Shulou(Shulou.com)05/31 Report--

This article Xiaobian for you to introduce in detail "python+JS how to achieve reverse SMZDM login encryption", the content is detailed, the steps are clear, the details are handled properly, I hope this "python+JS how to achieve reverse SMZDM login encryption" article can help you solve your doubts, following the editor's ideas slowly in-depth, together to learn new knowledge.

Actual combat scene

The platform we targeted this time is [SMZDM].

The target site is: aHR0cHM6Ly93d3cuc216ZG0uY29tLw==.

Before the official start, sign up for an account, and then simulate the login to see which parameters are hidden secretly.

When we see all the request parameters after login, we still silently close the site and withdraw.

As can be seen from the figure above, username,password is an important encryption area. The parameters at the beginning of geetest_ are the contents of the following selected verification code. If you do not disassemble the verification code at this stage, you can continue to pay attention to the logic of the subsequent verification code.

Login point-and-click verification code can be ignored, it is not easy to fix it at this stage.

The API request parameters are:

Request URL: zhiyou.smzdm.com/user/login/ajax_normal_check

Request method: POST

Parameter analysis.

This time, without adding a breakpoint, we first analyze the request initiator, open the request call stack of the link, and then analyze the relevant address in turn.

Based on experience, you can find that there is a common_submit function whose file is window.js, which you can focus on.

Next, add a XHR breakpoint with the keyword login/ajax_normal_check.

After the breakpoint is stopped, you can go directly to the objective function:

As a result, the relevant encryption logic is found directly, as shown in the following figure:

The core code is extracted and then further analyzed.

Var _ = login_obj.encryptPassword (I); (I = _), (r = btoa (r))

It turns out that the login_obj.encryptPassword function calls a new interface.

EncryptPassword: function (r) {var t = null; return $.ajax ({url: "/ / zhiyou.smzdm.com/user/login/pre", type: "get", async:! 1, dataType: "json"}) .done (function (e) {var o T = e & & 0! = e.error_code? Null: (o = new JSEncrypt) .setPublicKey (atob (e.data.pub_key)), o.encrypt (r)}), t}

With regard to the account using js btoa, there is nothing special about this, just simple base64 encryption.

Through the developer console, test using btoa encryption 12345, and then do the same encryption over Python.

Import base64wtext = "12345" # Encoding a = base64.b64encode (wtext.encode ()) print (a.decode ()) # output MTIzNDU=

The two results are consistent, and the username parameter is solved.

Let's move on to the password parameter. The password encryption process is as follows:

Get pub_key through an API

Encode pub_key with atob

Set JSEncryptRSAKey encryption KEY

Encrypt the user's password.

Test whether the pub_key encryption interface can be called directly

Import requestsheaders = {"Host": "zhiyou.smzdm.com", "Accept": "application/json, text/javascript, * / *; qencryp0.01", "Referer": "https://zhiyou.Python encryption confusion .com / user/login/", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64) X64) own UA "} res = requests.get ('https://zhiyou.Python encryption confusion .com / user/login/pre', headers=headers, timeout=3) print (res.text)

The running code gets the following response, where pub_key is also obtained.

After testing the interface for many times, an error is found and the account limit is triggered. When everyone is coding, it is recommended to prepare several different accounts to prevent them from being blocked.

Further debugging shows that JS encryption uses a plug-in. Download the corresponding JS directly as follows:

Https://res.Python confuses .com / resources/public/user/zhiyou/js/jsencrypt.min.js

Set up a local environment where the JS code can run and write the following code, which involves the files mentioned above.

Test environment function getQueryVariable (variable) {var query = _ window.location.search.substring (1); var vars = query.split ("&"); for (vari = 0; I < vars.length; iTunes +) {var pair = vars [I] .split ("="); if (pair [0] = = variable) {return pair [1] }} return false;} Competition = getQueryVariable ("competition"); b64 = atob (competition); (o = new JSEncrypt ()) .setPublicKey (b64); aaa = o.encrypt ("123456"); [xss_clean] (aaa)

You can then make the call with Selenium, passing pub_key through the URL parameter.

The logic is also very simple. Python calls the interface to generate KEY, then passes the KEY to the JS environment we build, and finally calls the address of the target site (built by ourselves) through Python to obtain the encrypted value and then pass it.

After reading this, the article "how to achieve reverse SMZDM login encryption with python+JS" has been introduced. If you want to master the knowledge points of this article, you still need to practice and use it yourself to understand it. If you want to know more about related articles, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.