【web_逆向09】AES加密逆向实战

目标网站

• 话不多说，直接干：https://www.XXXX.com/rank_m/c7/, 可以联系本人微信号：wxid_ps0bm4kbsl0t22

寻找加密入口

• 查看接口数据，发现入参、出参都是经过加密的，需要加密、解密
  
• 查看Initiator中，发现promise。异步
  
• 通过interceptors搜索，往回找不一定能找到，可以考虑正向搜索
  
• 注意事项，固定逻辑

/**

 # 异步框架....固定的逻辑.
 # 执行过程
 #    next表示下一步执行哪里...
 #    return 语句表示给下一步传递的消息.  上一步return的东西是下一步. 接受到的东西
 #    sent 是接受上一步return回来的东西.
 #    abrupt 第一个参数如果是return. 表示该异步逻辑. 彻底结束. 第二个参数是真正的返回值.
 #    stop 终止该异步逻辑....
 # 该异步框架是对promise和async await 的封装.
 #
return tianwanglaozi.....wrap((function(e) {  # 事件循环...event loop
    for (; ; ) // 死循环
        switch (e.prev = e.next) { // switch
        case 0: // 第一次执行....
            e.next = 2 ; //  下一步是2
            // 百分之百是promise
            return me.search.getSearchSalaryList(pe(pe({}, y), {}, {
                pageNum: f.current,
                limit: 15
            }));
        case 2:
            t = e.sent,
            a = t.resdata,
            1 == t.rescode && a && (n = a.salarys,
            r = a.pageCount,
            c = a.totalCountStr,
            l = a.company,
            s = a.recCompany,
            x((function(e) {
                return (0,
                F.JO)(f.current, e, n)
            }
            )),
            z(+r || 0),
            K(c || ""),
            Z(l || null),
            D(s || []),
            J(!1));
        case 3:
            e.abrupt("return", xxx)  #  结束了...真的结束了.
        case 6:
        case "end":
            return e.stop()  # 彻底停止...
        }
}
), e)



a: 随机  -> 作为AES加密的IV
 mode: cbc模式
n: 参数(json字符串)

 */

• 入口步骤
  

数组类型的key处理方式

如果见到的东西. 是这个样子的.
{
    "words": [
        1193550929,
        1635214187,
        1197891916,
        1111046002
    ],
    "sigBytes": 16
}

• 1、先转换成字符串子

  • key.toString() => 16进制的数字....hex... => 字节....
    

• 2、直接使用console转换成功字节
  

• 3、使用python处理

import binascii
s = "472424516177636b4766614c42393772"

bs = binascii.a2b_hex(s)
print(bs)   #'G$$QawckGfaLB97r'

python代码完成加解密

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
import base64,json
import requests

def encrypt(data):
    aes = AES.new(key=b'G$$QawckGfaLB97r',mode=AES.MODE_CBC,iv=b'GKLqVnx1kHNt286G')
    data_json = json.dumps(data,separators=(',', ':'))
    data_bs = pad(data_json.encode('utf-8'),16)

    miwen = aes.encrypt(data_bs)
    b = base64.b64encode(miwen).decode()
    b.replace("/", "_").replace("+", "-").replace("=", "~")
    return b

def decrypt(s):
    aes = AES.new(key=b'G$$QawckGfaLB97r',mode=AES.MODE_CBC,iv=b'GKLqVnx1kHNt286G')
    bs_s = base64.b64decode(s)
    ming_bs = unpad(aes.decrypt(bs_s),16)
    data_dic = json.loads(ming_bs.decode())
    return data_dic

if __name__ == '__main__':
    data = {
        "cityCode": 7,
        "industryCode": "",
        "curPage": 1
    }

    session = requests.Session()
    session.headers = {
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
    }
    url = 'https://www.xxx.com/api_to/channel/salary/list.json'
    param = {
        "b" :encrypt(data),
        "kiv":'GKLqVnx1kHNt286G'
    }
    res = session.get(url=url,params=param).text
    # print(res)

    # 解密数据
    shuju = decrypt(res)
    print(shuju)

使用JS加解密，python调用

• js代码，xxx.js

var CryptoJS = require("crypto-js");


var n = function() {
        var e, t, n, r, i = null;
        return i || (t = new RegExp("\\u200c","g"),
        n = new RegExp("\\u200d","g"),
        r = new RegExp(".{8}","g"),
        e = "‍‌‍‍‍‌‌‌‍‍‌‍‍‌‍‍‍‍‌‍‍‌‍‍‍‌‍‌‍‍‍‌‍‌‌‍‍‍‍‌‍‌‌‌‍‌‌‌‍‌‌‍‍‍‌‌‍‌‌‍‌‍‌‌‍‌‍‍‍‌‌‌‍‌‌‍‍‌‌‍‍‌‌‍‍‍‍‌‍‌‍‍‌‌‍‍‍‌‍‍‍‍‌‍‍‍‌‌‌‍‍‌‍‍‌‌‍‌‌‌‍‌‌‌‍‍‌‍".replace(r, (function(e) {
            return String.fromCharCode(parseInt(e.replace(t, 1).replace(n, 0), 2))
        }
        )),
        i = {
        key: CryptoJS.enc.Utf8.parse(e),
        mode: CryptoJS.mode.CBC,
        pad: CryptoJS.pad.Pkcs7
    }),
    i
}();

var iv = "GKLqVnx1kHNt286G";

function encrypt(data){
    let s = JSON.stringify(data);
    let r = CryptoJS.AES.encrypt(s, n.key, {
        iv: CryptoJS.enc.Utf8.parse(iv),
        mode: n.mode,
        padding: n.pad
    });
    return r.toString().replace(/\//g, "_").replace(/\+/g, "-").replace(/=/g, "~")
}

function decrypt(s){
    let r = CryptoJS.AES.decrypt(s, n.key, {
        iv: CryptoJS.enc.Utf8.parse(iv),
        mode: n.mode,
        padding: n.pad
    });
    return JSON.parse(r.toString(CryptoJS.enc.Utf8));
}

• python代码

import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding='utf-8')

import execjs
import requests

session = requests.session()
session.headers = {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}

f = open("xxx.js", mode='r', encoding="utf-8")
js = execjs.compile(f.read())
f.close()

url = "https://www.xxx.com/api_to/search/salary.json"

data = {
        "cityCode": 7,
        "industryCode": "",
        "curPage": 1
    }
params = {
    "b": js.call("encrypt", data),
    "kiv": 'GKLqVnx1kHNt286G'
}

resp = session.get(url, params=params)
print(resp.text)

# 数据解密....
print(js.call("decrypt", resp.text))