【web_逆向09】AES加密逆向实战
目标网站
- 话不多说,直接干:https://www.XXXX.com/rank_m/c7/, 可以联系本人微信号:wxid_ps0bm4kbsl0t22
寻找加密入口
- 查看接口数据,发现入参、出参都是经过加密的,需要加密、解密
- 查看请求的 Initiator 调用栈,发现请求是由 promise 回调发起的(异步),因此直接沿栈回溯不一定能定位到加密代码
- 通过interceptors搜索,往回找不一定能找到,可以考虑正向搜索
- 注意事项:下面这段是异步框架的固定逻辑(一般是 Babel 把 async/await 编译成的 regenerator 风格状态机),不需要逆向框架本身,只需关注各个 case 里的业务调用
/**
# 异步框架....固定的逻辑.
# 执行过程
# next表示下一步执行哪里...
# return 语句表示给下一步传递的消息. 上一步return的东西是下一步. 接受到的东西
# sent 是接受上一步return回来的东西.
# abrupt 第一个参数如果是return. 表示该异步逻辑. 彻底结束. 第二个参数是真正的返回值.
# stop 终止该异步逻辑....
# 该异步框架是对promise和async await 的封装.
#
return tianwanglaozi.....wrap((function(e) { # 事件循环...event loop
for (; ; ) // 死循环
switch (e.prev = e.next) { // switch
case 0: // 第一次执行....
e.next = 2 ; // 下一步是2
// 百分之百是promise
return me.search.getSearchSalaryList(pe(pe({}, y), {}, {
pageNum: f.current,
limit: 15
}));
case 2:
t = e.sent,
a = t.resdata,
1 == t.rescode && a && (n = a.salarys,
r = a.pageCount,
c = a.totalCountStr,
l = a.company,
s = a.recCompany,
x((function(e) {
return (0,
F.JO)(f.current, e, n)
}
)),
z(+r || 0),
K(c || ""),
Z(l || null),
D(s || []),
J(!1));
case 3:
e.abrupt("return", xxx) # 结束了...真的结束了.
case 6:
case "end":
return e.stop() # 彻底停止...
}
}
), e)
a: 随机 -> 作为AES加密的IV,并随请求以 kiv 参数明文发送,服务端据此解密
mode: CBC模式(PKCS7 填充)
n: 参数(JSON字符串),即待加密的明文
注意:密钥是写死在前端 JS 里的常量,IV 又随请求明文传输,所以这层"加密"只是传输混淆,拿到 JS 的人都能解密并伪造请求
*/
- 入口步骤
数组类型的key处理方式
如果见到的东西. 是这个样子的.
{
"words": [
1193550929,
1635214187,
1197891916,
1111046002
],
"sigBytes": 16
}
-
1、先把这个对象(CryptoJS 的 WordArray)转换成字符串
- key.toString() 默认输出 16 进制(hex)字符串,例如 472424516177636b4766614c42393772
- 再把 hex 字符串解码成字节,得到真正的密钥(这里是 16 字节,对应 AES-128)
-
2、直接在浏览器 console 中调用 toString 转换成字节(字符串)
-
3、使用python处理
import binascii
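# Hex form of the CryptoJS WordArray shown above (key.toString() yields hex).
# 16 bytes -> AES-128. This is the site's static client-side key shipped in
# its JS bundle, so it is obfuscation rather than a real secret.
s = "472424516177636b4766614c42393772"
# bytes.fromhex() is the stdlib equivalent of binascii.a2b_hex(); it raises
# ValueError on odd length or non-hex characters.
bs = bytes.fromhex(s)
print(bs)  # b'G$$QawckGfaLB97r' (the original comment omitted the b prefix)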
python代码完成加解密
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
import base64,json
import requests
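def encrypt(data, key=b'G$$QawckGfaLB97r', iv=b'GKLqVnx1kHNt286G'):
    """Encrypt ``data`` the way the site's front end does and return the ``b`` parameter.

    Steps, mirroring the JS: compact JSON -> UTF-8 -> PKCS#7 pad -> AES-CBC
    -> Base64 -> swap '/', '+', '=' for '_', '-', '~'.

    :param data: JSON-serialisable request body (a dict in the examples).
    :param key: 16-byte AES key; defaults to the static key recovered from the bundle.
    :param iv: 16-byte CBC IV; must equal the ``kiv`` value sent with the request.
    :returns: substituted Base64 text (``str``).
    :raises ValueError: from pycryptodome if ``key``/``iv`` have the wrong length.

    Security note: the key is a constant shipped in the client JS and the IV is
    transmitted in clear, so this is transport obfuscation, not confidentiality.
    Reusing a fixed IV also makes equal plaintexts yield equal ciphertexts; the
    site itself picks a random IV per request, so do the same for real traffic.
    """
    aes = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
    # separators=(',', ':') and ensure_ascii=False reproduce JSON.stringify
    # byte-for-byte (Python would otherwise \u-escape non-ASCII characters).
    data_json = json.dumps(data, separators=(',', ':'), ensure_ascii=False)
    data_bs = pad(data_json.encode('utf-8'), AES.block_size)
    miwen = aes.encrypt(data_bs)
    b = base64.b64encode(miwen).decode()
    # str.replace returns a new string; the original discarded this result and
    # therefore sent standard Base64 instead of the site's alphabet.
    return b.replace("/", "_").replace("+", "-").replace("=", "~")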
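def decrypt(s, key=b'G$$QawckGfaLB97r', iv=b'GKLqVnx1kHNt286G'):
    """Inverse of ``encrypt``: Base64-decode, AES-CBC decrypt, strip PKCS#7, parse JSON.

    :param s: ciphertext as ``str`` or ``bytes``, either standard Base64 or the
        site's substituted alphabet ('_', '-', '~'); surrounding whitespace is ignored.
    :param key: 16-byte AES key (the static client key by default).
    :param iv: 16-byte IV; the example reuses the request IV for the response.
    :returns: the decoded JSON value (a dict for the observed responses).
    :raises ValueError: on malformed Base64, bad padding (the usual symptom of a
        wrong key/IV) or invalid JSON (``json.JSONDecodeError`` is a ``ValueError``).
    """
    if isinstance(s, bytes):
        s = s.decode('utf-8')
    # Undo the request-side substitutions. Harmless for standard Base64 because
    # '_', '-' and '~' never occur in that alphabet.
    s = s.strip().replace("_", "/").replace("-", "+").replace("~", "=")
    aes = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
    bs_s = base64.b64decode(s)
    ming_bs = unpad(aes.decrypt(bs_s), AES.block_size)
    return json.loads(ming_bs.decode('utf-8'))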
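if __name__ == '__main__':
    # Plaintext request body; the server-side field names come from the captured traffic.
    data = {
        "cityCode": 7,
        "industryCode": "",
        "curPage": 1
    }
    session = requests.Session()
    # update() keeps requests' default headers and only overrides the UA;
    # assigning a fresh dict would drop Accept/Accept-Encoding/Connection.
    session.headers.update({
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
    })
    url = 'https://www.xxx.com/api_to/channel/salary/list.json'
    # `kiv` is the IV the server uses to decrypt `b`; it must match the IV
    # hard-coded in encrypt(). It is sent in clear, so together with the static
    # key it offers no confidentiality against anyone holding the JS bundle.
    param = {
        "b": encrypt(data),
        "kiv": 'GKLqVnx1kHNt286G'
    }
    # requests has no default timeout; without one a stalled server hangs forever.
    res = session.get(url=url, params=param, timeout=15)
    # Fail loudly on HTTP errors instead of feeding an error page to decrypt().
    res.raise_for_status()
    shuju = decrypt(res.text)
    print(shuju)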
使用JS加解密,python调用
- js代码,xxx.js
var CryptoJS = require("crypto-js");
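/**
 * Decode the site's zero-width-character key encoding.
 *
 * Each key byte is written as 8 invisible characters: U+200C (ZWNJ) stands
 * for a '1' bit and U+200D (ZWJ) for a '0' bit. Every group of 8 is parsed as
 * binary and mapped to its char code, giving the key as a plain string that
 * is then UTF-8 parsed into a CryptoJS WordArray.
 *
 * @param {string} encoded - run of U+200C/U+200D characters (length % 8 === 0)
 * @returns {string} the decoded key text
 */
function decodeZeroWidthKey(encoded) {
  return encoded.replace(/.{8}/g, function (group) {
    var bits = group.replace(/\u200c/g, 1).replace(/\u200d/g, 0);
    return String.fromCharCode(parseInt(bits, 2));
  });
}

// The key material lives in this literal as U+200C/U+200D characters. They are
// invisible and easily stripped when copy-pasting; this listing appears to have
// lost them (an empty string decodes to an empty key, which does not match the
// 16-byte key shown earlier on this page). Re-copy the literal from the bundle.
var ENCODED_KEY = "";

/** AES parameters shared by encrypt()/decrypt(): static key, CBC mode, PKCS#7 padding. */
var n = {
  key: CryptoJS.enc.Utf8.parse(decodeZeroWidthKey(ENCODED_KEY)),
  mode: CryptoJS.mode.CBC,
  pad: CryptoJS.pad.Pkcs7
};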
var iv = "GKLqVnx1kHNt286G";
/**
 * Encrypt `data` for the `b` request parameter.
 *
 * JSON.stringify -> AES-CBC/PKCS#7 with the shared key `n.key` and the module
 * level `iv` -> Base64 (CryptoJS' default toString) -> swap '/', '+', '='
 * for '_', '-', '~' exactly as the front end does.
 *
 * @param {*} data - JSON-serialisable payload
 * @returns {string} substituted Base64 ciphertext
 */
function encrypt(data) {
  const plaintext = JSON.stringify(data);
  const options = {
    iv: CryptoJS.enc.Utf8.parse(iv),
    mode: n.mode,
    padding: n.pad
  };
  const cipher = CryptoJS.AES.encrypt(plaintext, n.key, options);
  const b64 = cipher.toString();
  // Site-specific alphabet; standard Base64 decoders will not accept it as-is.
  return b64.replace(/\//g, "_").replace(/\+/g, "-").replace(/=/g, "~");
}
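/**
 * Inverse of encrypt(): accept Base64 ciphertext (standard or the site's
 * '_' '-' '~' alphabet), AES-CBC decrypt with `n.key` and `iv`, and parse the
 * UTF-8 plaintext as JSON.
 *
 * @param {string} s - Base64 ciphertext; surrounding whitespace is ignored
 * @returns {*} the decoded JSON value
 * @throws {SyntaxError} when the plaintext is not valid JSON (typically a wrong key/IV)
 */
function decrypt(s) {
  // Undo the request-side substitutions; a no-op for standard Base64 because
  // '_', '-' and '~' are not part of that alphabet.
  const b64 = String(s).trim().replace(/_/g, "/").replace(/-/g, "+").replace(/~/g, "=");
  const plain = CryptoJS.AES.decrypt(b64, n.key, {
    iv: CryptoJS.enc.Utf8.parse(iv),
    mode: n.mode,
    padding: n.pad
  });
  return JSON.parse(plain.toString(CryptoJS.enc.Utf8));
}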
- python代码
import subprocess
from functools import partial
# Global monkeypatch: every subprocess.Popen in this process now decodes the child's
# stdout/stderr as UTF-8. Presumably needed because execjs drives node through Popen
# and the JSON node prints would otherwise be decoded with the console's default
# codepage (a common failure on Windows) -- TODO confirm. Side effect is process-wide.
subprocess.Popen = partial(subprocess.Popen, encoding='utf-8')
import execjs
import requests
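session = requests.session()
# update() keeps requests' default headers and only overrides the UA;
# assigning a fresh dict would drop Accept/Accept-Encoding/Connection.
session.headers.update({
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
})
# Load the JS port of the site's crypto; `with` closes the file even if compile() raises.
with open("xxx.js", mode='r', encoding="utf-8") as f:
    js = execjs.compile(f.read())
url = "https://www.xxx.com/api_to/search/salary.json"
data = {
    "cityCode": 7,
    "industryCode": "",
    "curPage": 1
}
# `kiv` must equal the IV hard-coded in xxx.js; it is sent in clear so the server
# can decrypt `b`. With the static client key this is obfuscation, not confidentiality.
params = {
    "b": js.call("encrypt", data),
    "kiv": 'GKLqVnx1kHNt286G'
}
# requests has no default timeout; fail loudly on HTTP errors before decrypting.
resp = session.get(url, params=params, timeout=15)
resp.raise_for_status()
print(resp.text)
# Decrypt the response with the same JS helpers.
print(js.call("decrypt", resp.text))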