Disclaimer: This article is for learning and discussion only. Using it for illegal purposes, commercial activities and the like is prohibited; otherwise, you do so at your own risk. If anything here infringes, please let me know and it will be deleted. Thank you! This tutorial is not written specifically for any particular website; it is purely technical research.
Case analysis
Target case: aHR0cHM6Ly93d3cuY2VhaXIuY29tLw==
1. Relevant interface and difficulties
Note: flight search interface
Parameter analysis
Deleting cookies in the Cookies view of the Application panel shows that the server only validates three of them:
acw_tc: returned by set-cookie
HMF_CI: returned by set-cookie
inter: if this value remains unchanged, no data can be requested
On first load, we can see that the page makes two requests, which return two cookie values. The inter cookie is returned by newCheckToken.
That is all there is to this part. Let's continue.
The code generated by copying the request as cURL does not run. We tried many times and it failed each time, although retrying through the browser works. The request sent through request does not pass either. At first we did not understand how to turn the page. Comparing packet captures shows that this value is modified on every request, while its first half does not change. We can copy it and send the request again.
Let's see how it is generated. Here you can see that the timestamp is divided by 1e9, so we modified it and found that the request passes once the value returned in the cookie is added.
However, the submitted data did not include the Shanghai-to-Beijing data. Analysis showed that this was the Referer. That value is submitted in the request above, but its searchKey value is encrypted. We kept searching and found it at our breakpoint in main.js.
You can turn off the formatting of main.js in Sources by changing this option in Settings. We set the next breakpoint there. At the breakpoint, we find that the value is the city and ticket data we chose, encoded with base64 and then concatenated with r. The r value is fixed at the top, so we can hard-code it too.
Continuing execution, we find that if the shakehand value is removed, no data is returned. The value is always the same, differing only between interfaces, so we still need to look at it directly. A search shows that it is the second half of the link concatenated with a value.
Here you can see that it is the MD5 of the concatenated data. We can check it with an online MD5 tool: if it is standard MD5, it can be reproduced directly in Python. The online check confirms that it is standard MD5. For the Python call, I wrote it as a function:
    import hashlib

    def get_md5(data):
        # Return the hex MD5 digest of a UTF-8 encoded string
        md5 = hashlib.md5()
        md5.update(data.encode('utf-8'))
        return md5.hexdigest()
After hashing with MD5, we find that this works completely, so this article ends here!!!
Bye-bye!!!
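Seen from the defending side, the shakehand finding above means that a digest computed from client-visible inputs can be reproduced by anyone who reads the script. The following is an added example, not code from this article or from the site, contrasting such an unkeyed MD5 with a server-issued HMAC token bound to session, path and expiry. The salt, secret, session ids and endpoint path are constructed assumptions.

```python
import hashlib
import hmac
import time

# All values below are constructed for illustration; none come from the site.
STATIC_SALT = "constructed-static-salt"        # stands in for a constant visible in client JS
SERVER_SECRET = b"constructed-server-secret"   # stays on the server, never shipped to clients


def static_md5_token(path: str) -> str:
    """Unkeyed scheme: MD5 over the request path plus a client-visible constant."""
    return hashlib.md5((path + STATIC_SALT).encode("utf-8")).hexdigest()


def issue_token(session_id: str, path: str, now: int, ttl: int = 60) -> str:
    """Server-issued scheme: HMAC-SHA256 over session, path and expiry time."""
    expires = now + ttl
    msg = f"{session_id}|{path}|{expires}".encode("utf-8")
    return f"{expires}." + hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, session_id: str, path: str, now: int) -> bool:
    """Reject malformed, expired or mismatched tokens; compare in constant time."""
    expires_str, _, mac = token.partition(".")
    if not (expires_str.isascii() and expires_str.isdigit()) or not mac:
        return False
    if now > int(expires_str):
        return False
    msg = f"{session_id}|{path}|{expires_str}".encode("utf-8")
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    now, path = int(time.time()), "/api/search"  # hypothetical endpoint
    # The static digest is identical for every caller, so it proves nothing per session.
    print(static_md5_token(path) == static_md5_token(path))
    tok = issue_token("session-A", path, now)
    print(verify_token(tok, "session-A", path, now))        # same session, in time
    print(verify_token(tok, "session-B", path, now))        # different session
    print(verify_token(tok, "session-A", path, now + 120))  # after expiry
```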
Show results
Code analysis
Remarks: This one is too simple, so I won't share the code. The article mainly covers the way of thinking when you run into this kind of problem.