百度登陸POST引數分析,password及其他欄位的js處理
阿新 • • 發佈:2019-01-14
首先F12填個登陸資訊,抓個包看看有些什麼收穫;在發出post之前後臺Ajax加了了兩個資料,如下
1.返回as、ts、tk三個欄位
jsonpCallbackb770({code: 0, data: {tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…}}) code:0 data:{tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…} as:"6e8eb328" ds:"JcXUIDsjOM2GBUMUbkaht+BXxcoiU2xXWpyUkjTvVI+fDmy6BUpiKtfN7q/Uq6spgnEn+Fd1zi8hou5pdCKGk8egB6+Yj2lIYBXkN6clSmAmGdq6O9zhbmmJWOOxG+IBx5x6QoOYc1pnjLoCj7r9AtocQnLCZXVhgMLvJH7hGhCK6IbDjHPXLoRAKq5/EPUW62yelMz/cR4D7C4qU8eG3pIuUfaMPe1arjVYbljSgLB7/rF8ENlXLszMrD1TYFwQo6PjYW0fPJQ7mwcCVc+MRd2uriUv6Va7/MxcuAH3nosGW5I52GmnLCxEp7AA5lx1cPpq6Asvo1iq+oqQPpSqxAhtGIU3ilnjM/JfAzpxUGR3lvBKbsN0GHDBUzFgk3aSLtpTObD0Rtip21qYL6auGMd9VE4wWNa9ND1uolHIA/mvT90g/nMLTLV3TjaIe51Y7LrdONmVp2j+1ZW78fUPYFDv+bn4gYN7/YIoMpFQOnA4KJ5BY944uU+CEFQHWG1Oz5/Jgf0XRWVp6p54hSfr6Qdu60k3eFvRMaaZ+6ODmImX0tSY8zu5AmPxNtspOmvdsfUDUetaQ/8eOKIoiLLZMiLuFPGqpyKjs+DVJDHSfteJBmYuz2xqgBOWyGw8ldkO0Hb+M30zkg9ELVv1eH6HMdDBlAm8WFcPdrHcIGWnTCcQJJnCqIy7OF1chuweDhPmZgfD98YtIykgekTjA8mPIvm1TDXOT4ExMAGGamSm9eijlMrlT8M3YSJsjHmbzj+HonQfFvdCQQ6oIdmG1jQmpnAaeznXcQy//rM/ngQZFIJavel866B6UdnjAydX2GdEOssPQndGJH8gRcCJIDtyoES874rdoArPj/CFge3qwxZ6A+/Uss6Jm8QuP6D0FUFYv9JgAi6/fkeblNoL73VI2TryHA8QYe2CQX4jhlKm7a4TzCkPF1vVKXEL66UDSrjRVvFN+gvSRpSiMQACXmQOaLjAMUkjjwL8jfck3ce/u7xqLX7Edib6P9wNpY9UYiYOee/YCel6txobviQuL2sLtWUaKfG/U1WfKcd+sLgg061aitdnrYhVe3fJbIq/vovTiEPqaGokkI9iPFmtnQJ7OsNY32FpUGmb4IzRf97sag38bTa7eWrOa2j+q6mdJGc1/0q2jGFf8q+q1lfkW4vuFoABeFk53R1oElccevowZkgnKZYAkxw6jxWm/D5U/5SY6kiqSL2SVDrGVXEC8c7myK6uW4bLY6CZ0e2XO0wd670qwbOIt1XSfcMdLCjzSYV31YIF8gWMKch9NNXGfP7vcfb9gE3g6lubE9VMi8PcGKkgM7qMKbPyDxrH7Ki7XrOhRs58PNzgjkHyoOY+iZi7ZDt8Q+npR4RqsDEEb0T+Ms+u80HjdcdN9KA647RozqgKQ+Gl/q4m3/9Kr8KTnhQfgQ==" tk:"8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58="
發出這個get請求需要攜帶的引數如下:
ak:1e3f2dd1c81f2075171a547893391274 as:6e8eb328 fs:fpypRBX8u9Np5BnKjpqxf8CDddYtri+t5vKBcCCtAuzEnvE+/o7x5ophYGMSNDLgsErrSHaRFaok3Ye4AhC8h9dvmgTCFfk2WulgJZopGLPPFpPUh6HJs4YOMVnVXhjjbhh2KC+0VWSkp/PEDmao8HlDc41hB5JSxjDwNkeaKXaOajhrBtlqMJ57Ytl4uQQhA1RezD68R1adokZdMtbcsSIG7LjgzmIHiZeQo6sALoXGLi19qvfqzc6SgDR7Rm28232iKBdva523ot7jcfVZjn4yzqrZvnvr+qexQ9JDKFdh1dkQHz4PsJim27H5xju88ErsfCU73u6Tg2M5E3hPHglsMju53egtzTH1n4oJj7i5Um5S1qbQfrpC9cHpIuCppbj6/bH3i70yiENWjEfMMRhIS74RnGRJFnXyITcErq43gT4yWh0NpOu5bhbxDDzQoAG7iYGa6qOW6f0imjz/3g3vN1n31cc6ETXBwP2X5FdHC7kvDomFDBEgLfeM+7Ie43Pcn9u/embMXhSmB8sjmMrcqhKUn/vSZf4l27Y3QwQCaYt3DwKJCz+H1O3yA+Jzheb1lkGjtXU/T2NyTb+uARntkCxe/FUI3/RDe5PocbWYKKO9MCdTGjyRpUA/BiRuwfDA7dt4LoY0Zf4c3MbMkZh0OEKuMYza7Ul9qKwIjoQLmKRByFHuoco0EUlzT1pJNtTofZ+oW18ZgZw9hrH36lmTsjJ0ZZ+l++XWcKgWKrVLt8l8H96w/hB1HiFzPpngL2TR00W6somXXtOrFJy99m3JOS78yDnNhyOKlXwwwSHeTm2fwGRx2nzurUUaZV18ecXVzvtJTkzmHoMLyUUtJvxEcAfKJiQxkkhs0XjvIRPjLj3ze/tXDCyeuWbm1Tfx7Wbjovp0NvZ+SiZ+ys8GhnvxYnB18JeTh4QCporODhXTLlXQxElQVRvZSaVcryoYnRXuMoqMKKaWo7R6fS2Elv+4M6BuFz7CPj6ENxTWl9C9N4y9+pbHOCIWepy5n2SQSieEzhLdCfzC0IUY6YHmwuEi48HI50RjQNsJcPtaDXlOURR7z5ybEPphYiKCTlPi53bCupmfx+XZXHu/JdEpQqtomznwo857DYjorpkL5wKNuw9GBzOCqUUe2cvmDKhdplav//YBZCtWkH2v/AIAVzrqzLH8RGFIB2Wie7xj9bN+HfIASPfwrH+I/nxih9xMFd340Q7z/WwUDBkUDvhOFSaJm6Bv8scS2Y1hNPJEv1tJ0FIEZS75J0fS9AF7fx/sKEv+e/itlfDuHfXNxYmMbcHziPOR90fo1S6spyXuqGsi0QkVnUSc5tKLaCxWYTGJDiJBk10UIhdgtjxOC7RhRebFiTsiAESL7f8to2zy42oEga5dJBbAVFLNUSKK+uMfM9Wu4DD+JJXHcY+86l03+w== callback:jsonpCallbackb770 v:6633
也就是說我們需要分析出ak、as、fs、v、callback這幾個欄位的來源
2.返回key、pubkey
errno:"0" key:"oqeFiMtTJkyE7rhXq04bEE0xjX3sR09A" msg:"" pubkey:"-----BEGIN PUBLIC KEY-----↵MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNnGNrfFkygOeBatSz8A2bDyIG↵i0DonH36pzjQF10gnI/1flW+Q521/Y+KRUeNZhSS66sscyQkIFwcAgo0dWADX4oS↵B3EfP+l6xoOyu6Xvfq3S7c5xq75Y9g4sDXBDm55We30ca7hHRXvKaZKU9smj/RSd↵BR7UIfFoBFYnIRCEvQIDAQAB↵-----END PUBLIC KEY-----↵" traceid:""
要得到這兩個引數看請求攜帶了什麼東西
token:cfde53efbe26bdef8ad3b2147eb10417
tpl:mn
apiver:v3
tt:1546826783617
gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
loginversion:v4
traceid:
callback:bd__cbs__8sabl9
需要的欄位還挺多看樣子有點棘手.
再看post請求所需的引數
staticpage:https://www.baidu.com/cache/user/html/v3Jump.html
charset:UTF-8
token:cfde53efbe26bdef8ad3b2147eb10417
tpl:mn
subpro:
apiver:v3
tt:1546826812217
codestring:
safeflg:0
u:https://www.baidu.com/s?ie=utf8&oe=utf8&wd=%E7%99%BE%E5%AE%B6%E5%8F%B7&tn=98012088_6_dg&ch=9
isPhone:false
detect:1
gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
quick_user:0
logintype:dialogLogin
logLoginType:pc_loginDialog
idc:
loginmerge:true
splogin:rate
username:18328496803
password:fQ99xuV0uzmnEciyYZYOUYHWIJhh6ttVYy3IkwWfhdgnCaQNCMUVgbr42SKSqOF7evv27tHdHK0SLHQfoodNDVg4g7skCR8qKMX1LYCwXcxxwhqwnabbxT5kie4T/uyygdF26qoizpNZKzTsFM3Uq3z2lsUlwp4vKvBOFoeK3tQ=
mem_pass:on
rsakey:oqeFiMtTJkyE7rhXq04bEE0xjX3sR09A
crypttype:12
ppui_logintime:40718
countrycode:
fp_uid:
fp_info:
loginversion:v4
ds:wfHjARADdpfQhbI+jByC0wNU1p6S2oHEJEmVtSteNLIkXjTbCf6QEAcrj/g+J5WBB1P9WF+yrXZ0BeNi95/F50mSj7s6GvbQd9FPVT10CpVr/aaDtTxJI6rKhv0FgeWIzvedO0D14y6g5mZROSJU8f1kDyQywaFzmbgQWq9KUMk4sumxxnjtx+qmYDsVfv4tmuwVkjWzp8nds1OYyAcnbZ8HIV2qqhqVGRsuTdLJIWMPAq2AwUQMfbhh+s4isjP1Itt/jtOr2HmHp5xA7j5U1pzehy/cUBsoHfNpPuNPVBhOaSnEKalOGUO4tsOF4SWW/u2Xxh3NhT4o8rB7N8Nwf0Fo/zw79e6fWdIQW6c6HQUA4jxHuNRq+xrfFfR+JriP+K2B0LzayO5Ejca/r5JELarFUoCFPv5N+rcdtoOsD3Vi8CmlHHaclQtldXIx/LirlDZ/0nbcYQjcSTE6J8xHPaEJCY9DvLoQymMkzY7S5nnogaiKz+y9CIKph8ux8JaZLoQrjEJ9sKCvZRwFdT3oh/nz6uoxSOl8C1cLnJa+cTTKCen6qicaBjXyajIues99nxZs1hDk2e3TbPrD/oZwlmTq7MA7ZLXVgU4xije9TsyZR6gDEp/lZXAP40gCE/eJUDZe8IcDFU9tSSV27k1PhGFtyfq6ckIezNA6xseQH4rboWX4r1w58HMvOSJDFkU22DIr1Q1CAQ791PyMgf8YnvELL4cMmw/AiVJgcMJtBmmevJTbjTjbsJJi6s1LPcQor01O8L9rs0Eb7pQ7s2PrI0LydgWGiCV21G5otjfjAm98SDEVmyHrFxTM7cy0nHSUw1jfYWlQaZvgjNF/3uxqDfxtNrt5as5raP6rqZ0kZzX/SraMYV/yr6rWV+Rbi+4WgAF4WTndHWgSVxx6+jBmSMue96V5BmUQQ7JISSrD1yjqSKpIvZJUOsZVcQLxzubIrq5bhstjoJnR7Zc7TB3rvSrBs4i3VdJ9wx0sKPNJhXfVggXyBYwpyH001cZ8/u9x9v2ATeDqW5sT1UyLw9wYqSAzuowps/IPGsfsqLtes6FGznw83OCOQfKg5j6JmLtkO3xD6elHhGqwMQRvRP4yz67zQeN1x030oDrjtGjOqApD4aX+ribf/0qvwpOeFB+B
tk:8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=
dv:[email protected]4Gb0lGUwlCG6bSzwyFmlXsbBys2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0jsAHjJk0lsNll7o8hABS54HUJGUhAHodXsowJtrobt~SetY4ZsA4zsA8dsAqy7kqZn0oD8UvhAnwJHo64Gb0lGUwlCG6bSzwyFmlX6kBUs2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0Us1QzJq__tl0lesAqbsmlb6AQZ6kpjDmXdDA4y7ksUD5lU6bQb72l~DkqZsA0U7k0lDkqz7o8hABS54HUJGUhAHodXsowJFYwyOGlx61HZsbql7kscskCc72l_-hhIyhBA4VsthBlIs5lXsmlXsq__ClvSrZl714y6AqbDABl61HUDk4bs1BbsAHj61Qy61t~sABy6l__ilEImXUOY83FY3RFE4_ul0eh61HZsABysmlXDAqb7k0xsbHZsABysmlXskQl7k0cs1qZsABysmlc6bt_
traceid:44622A01
callback:parent.bd__pcbs__jf1wx1
上面標紅的就是我們要重點關照的欄位
然後搜尋token的值,發現在一個js檔案裡面,然後提取js檔案url出來分析
URL
https://passport.baidu.com/v2/api/?
getapi&tpl=mn&apiver=v3&
tt=1546834671350
&class=login&
gid=E7C72FB-C518-4030-BB7E-555DD8046BE6
&loginversion=v4
&logintype=dialogLogin&traceid=&
callback=bd__cbs__600yh6:formatted
```
多次測試結果情況就是這個get請求返回的結果之和gid相關,其他引數都可以使用固定值,即使不懈怠tt、callback引數也能返回正常的token並且,不懈怠callback引數請求返回的是標準json格式。
看一下git生成
搜尋一下gid=的生成找到下面一段程式碼
```
o.on("hide", function() {
var o = document.location.protocol.toLowerCase()
, e = n.guideRandom ? n.guideRandom : "";
if ("http:" == o)
var t = "http://nsclick.baidu.com/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();
else if ("https:" == o)
var t = "https://passport.baidu.com/img/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();
```
gid = e= n.guideRandom ? n.guideRandom : "",順藤摸瓜找到生成gid的js
```
this.guideRandom = function() {
return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {
var t = 16 * Math.random() | 0
, n = "x" === e ? t : 3 & t | 8;
return n.toString(16)
}).toUpperCase()
}(),那就應該是這樣的了
```
callback
這個引數和返回來的相應檔案開頭相同,猜想應該是可以自定義的,可以用固定值,不過還是看看他的來源;多請求幾次發現固定部分是parent.bd__pcbs__,然後全域性搜尋相關找到兩條js
```
var l = r.timeOut || 0
, d = !1
, u = c.getUniqueId("bd__pcbs__");
e.getUniqueId = function(e) {
return e + Math.floor(2147483648 * Math.random()).toString(36)
}
```
可見核心程式碼:e + Math.floor(2147483648 * Math.random()).toString(36)
接著看tt
tt引數是時間戳*1000取前13位
gid
請求token的gid和post請求的gid是同一個,可以生成,也可以使用一個固定值
password
重點的加密欄位,查詢對應來源js程式碼如下
```
o.password = baidu.url.escapeSymbol(e.RSA.encrypt(a)
```
很明顯是RSA 加密,pubkey是在傳送post請求之前的一個get請求而來,進一步簡化這個get請求,只需要攜帶gid、token就可以返回pubkey
https://passport.baidu.com/v2/getpublickey?token=cfde53efbe26bdef8ad3b2147eb10417&gid=EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
針對password可以直接使用Python實現RSA加密,然後使用Base64編碼結果,對於完整的js實現留在第二篇分析
rsa
rsa是請求pubkey一同返回的key欄位
tk、ds
文章開頭的一個get請求返回的資料
dv
一長串字元看樣子有點難度,尚不知道這個引數的作用,那麼有三種解決方案,複製一個固定值、留空白值、破解生成函式,不到最後是不願意去找js的。下面看看這個引數生成的js出處
```
var a = document.getElementById("dv_Input")
, c = {
gid: n.guideRandom || "",
username: n._SBCtoDBC(i.value),
countrycode: s,
bdstoken: n.bdPsWtoken,
tpl: n.config.product ? n.config.product : "",
vcodestr: n.getElement("smsHiddenFields_smsVcodestr").value,
vcodesign: n.getElement("smsHiddenFields_smsVcodesign").value,
verifycode: n._SBCtoDBC(n.getElement("confirmVerifyCode").value),
flag_code: n.config.voice_sms_flag,
dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""
}
```
dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""
除錯時在開啟頁面的同時就生成了這個值,那麼可以考慮是一個固定值或者使用固定值,還不確定需要在看看js
function d(e) {
M && (x = e.token + "@" + S(e, e.token),
(1 & F.SendMethod) > 0 && c(x))
}
function c(n) {
var r = t.getElementById("dv_Input");
r && (r.value = n),
e.LG_DV_ARG.dvjsInput = n
}
在c函式上面找到d函式,看樣子應該八九不離十了,在除錯一下看什麼情況,繼續查詢S函式
```
function S(e, t) {
var r = new n(t)
, o = {
flashInfo: 0,
mouseDown: 1,
keyDown: 2,
mouseMove: 3,
version: 4,
loadTime: 5,
browserInfo: 6,
token: 7,
location: 8,
screenInfo: 9
}
, a = [r.iary([2])];
for (var i in e) {
var d = e[i];
if (void 0 !== d && void 0 !== o[i]) {
var c;
"number" == typeof d ? (c = d >= 0 ? 1 : 2,
d = r.int(d)) : "boolean" == typeof d ? (c = 3,
d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,
d = r.bary(d)) : (c = 0,
d = r.str(d + "")),
d && a.push(r.iary([o[i], c, d.length]) + d)
}
}
return a.join("")
}
```
未完待續······
------------------------------
ID:Python之戰
|作|者|公(zhong)號:python之戰
專注Python,專注於網路爬蟲、RPA的學習-踐行-總結
喜歡研究和分享技術瓶頸,歡迎關注
獨學而無友,則孤陋而寡聞!
---------------------------