登录抓包
1
2
3
4
5
6
7
8
9
10 GET /passport/Account/LoginPost?r=0.9345254254001656&kds=yes&username=123123123123123&pass=WWp51MtDwL7%2FZa1WhsxOAA%3D%3D&recordPwd=1&ckcode=9585&fscode=sst&invite= HTTP/1.1
Host: www.91118.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://www.91118.com/Passport/Account/Login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ASP.NET_SessionId=nyjbljyzdbjjd3obr1w0xbza
Connection: keep-alive
返回
1
2
3
4
5
6
7 {
"Value": null,
"ResultMessage": null,
"ResultCode": -100,
"Other": null,
"Date": "2023-01-11 15:09:24"
}
初步可见,密码参数加密,其他参数明文
打开浏览器调试器,搜索关键字"LoginPost",得到如下结果:
记录关键代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39 $.get(Passprt.URI + "/Account/LoginPost", {
r: Math.random(),
kds: "yes",
username: o,
pass: encryptByDES(s),
recordPwd: e,
ckcode: i,
fscode: r,
invite: t
}, function(n) {
if (n.ResultCode > 0)
if (n.ResultCode == 1)
window.location.href = $(".login_btn").attr("data-url");
else {
$("#bind1").hide();
$("#bind2").show();
var i = "";
$.each(n.Value, function(n, t) {
i += '<li data-user="' + t.UserId + '" data-usertype="' + t.UserType + '" data-bak="' + t.FromBak + '"><div class="faceimg"><span><\/span><img src="' + t.Avatar + '" /><\/div><div class="roleinfo"><div class="rlifname">' + t.TrueName + "(" + (t.UserType == 0 ? "学生" : "老师") + ')<\/div><div class="rlifclass">' + t.SchoolName + "<\/div><\/div><\/li>"
});
$(".bindselrform").html(i);
$(".bindselrform li").click(function() {
$(".bindselrform li").removeClass("on");
$(this).addClass("on");
$.get(Passprt.URI + "/Account/LoginCheck", {
r: Math.random(),
userId: $(this).attr("data-user"),
usertype: $(this).attr("data-usertype"),
bak: $(this).attr("data-bak"),
invite: t
}, function() {
window.location.href = $(".login_btn").attr("data-url")
})
})
}
else
alert("用户名或密码错误");
$("#randomImage").attr("src", $("#randomImage").attr("data-url") + "?r=" + Math.random())
})
关键代码得到密码参数来自于:pass: encryptByDES(s),初步确认加密算法为DES
打个断点看看传入的密码参数s是什么:
可见s是明文密码,确认加密算法无误为DES
控制台打印出函数encryptByDES:
双击控制台输出的函数内容,自动跳转到函数代码位置:
得到加密函数以及可能会用到解密函数:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 var _key = 'k1fsa01v';
var _iv = 'k1fsa01v';
function encryptByDES(message) {
var keyHex = CryptoJS.enc.Utf8.parse(_key);
var encrypted = CryptoJS.DES.encrypt(message, keyHex, {
iv: CryptoJS.enc.Utf8.parse(_iv),
mode: CryptoJS.mode.ECB,
padding: CryptoJS.pad.Pkcs7
});
return encrypted.toString();
}
function decryptByDES(ciphertext) {
var keyHex = CryptoJS.enc.Utf8.parse(_key);
var decrypted = CryptoJS.DES.decrypt({
ciphertext: CryptoJS.enc.Base64.parse(ciphertext)
}, keyHex, {
iv: CryptoJS.enc.Utf8.parse(_iv),
mode: CryptoJS.mode.ECB,
padding: CryptoJS.pad.Pkcs7
});
return decrypted.toString(CryptoJS.enc.Utf8);
}
到这里已经很明显了,算法为DES,模式:ECB/Pkcs7,密钥:k1fsa01v,偏移:k1fsa01v
具体的实现代码,可以直接将该js代码扣去使用,不过记得引入CryptoJS库。或者在自己的语言中使用自身的DES实现算法也是可以的。