2.猿人学爬虫攻防第二题 JS 混淆 动态cookie
抓取到发布日热度的值,计算所有值的加和
1.分析网页
由于是动态Cookie,为了避免其他Cookie的影响,所以使用浏览器的无痕模式进行调试,按f12并选中【Preserve log】
我们点击页码进行翻页,发现数据来源于。
对其进行分析,又发现熟悉的参数 m.
这次我们使用fiddler抓包工具。
我们可以看到第一次请求中返回了一段混淆过的js代码,我们对其进行处理。
将其复制到 ob混淆专解测试版V0.1
需要注意不要
得到结果:
2.分析js代码:
我们发现关键函数:
function W(Y, Z) {
document["cookie"] = "m" + M() + "=" + V(Y) + "|" + Y + "; path=/";
location["reload"]();
}
function X(Y, Z) {
return Date["parse"](new Date());
}
W(X());
w()函数定义了两个形参,而执行的函数w(x());是传一个参数的 ,这个参数就是x的返回值。
【 document["cookie"] 】,我想大家已经明白了,Cookie是如何被设置的了
而后面的【 location"reload"; 】,非常关键
这行代码的意思就是:刷新当前文档,也就是按了一下浏览器上的刷新页面按钮
现在我们重新理一下思路
- 发送请求返回了两个响应
- 第一个没有Cookie,而第二个有Cookie
- 第一个虽然没有Cookie,但是却执行了一段JS代码
- 这段JS代码给网页中的Cookie赋了值,接着刷新了整个页面
- 最后,呈现在我们眼前的网页,也就是reload的结果。
3.分析cookie如何生成
document["cookie"] = "m" + M() + "=" + V(Y) + "|" + Y + "; path=/";
可以看到这里使用了m函数
function M(Y, Z) {
var a2 = B(this, function () {
var a5 = function () {
var a6 = a5["constructor"]("return /\" + this + \"/")()["compile"]("^([^ ]+( +[^ ]+)+)+[^ ]}");
return !a6["test"](a2);
};
return a5();
});
a2();
K();
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
eval(L(qz));
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
}
首先,我们可以看到函数里面还包含着两个函数分别是【 a4() 】和【 K() 】
而这个【 a4() 】函数,也定义在M()内,但是执行【 a4() 】函数的时候,并没有传入参数,所以说,这段代码是没用的
在分析K函数:
function K(Y, Z) {
if (Z) {
return J(Y);
}
return H(Y);
}
需要传入参数,而执行的时候,又没有传入,所有这段代码也是是没用的
我们简化一下M()函数
function M(Y, Z) {
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
eval(L(qz));
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
}
我们可以看到又出现了eval函数,做这第一道题的时候,我们知道eval可以间接的改变一些值。
L函数:
function L(Y, Z) {
let a0 = "";
for (let a1 = 0; a1 < Y["length"]; a1++) {
a0 += String["fromCharCode"](Y[a1]);
}
return a0;
}
这个函数实际上并没什么用,挖坑操作。
继续往下看
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
这段也是忽悠的东西global没有直接进入catch环节, return navigator["vendorSub"];
我们发现依旧是空值。
4.结果
var navigator = {};
var B = function () {
var Y = true;
return function (Z, a0) {
var a1 = Y ?
function () {
if (a0) {
var a2 = a0["apply"](Z, arguments);
a0 = null;
return a2;
}
}
: function () {};
Y = false;
return a1;
};
}
();
function C(Y, Z) {
var a0 = (65535 & Y) + (65535 & Z);
return (Y >> 16) + (Z >> 16) + (a0 >> 16) << 16 | 65535 & a0;
}
function D(Y, Z) {
return Y << Z | Y >>> 32 - Z;
}
function E(Y, Z, a0, a1, a2, a3) {
return C(D(C(C(Z, Y), C(a1, a3)), a2), a0);
}
function F(Y, Z, a0, a1, a2, a3, a4) {
return E(Z & a0 | ~Z & a1, Y, Z, a2, a3, a4);
}
function G(Y, Z, a0, a1, a2, a3, a4) {
return E(Z & a1 | a0 & ~a1, Y, Z, a2, a3, a4);
}
function H(Y, Z) {
let a0 = [99, 111, 110, 115, 111, 108, 101];
let a1 = "";
for (let a2 = 0; a2 < a0["length"]; a2++) {
a1 += String["fromCharCode"](a0[a2]);
}
return a1;
}
function I(Y, Z, a0, a1, a2, a3, a4) {
return E(Z ^ a0 ^ a1, Y, Z, a2, a3, a4);
}
function J(Y, Z, a0, a1, a2, a3, a4) {
return E(a0 ^ (Z | ~a1), Y, Z, a2, a3, a4);
}
function K(Y, Z) {
if (Z) {
return J(Y);
}
return H(Y);
}
function L(Y, Z) {
let a0 = "";
for (let a1 = 0; a1 < Y["length"]; a1++) {
a0 += String["fromCharCode"](Y[a1]);
}
return a0;
}
function M(Y, Z) {
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
eval(L(qz));
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
}
function N(Y, Z) {
Y[Z >> 5] |= 128 << Z % 32,
Y[14 + (Z + 64 >>> 9 << 4)] = Z;
if (qz) {
var a0,
a1,
a2,
a3,
a4,
a5 = 1732584193,
a6 = -271733879,
a7 = -1732584194,
a8 = 271733878;
} else {
var a0,
a1,
a2,
a3,
a4,
a5 = 0,
a6 = -0,
a7 = -0,
a8 = 0;
}
for (a0 = 0; a0 < Y["length"]; a0 += 16)
a1 = a5,
a2 = a6,
a3 = a7,
a4 = a8,
a5 = F(a5, a6, a7, a8, Y[a0], 7, -680876936),
a8 = F(a8, a5, a6, a7, Y[a0 + 1], 12, -389564586),
a7 = F(a7, a8, a5, a6, Y[a0 + 2], 17, 606105819),
a6 = F(a6, a7, a8, a5, Y[a0 + 3], 22, -1044525330),
a5 = F(a5, a6, a7, a8, Y[a0 + 4], 7, -176418897),
a8 = F(a8, a5, a6, a7, Y[a0 + 5], 12, 1200080426),
a7 = F(a7, a8, a5, a6, Y[a0 + 6], 17, -1473231341),
a6 = F(a6, a7, a8, a5, Y[a0 + 7], 22, -45705983),
a5 = F(a5, a6, a7, a8, Y[a0 + 8], 7, 1770010416),
a8 = F(a8, a5, a6, a7, Y[a0 + 9], 12, -1958414417),
a7 = F(a7, a8, a5, a6, Y[a0 + 10], 17, -42063),
a6 = F(a6, a7, a8, a5, Y[a0 + 11], 22, -1990404162),
a5 = F(a5, a6, a7, a8, Y[a0 + 12], 7, 1804603682),
a8 = F(a8, a5, a6, a7, Y[a0 + 13], 12, -40341101),
a7 = F(a7, a8, a5, a6, Y[a0 + 14], 17, -1502882290),
a6 = F(a6, a7, a8, a5, Y[a0 + 15], 22, 1236535329),
a5 = G(a5, a6, a7, a8, Y[a0 + 1], 5, -165796510),
a8 = G(a8, a5, a6, a7, Y[a0 + 6], 9, -1069501632),
a7 = G(a7, a8, a5, a6, Y[a0 + 11], 14, 643717713),
a6 = G(a6, a7, a8, a5, Y[a0], 20, -373897302),
a5 = G(a5, a6, a7, a8, Y[a0 + 5], 5, -701558691),
a8 = G(a8, a5, a6, a7, Y[a0 + 10], 9, 38016083),
a7 = G(a7, a8, a5, a6, Y[a0 + 15], 14, -660478335),
a6 = G(a6, a7, a8, a5, Y[a0 + 4], 20, -405537848),
a5 = G(a5, a6, a7, a8, Y[a0 + 9], 5, 568446438),
a8 = G(a8, a5, a6, a7, Y[a0 + 14], 9, -1019803690),
a7 = G(a7, a8, a5, a6, Y[a0 + 3], 14, -187363961),
a6 = G(a6, a7, a8, a5, Y[a0 + 8], 20, 1163531501),
a5 = G(a5, a6, a7, a8, Y[a0 + 13], 5, -1444681467),
a8 = G(a8, a5, a6, a7, Y[a0 + 2], 9, -51403784),
a7 = G(a7, a8, a5, a6, Y[a0 + 7], 14, 1735328473),
a6 = G(a6, a7, a8, a5, Y[a0 + 12], 20, -1926607734),
a5 = I(a5, a6, a7, a8, Y[a0 + 5], 4, -378558),
a8 = I(a8, a5, a6, a7, Y[a0 + 8], 11, -2022574463),
a7 = I(a7, a8, a5, a6, Y[a0 + 11], 16, 1839030562),
a6 = I(a6, a7, a8, a5, Y[a0 + 14], 23, -35309556),
a5 = I(a5, a6, a7, a8, Y[a0 + 1], 4, -1530992060),
a8 = I(a8, a5, a6, a7, Y[a0 + 4], 11, 1272893353),
a7 = I(a7, a8, a5, a6, Y[a0 + 7], 16, -155497632),
a6 = I(a6, a7, a8, a5, Y[a0 + 10], 23, -1094730640),
a5 = I(a5, a6, a7, a8, Y[a0 + 13], 4, 681279174),
a8 = I(a8, a5, a6, a7, Y[a0], 11, -358537222),
a7 = I(a7, a8, a5, a6, Y[a0 + 3], 16, -722521979),
a6 = I(a6, a7, a8, a5, Y[a0 + 6], 23, 76029189),
a5 = I(a5, a6, a7, a8, Y[a0 + 9], 4, -640364487),
a8 = I(a8, a5, a6, a7, Y[a0 + 12], 11, -421815835),
a7 = I(a7, a8, a5, a6, Y[a0 + 15], 16, 530742520),
a6 = I(a6, a7, a8, a5, Y[a0 + 2], 23, -995338651),
a5 = J(a5, a6, a7, a8, Y[a0], 6, -198630844),
a8 = J(a8, a5, a6, a7, Y[a0 + 7], 10, 1126891415),
a7 = J(a7, a8, a5, a6, Y[a0 + 14], 15, -1416354905),
a6 = J(a6, a7, a8, a5, Y[a0 + 5], 21, -57434055),
a5 = J(a5, a6, a7, a8, Y[a0 + 12], 6, 1700485571),
a8 = J(a8, a5, a6, a7, Y[a0 + 3], 10, -1894986606),
a7 = J(a7, a8, a5, a6, Y[a0 + 10], 15, -1051523),
a6 = J(a6, a7, a8, a5, Y[a0 + 1], 21, -2054922799),
a5 = J(a5, a6, a7, a8, Y[a0 + 8], 6, 1873313359),
a8 = J(a8, a5, a6, a7, Y[a0 + 15], 10, -30611744),
a7 = J(a7, a8, a5, a6, Y[a0 + 6], 15, -1560198380),
a6 = J(a6, a7, a8, a5, Y[a0 + 13], 21, 1309151649),
a5 = J(a5, a6, a7, a8, Y[a0 + 4], 6, -145523070),
a8 = J(a8, a5, a6, a7, Y[a0 + 11], 10, -1120210379),
a7 = J(a7, a8, a5, a6, Y[a0 + 2], 15, 718787259),
a6 = J(a6, a7, a8, a5, Y[a0 + 9], 21, -343485441),
a5 = C(a5, a1),
a6 = C(a6, a2),
a7 = C(a7, a3),
a8 = C(a8, a4);
return [a5, a6, a7, a8];
}
function O(Y) {
var Z,
a0 = "",
a1 = 32 * Y["length"];
for (Z = 0; Z < a1; Z += 8)
a0 += String["fromCharCode"](Y[Z >> 5] >>> Z % 32 & 255);
return a0;
}
function P(Y) {
var a2,
a3 = [];
for (a3[(Y["length"] >> 2) - 1] = undefined, a2 = 0; a2 < a3["length"]; a2 += 1)
a3[a2] = 0;
var a1 = 8 * Y["length"];
for (a2 = 0; a2 < a1; a2 += 8)
a3[a2 >> 5] |= (255 & Y["charCodeAt"](a2 / 8)) << a2 % 32;
return a3;
}
function Q(Y) {
return O(N(P(Y), 8 * Y["length"]));
}
function R(Y) {
var Z,
a0,
a1 = "0123456789abcdef",
a2 = "";
for (a0 = 0; a0 < Y["length"]; a0 += 1)
Z = Y["charCodeAt"](a0),
a2 += a1["charAt"](Z >>> 4 & 15) + a1["charAt"](15 & Z);
return a2;
}
function S(Y) {
return unescape(encodeURIComponent(Y));
}
function T(Y) {
return Q(S(Y));
}
function U(Y) {
return R(T(Y));
}
function V(Y, Z, a0) {
M();
return Z ? a0 ? H(Z, Y) : y(Z, Y) : a0 ? T(Y) : U(Y);
}
function W(Y, Z) {
var cookie = "m" + "=" + V(Y) + "|" + Y;
return cookie;
}
function X(Y, Z) {
return Date["parse"](new Date());
}
function get_cipher() {
return W(X());
}
# -*- coding: utf-8 -*-
'''
@Time : 2021/2/1 20:57
@Author : 水一RAR
'''
import requests
import execjs
import time
def get_cipher_value():
# 导入JS,读取需要的js文件
with open(r'js代码/02.js',encoding='utf-8',mode='r') as f:
JsData = f.read()
# 加载js文件,使用call()函数执行,传入需要执行函数即可获取返回值
psd = execjs.compile(JsData).call('get_cipher')
return psd
def get_data(page_num,cipher):
url = f'http://match.yuanrenxue.com/api/match/2?page={page_num}'
headers = {
'Host': 'match.yuanrenxue.com',
'User-Agent':'yuanrenxue.project',
'Cookie':cipher
}
print(f'加密密文--->{cipher}')
response = requests.get(url,headers = headers)
return response.json()
if __name__ == '__main__':
sum_num = 0
for page_num in range(1, 6):
info = get_data(page_num, get_cipher_value())
price_list = [i['value'] for i in info['data']]
print(f'第{page_num}页发布日热度的值:{price_list}')
sum_num += sum(price_list)
time.sleep(1)
print(f'发布日热度值总和:{sum_num}')
