JS Reverse Engineering: the params Parameter of Jinyi Cinema (金逸电影)

http://www.jycinema.com/wap/#/register

Packet capture

Login URL:

POST http://www.jycinema.com/frontUIWebapp/appserver/photoMessageService/newsSendMessage

Parameters:

params:ey622Jt557b2114Jp469bG373VO310dW8741i248ZX535Ii076Oi988Ix997NT571gw811Nj907Iw911ND991A5893NS763Is198In627Nl690bm498RU398eX141Bl991Ij727oi670cm475Vn649Ii854wi037Y2151hh831bm4625l109bE023lk146Ij946o3769LC284Jj066aG622Fu333bm353Vs667Q26149k642ZS856I6624Ik524ow241MD637A1091Ii342wi356bW787Vt825Ym215Vy105SW604Qi506Oi857Ii850fQ497==152

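Analysis

The value starts with ey, which is how Base64 encodes a leading {, and ends with fQ, which is how Base64 encodes a trailing }, so the payload is probably Base64-encoded.

Search the JavaScript for photoMessageService/newsSendMessage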

The match defines a sendMg property. The request is only sent when that property is called, so search for .sendMg

Click "get verification code". The request parameter $scope.registerData.tel is the phone number we submitted, so the encryption must happen inside getData

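Stepping into getData, params is processed into {"mobileNumber":"15806204095","sendType":"reg","channelId":7,"channelCode":"J0005","memberId":""}

We also find the password-encryption function, which is called further down as $rootScope.getEncryption(params.params) to generate the ciphertext.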

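Base64.encode cannot be used directly because of a UTF-8 mojibake problem in this line: var re_btou = new RegExp(["[À-ß][€-¿]", "[à-ï][€-¿]{2}", "[ð-÷][€-¿]{3}"].join("|"),"g"); Base64.encode(value) is therefore taken from the base64.js source to implement getEncryption, the key function that encrypts params.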
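
An added example, not part of the original post and not the site's getEncryption code: a decoder for the captured params value from the packet-capture section, which shows that this sample can be read without any key. The layout it assumes (two Base64 characters followed by three filler digits, repeated) is inferred only from that one sample, and the name decode_params is hypothetical.

```python
import base64
import binascii
import json

# Captured value copied from the "Parameters" line of this post.
CAPTURED = (
    "ey622Jt557b2114Jp469bG373VO310dW8741i248ZX535Ii076Oi988"
    "Ix997NT571gw811Nj907Iw911ND991A5893NS763Is198In627Nl690"
    "bm498RU398eX141Bl991Ij727oi670cm475Vn649Ii854wi037Y2151"
    "hh831bm4625l109bE023lk146Ij946o3769LC284Jj066aG622Fu333"
    "bm353Vs667Q26149k642ZS856I6624Ik524ow241MD637A1091Ii342"
    "wi356bW787Vt825Ym215Vy105SW604Qi506Oi857Ii850fQ497==152"
)

# Assumption inferred from the sample: 2 Base64 characters, then 3 digits.
KEEP, FILLER = 2, 3


def decode_params(value: str) -> dict:
    """Strip the digit filler from a params value and return the JSON inside."""
    group = KEEP + FILLER
    if not value or len(value) % group:
        raise ValueError("length is not a positive multiple of %d" % group)
    kept = []
    for i in range(0, len(value), group):
        chunk, filler = value[i:i + KEEP], value[i + KEEP:i + group]
        # Reject input that does not follow the assumed layout instead of guessing.
        if not (filler.isascii() and filler.isdigit()):
            raise ValueError("non-digit filler at offset %d: %r" % (i + KEEP, filler))
        kept.append(chunk)
    try:
        raw = base64.b64decode("".join(kept), validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("payload is not Base64-wrapped JSON: %s" % exc) from exc


if __name__ == "__main__":
    print(decode_params(CAPTURED))
```

The decoded object is the same JSON that getData builds, so the value carries the phone number in recoverable form.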

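Crawler implementation

Because my JS is so poor, calling the JS from Python failed with execjs._exceptions.ProgramError: ReferenceError: Base64 is not defined, so I could only work around it: do the Base64 encoding in Python and pass the result as the argument to getEncryption.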

import base64
import json

import execjs
import requests

username = "15806204095"
password = "123456"  # not used by the SMS request below

# jy_params.js contains the getEncryption function taken from the site's JavaScript
with open(r'jy_params.js', encoding='utf-8', mode='r') as f:
    JsData = f.read()

# Same plaintext that getData builds in the browser
param = {"mobileNumber": username, "sendType": "reg", "channelId": 7, "channelCode": "J0005", "memberId": ""}
# Base64-encode in Python, because Base64 is not defined inside the execjs context
val = base64.b64encode(json.dumps(param).encode())
params = execjs.compile(JsData).call('getEncryption', val.decode())
print(params)

# Content-Length is left out: requests computes it from the body
headers = {
    'Accept': 'application/json, text/plain, */*',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Cookie': 'JSESSIONID=DD188088D4E4EAC0098C9CCBCC32E52F; Hm_lvt_62d04228e1f84e012c1d9c0227f722c3=1618618136; Hm_lpvt_62d04228e1f84e012c1d9c0227f722c3=1618618136',
    'Host': 'www.jycinema.com',
    'Origin': 'http://www.jycinema.com',
    'Proxy-Connection': 'keep-alive',
    'Referer': 'http://www.jycinema.com/wap/',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Mobile Safari/537.36',
}
data = {'params': params}
r = requests.post("http://www.jycinema.com/frontUIWebapp/appserver/photoMessageService/newsSendMessage", data,
                  headers=headers)
print(r.text)

{"msg":"短信发送成功","count":0,"status":"S"}

Author: J
Article link: http://onejane.github.io/2021/04/17/JS逆向之金逸电影params/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit 万物皆可逆向 when reposting.