Shulou(Shulou.com)06/01 Report--

This article mainly explains "Python how to withhold a complete reverse data", the content of the article is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn "Python how to withhold a complete reverse data" bar!

XX Street login password encryption

AHR0cDovL3NlbGxlci5jaHVjaHVqaWUuY29tL3NxZS5waHA/cz0vVXNlci9pbmRleA==

This encryption is too simple, five-second positioning is really not blowing, so come directly.

Enter the wrong account password and initiate a login request, and you can see that there is an encrypted field of password in the login package. So we search for password: or password: or password= or password= in turn

Soon get the following results [figure 1-1]. Just implement it in Python.

Figure 1-1x blog login password parsing and explaining how to withhold an encryption algorithm

AHR0cHM6Ly93d3cud2VpYm8uY29tL2xvZ2luLnBocA==

Using the Chrome browser to grab the package, I believe everyone will, in front of the grab package we skip, directly to the encryption parameter analysis place.

Tip: this time the encryption is not asynchronous. Don't wait foolishly on the XHR tab.

The XBO landing box is embedded in the page, plus the XBO landing page picture and a lot of things to load, so there are two main packages we need to pay attention to:

The packet that returns the relevant encryption key before login [figure 2-1]

The package that initiates the login request [figure 2-2]

Figure 2-1

Figure 2-2

It's clear when we get here, and we're done with su and sp.

First, let's take a look at su, which doesn't actually need to search. It looks like our initial coding result. Base64 is the only one familiar with the coding composed of a-zA-Z [0-9] + / =. Let's directly find an online tool to verify our conjecture. [figure 2-3]

Figure 2-3

Of course, we can also try the search parameter name su [figure 2-4]. Obviously, the search results also verify our conjecture.

Figure 2-4

Let's take a look at sp.

Where we searched for su above, we found the password encryption, and we have framed the main logic in red [figure 2-5], and then we hit the breakpoint to find out what the missing parameters are.

Figure 2-5

The parameters here are relatively simple. First, me.servertime, me.rsaPubkey and me.nonce [figure 2-6]. These three parameters have the same name in the previous request packet. For more information, please see [figure 2-1].

Figure 2-6

Now that we have found all the parameters, we need to switch to webstorm to debug our overall encryption algorithm.

Paste 789-791 lines of code directly into the edit box and complete it as follows.

Function get_sp () {

Var f = new sinaSSOEncoder.RSAKey

F.setPublic (me.rsaPubkey, "10001")

B = f.encrypt ([me.servertime, me.nonce] .join ("\ t") + "\ n" + b)

Return b

}

Get_sp ()

Although we know that the operation will definitely report an error, what we need is the error information. [figure 2-7]

2-7

Prompt sinaSSOEncoder is not defined, and let's go back to the browser debug window to find out where sinaSSOEncoder is defined. You can search for var sinaSSOEncoder directly in the page

The result is only one [figure 2-8]

Figure 2-8

Next, copy the entire contents of sinaSSOEncoder into the editor, lines 1048-1981. Continue to run and prompt navigator is not defined, which we define as {}. Next, you will be prompted that me is not defined [figure 2-9].

Figure 2-9

But we all know that this me.rsaPubkey is returned in [figure 2-1] after debugging, so we replace it. In the same way, replace with other parameters that we already know. Now only the b parameter is unknown.

When we run down, we can see that the b parameter is the password we entered [figure 2-10]. We continue to replace and run again, and we find that there is nothing to output and no error is reported. We add a print statement to the function to see what the result of b is returned. You can see that the encrypted result has been obtained. [figure 2-11]

Figure 2-10 figure 2-11 Thank you for reading, the above is the content of "Python how to withhold a complete reverse data". After the study of this article, I believe you have a deeper understanding of how Python withholds a complete reverse data, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.