url:https://www.doyo.cn/passport/login?next=/
1、抓包得到2个Ajax文件,根据名字猜测与登录相关的请求名字为login
# 多次抓包,分析可得:
- 请求地址:https://www.doyo.cn/User/Passport/login
- 请求方式:POST
- 请求头:无特殊
- 请求体:
username: ahxbhhjbq
password: bfdadc43792dfce972e2a8f06b994160828e088e # 变化
remberme: 1
next: JTJG
2、通过观察发现请求体中只有password参数变化,其余三个参数固定
3、通过请求地址进行搜索,发现只有一个搜索结果,其中第103行可疑:
4、双击进入第103行代码,发现:
// 发现:
// 1.password的生成与nonce、ts有关,而nonce、ts在 https://www.doyo.cn/User/Passport/token 的请求结果中,故可先通过发送请求到该网址以获取nonce、ts值
// 2.password加密方式:Sha1.hash(...)
pwd = Sha1.hash($(".login_grey[name='user_password']").val());
pwd = Sha1.hash(nonce+ts+pwd);
5、进入Sha1.hash内部,将代码复制黏贴到 douyou.js 中
python代码整合:
import json
import requests
import random
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding='utf-8')
import execjs
headers = {
"Referer": "https://www.doyo.cn/passport/login?next=https://www.doyo.cn/",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
}
def get_nonce_and_ts():
url = "https://www.doyo.cn/User/Passport/token"
params = {
"username": "awacaerv",
"random": random.random()
}
res = requests.get(url, params=json.dumps(params), headers=headers)
nonce = res.json()['nonce']
ts = res.json()['ts']
return nonce, ts
def get_password(nonce, ts):
input_pwd = "1234567"
with open("douyou.js", 'r', encoding='utf8') as f:
JS_code = f.read()
JS = execjs.compile(JS_code)
password = JS.call("Sha1.hash", input_pwd)
password = JS.call("Sha1.hash", nonce + str(ts) + password)
return password
if __name__ == '__main__':
nonce, ts = get_nonce_and_ts()
password = get_password(nonce, ts)
print(password)
url = "https://www.doyo.cn/User/Passport/login"
data = {
'username': 'awacaerv',
'password': password, # 变化
'remberme': '1',
'next': 'JTJG',
}
res2 = requests.post(url, data=data, headers=headers)
print(res2.text)
标签:nonce,逆向,www,逗游网,ts,js,https,password,cn From: https://www.cnblogs.com/SyrLy/p/17591799.html