加密方法远程调用采用了RPC (Remote Procedure Call)协议,即远程过程调用协议。我们让浏览器充当客户端,并通过WebSocket将加密参数值发送给服务端(用Python写一个),这样的话我们就不需要花费大量时间去逆向了。下面我们就通过一个微博登录示例来演示下RPC的用法。
了解登录加密参数
首先打开微博页面,点击右边的立即登录按钮后就会在新窗口中打开登录页面。
随便用什么账号密码登录下后,就可以抓到登录请求链接(验证码通过不在本文考虑范围内)。
接着我们就可以看到加密参数了。
定位加密参数生成位置
我们全局搜索下加密参数rsakv即可快速定位到加密参数生成位置。
添加断点后验证无误。而且现在我们可以知道变量b中就包含了所有加密参数的值。因此,我们将b的值通过RPC发送给服务端即可。
编写客户端和服务端代码
将js文件覆盖重写,然后添加WebSocket客户端代码。
代码目的很明确,就是连接到服务端,接收服务端传过来的账号密码并将加密后的值返回给服务端。
var ws = new WebSocket("ws://127.0.0.1:9999");
ws.open = function(e){};
ws.onmessage = function(e) {var data= e.data;var result = data.split(",");i.form.username = result[0];i.form.password = result[1];console.log(i.form)b.username = i.form.username,b.pass = Jh("".concat([rp(), np()].join(" "), "\n").concat(i.form.password), s.pubkey),b.cid = i.form.mfaId,b.pwencode = "rsa",b.rsakv = s.rsakv,i.showCode && (b.ccode = i.form.ccode)ws.send(JSON.stringify(b));
};
服务端代码编写如下:
import asyncio
from websockets.server import serveasync def send_msg(websocket):username_password_list = ['11111111111,111','12345678900,123','66666666666,666',]for username_password in username_password_list:await websocket.send(username_password)async def recv_msg(websocket):while 1:recv_text = await websocket.recv()print(recv_text)async def execute(websocket):await send_msg(websocket)await recv_msg(websocket)async def main():async with serve(execute, "localhost", 9999):await asyncio.get_running_loop().create_future()asyncio.run(main())
先运行服务端代码,然后在登录页面按下Ctrl+Shift+R重新加载被覆写的js文件。
接着点击登录按钮后就可以看到控制台输出了我们需要的信息。
服务端接收到的值。
{"method":"POST","entry":"miniblog","source":"miniblog","type":1,"url":"https://weibo.com/newlogin?tabtype=weibo&gid=102803&openLoginLayer=0&url=https%3A%2F%2Fweibo.com%2F","username":"11111111111","pass":"1d66f2b206809a66a3a3c8e8a1c164153695ba9e4a7c9ae042b94b740cd609589a9d8d2cebea85dd3f9b0fcd367e29097d60dc6a3ffad801078c48dbef7b549ba4cbc59ae175fc5248f6c45ba9f5df976c91d29b9c2004131bfa5e4dd0d25976275aed9a4ede2f5b050cf2d998b42122ffe6a4988c47b8daf48beb630dccf83a","cid":"","pwencode":"rsa","rsakv":"1330428213","disp":"popup"}
{"method":"POST","entry":"miniblog","source":"miniblog","type":1,"url":"https://weibo.com/newlogin?tabtype=weibo&gid=102803&openLoginLayer=0&url=https%3A%2F%2Fweibo.com%2F","username":"12345678900","pass":"8dc06ec4644537c6a5cee88a392966ff4b5131b7f59eec2dccb97784f860689159f6c0eaa8dae841f7a4f5aae942c81c1397193a506833069f2724bf5ed00bbf3e68f5b5b591fb724d863bc04a279812d7ae8a604bb6791480720d2a432bcad08f979215e145a6c24f84d76e83b3a26a5e002bfcfdf08e03bafa06ef47dff8ec","cid":"","pwencode":"rsa","rsakv":"1330428213","disp":"popup"}
{"method":"POST","entry":"miniblog","source":"miniblog","type":1,"url":"https://weibo.com/newlogin?tabtype=weibo&gid=102803&openLoginLayer=0&url=https%3A%2F%2Fweibo.com%2F","username":"66666666666","pass":"d494239ec4610ec299c390fb62a8970e0110661ab95ba02899c4b92777698c792dd5ba49b9a79c84ad7823722d86a0f918bb328c53137883d3839cb119ce1fba376ee62b694349c6cce4d59bb9e44e67e1f03df4fe36be8f53241ef19106962d7a3eda950e357d0c0486c443ceebf59db71ce91c47df79a6df2018adc9c35c3d","cid":"","pwencode":"rsa","rsakv":"1330428213","disp":"popup"}
![2024.9.9(极客大挑战 2019]EasySQL,[极客大挑战 2019]Knife)](https://i-blog.csdnimg.cn/direct/a3af68333eef4705aff32f7aa134546d.png)
