腾讯qq空间GET登陆JS分析
本文共 9394 字,大约阅读时间需要 31 分钟。
腾讯QQ空间作为腾讯的社交核心产品之一在登陆的安全设置上没有用变态的技术都是常规策略。可能是因为该产品内容上的价值对于用户而言重要但是对于他人来说并不重要。
老规矩首先抓个包试试看看那登陆请求有哪些字段
u:2551513277@qq.com verifycode:!NNT pt_vcode_v1:0 pt_verifysession_v1:e02e02eecdb805b45ce122cde11c229d62be175396694ebe18c4f39b3491e5f7845b10c499d60bc42ad9ff81768d860401fbf1871932aacd p:xeOyBOEajC3l2pBFTuB6EGzMpGaIMGpL5rOkK3s6qe3ExEc1QB8xZIojs2wFvNVIElBAAvEP5ap0kbLGmTDgkRWU0vPYTvM8mVbYpYcCsxc9DwJXbpIVNQk0a8R4fg4jdMiKKtvri4SsNXFjIgr5NMQb*3OaB06ynyg2Xd2jcEo0CxmUx-eoKSpSb6vzUbNrlJSuo1DtFHZDINXcGtnLxARgMy35Km7BzXrKgkNj2uuOoKD1aXd*Cx5pMpDxXbUtmTc1TAA5PI1qKUElnihIGeZ8M35F9r07dsB0M0D5a9T-QVXIBsYCr0N8ecUEkFCOC2zSZy0z1xsDMlyNdcBV9Q__ pt_randsalt:2 u1:https://qzs.qq.com/qzone/v5/loginsucc.html?para=izone ptredirect:0 h:1 t:1 g:1 from_ui:1 ptlang:2052 action:3-19-1548851060420 js_ver:10291 js_type:1 login_sig: pt_uistyle:40 aid:549000912 daid:5
粗略分析我们就知道哪些字段比较难搞了u是用户名、verifycode是类似验证码的东西、pt_verifysession_v1类似id的字符串、p就应该是密码了。
我们分析的重点在verifycode、pt_verifysession_v1、P三个字段了然后再看post请求之前的请求发现了一个有价值的get请求
返回如下:
ptui_checkVC('0','!NNT','\x00\x00\x00\x00\x98\x15\x00\xbd', 'e02e02eecdb805b45ce122cde11c229d62be175396694ebe18c4f39b3491e5f7845b10c499d60bc42ad9ff81768d860401fbf1871932aacd','2') 很好这个get请求已经返回verifycode、pt_verifysession_v1参数那我们需要重点分析的是password的加密方式了。再看这个请求的参数
其中appid是来自html源码中的那就是时候获得这两个参数并没有太大问题。
继续看password查找发出该请求的相应js位置
if ("login" == t) { i.u = encodeURIComponent(pt.plogin.at_account), i.verifycode = $("verifycode").value, pt.plogin.needShowNewVc ? i.pt_vcode_v1 = 1 : i.pt_vcode_v1 = 0, i.pt_verifysession_v1 = pt.plogin.pt_verifysession || $.cookie.get("verifysession"); var n = $("p").value; pt.plogin.armSafeEdit.isSafe && (n = pt.plogin.armSafeEdit.safepwd), i.p = $.Encryption.getEncryption(n, pt.plogin.salt, i.verifycode, pt.plogin.armSafeEdit.isSafe), i.pt_randsalt = pt.plogin.isRandSalt || 0, window.TDC && TDC.getInfo && TDC.getInfo().tokenid && (i.pt_jstoken = TDC.getInfo().tokenid) } p= $.Encryption.getEncryption(n, pt.plogin.salt, i.verifycode, pt.plogin.armSafeEdit.isSafe)其中n是输入的密码pt.plogin.salts是特殊的字符串、i.verifycode是verifycode字段、pt.plogin.armSafeEdit.isSafe为空。
再看加密的函数
$.Encryption = $pt.Encryption = function() { function t(t) { return e(t) } function e(t) { return u(i(c(t), t.length * m)) } function i(t, e) { t[e >> 5] |= 128 << e % 32, t[14 + (e + 64 >>> 9 << 4)] = e; for (var i = 1732584193, n = -271733879, l = -1732584194, c = 271733878, u = 0; u < t.length; u += 16) { var g = i , d = n , h = l , f = c; i = o(i, n, l, c, t[u + 0], 7, -680876936), c = o(c, i, n, l, t[u + 1], 12, -389564586), l = o(l, c, i, n, t[u + 2], 17, 606105819), n = o(n, l, c, i, t[u + 3], 22, -1044525330), i = o(i, n, l, c, t[u + 4], 7, -176418897), c = o(c, i, n, l, t[u + 5], 12, 1200080426), l = o(l, c, i, n, t[u + 6], 17, -1473231341), n = o(n, l, c, i, t[u + 7], 22, -45705983), i = o(i, n, l, c, t[u + 8], 7, 1770035416), c = o(c, i, n, l, t[u + 9], 12, -1958414417), l = o(l, c, i, n, t[u + 10], 17, -42063), n = o(n, l, c, i, t[u + 11], 22, -1990404162), i = o(i, n, l, c, t[u + 12], 7, 1804603682), c = o(c, i, n, l, t[u + 13], 12, -40341101), l = o(l, c, i, n, t[u + 14], 17, -1502002290), n = o(n, l, c, i, t[u + 15], 22, 1236535329), i = p(i, n, l, c, t[u + 1], 5, -165796510), c = p(c, i, n, l, t[u + 6], 9, -1069501632), l = p(l, c, i, n, t[u + 11], 14, 643717713), n = p(n, l, c, i, t[u + 0], 20, -373897302), i = p(i, n, l, c, t[u + 5], 5, -701558691), c = p(c, i, n, l, t[u + 10], 9, 38016083), l = p(l, c, i, n, t[u + 15], 14, -660478335), n = p(n, l, c, i, t[u + 4], 20, -405537848), i = p(i, n, l, c, t[u + 9], 5, 568446438), c = p(c, i, n, l, t[u + 14], 9, -1019803690), l = p(l, c, i, n, t[u + 3], 14, -187363961), n = p(n, l, c, i, t[u + 8], 20, 1163531501), i = p(i, n, l, c, t[u + 13], 5, -1444681467), c = p(c, i, n, l, t[u + 2], 9, -51403784), l = p(l, c, i, n, t[u + 7], 14, 1735328473), n = p(n, l, c, i, t[u + 12], 20, -1926607734), i = r(i, n, l, c, t[u + 5], 4, -378558), c = r(c, i, n, l, t[u + 8], 11, -2022574463), l = r(l, c, i, n, t[u + 11], 16, 1839030562), n = r(n, l, c, i, t[u + 14], 23, -35309556), i = r(i, n, l, c, t[u + 1], 4, -1530992060), c = r(c, i, n, l, t[u + 4], 11, 1272893353), l = r(l, c, i, n, t[u + 7], 16, -155497632), n = r(n, l, c, i, t[u + 10], 23, -1094730640), i = r(i, n, l, c, t[u + 13], 4, 681279174), c = r(c, i, n, l, t[u + 0], 11, -358537222), l = r(l, c, i, n, t[u + 3], 16, -722521979), n = r(n, l, c, i, t[u + 6], 23, 76029189), i = r(i, n, l, c, t[u + 9], 4, -640364487), c = r(c, i, n, l, t[u + 12], 11, -421815835), l = r(l, c, i, n, t[u + 15], 16, 530742520), n = r(n, l, c, i, t[u + 2], 23, -995338651), i = s(i, n, l, c, t[u + 0], 6, -198630844), c = s(c, i, n, l, t[u + 7], 10, 1126891415), l = s(l, c, i, n, t[u + 14], 15, -1416354905), n = s(n, l, c, i, t[u + 5], 21, -57434055), i = s(i, n, l, c, t[u + 12], 6, 1700485571), c = s(c, i, n, l, t[u + 3], 10, -1894986606), l = s(l, c, i, n, t[u + 10], 15, -1051523), n = s(n, l, c, i, t[u + 1], 21, -2054922799), i = s(i, n, l, c, t[u + 8], 6, 1873313359), c = s(c, i, n, l, t[u + 15], 10, -30611744), l = s(l, c, i, n, t[u + 6], 15, -1560198380), n = s(n, l, c, i, t[u + 13], 21, 1309151649), i = s(i, n, l, c, t[u + 4], 6, -145523070), c = s(c, i, n, l, t[u + 11], 10, -1120210379), l = s(l, c, i, n, t[u + 2], 15, 718787259), n = s(n, l, c, i, t[u + 9], 21, -343485551), i = a(i, g), n = a(n, d), l = a(l, h), c = a(c, f) } return 16 == v ? Array(n, l) : Array(i, n, l, c) } function n(t, e, i, n, o, p) { return a(l(a(a(e, t), a(n, p)), o), i) } function o(t, e, i, o, p, r, s) { return n(e & i | ~e & o, t, e, p, r, s) } function p(t, e, i, o, p, r, s) { return n(e & o | i & ~o, t, e, p, r, s) } function r(t, e, i, o, p, r, s) { return n(e ^ i ^ o, t, e, p, r, s) } function s(t, e, i, o, p, r, s) { return n(i ^ (e | ~o), t, e, p, r, s) } function a(t, e) { var i = (65535 & t) + (65535 & e); return (t >> 16) + (e >> 16) + (i >> 16) << 16 | 65535 & i } function l(t, e) { return t << e | t >>> 32 - e } function c(t) { for (var e = Array(), i = (1 << m) - 1, n = 0; n < t.length * m; n += m) e[n >> 5] |= (t.charCodeAt(n / m) & i) << n % 32; return e } function u(t) { for (var e = _ ? "0123456789ABCDEF" : "0123456789abcdef", i = "", n = 0; n < 4 * t.length; n++) i += e.charAt(t[n >> 2] >> n % 4 * 8 + 4 & 15) + e.charAt(t[n >> 2] >> n % 4 * 8 & 15); return i } function g(t) { for (var e = [], i = 0; i < t.length; i += 2) e.push(String.fromCharCode(parseInt(t.substr(i, 2), 16))); return e.join("") } function d(t, e) { if (!(Math.random() > (e || 1))) try { var i = location.protocol + "//ui.ptlogin2.qq.com/cgi-bin/report?id=" + t; document.createElement("img").src = i } catch (t) {} } function h(e, i, n, o) { n = n || "", e = e || ""; for (var p = o ? e : t(e), r = g(p), s = t(r + i), a = TEA.strToBytes(n.toUpperCase(), !0), l = Number(a.length / 2).toString(16); l.length < 4; ) l = "0" + l; TEA.initkey(s); var c = TEA.encrypt(p + TEA.strToBytes(i) + l + a); TEA.initkey(""); for (var u = Number(c.length / 2).toString(16); u.length < 4; ) u = "0" + u; var h = $pt.RSA.rsa_encrypt(g(u + c)); return setTimeout(function() { d(488358, 1) }, 0), btoa(g(h)).replace(/[\/\+=]/g, function(t) { return { "/": "-", "+": "*", "=": "_" }[t] }) } function f(e, i, n) { var o = n ? e : t(e) , p = o + i.toUpperCase(); return $.RSA.rsa_encrypt(p) } var _ = 1 , m = 8 , v = 32; return { getEncryption: h, getRSAEncryption: f, md5: t } }(), 主函数是h(e,i,n,o),当然该函数内部也调用了其他位置的函数需要整理到一个js文件中没有发现标准的加密函数名那么应该是自定义的加密函数其中有个特殊字符参数" ½"需要注意。
以上是对该过程的简单分析。
------------------------------
IDPython之战
|作|者|公(zhong)号:python之战
专注Python专注于网络爬虫、RPA的学习-践行-总结
喜欢研究技术瓶颈并分享欢迎围观共同学习。
独学而无友,则孤陋而寡闻
---------------------------
转载地址:http://dhmjl.baihongyu.com/
你可能感兴趣的文章
数据结构—栈和队列
查看>>
windows 平台下编程语询字典
查看>>
js中常用的正则表达式总结
查看>>
MySql下实现先排序后分组
查看>>
时光煮雨 Unity3d 序列目标点的移动①
查看>>
Unity3D 装备系统学习Inventory Pro 2.1.2 总结
查看>>
Axure教程
查看>>
20172307 2018-2019-1 《程序设计与数据结构》第1周学习总结
查看>>
Marshal.Copy 之 startIndex 参数的含义
查看>>
python 模拟 java hashcode
查看>>
makefile missing separator. Stop
查看>>
Exception in thread "main" org.hibernate.MappingException: Unknown entity: com.mao.PersonSet
查看>>
maven学习--1.项目结构及简单使用
查看>>
iPhone名称解释专业术语解析汇总
查看>>
Hadoop大数据之准备工作/环境安装
查看>>
备忘录模式(Memento Pattern)
查看>>
C#基础(一)
查看>>
[51nod1190]最小公倍数之和V2(莫比乌斯反演)
查看>>
vc2013使用经验
查看>>
mysql容灾备份脚本
查看>>