JS Reverse Engineering Case Study: The Magical Use of Prototype

If the direction is wrong, the effort is wasted. The same goes for crawlers. The case shared today illustrates this well.

Target: Purchasing information of a group company

aHR0cHM6Ly9lYy5taW5tZXRhbHMuY29tLmNuL29wZW4vaG9tZS9wdXJjaGFzZS1pbmZv

Capturing the request in the browser shows that the request payload contains only one encrypted parameter, param.

A global search for "param:" returns many results; searching for "JSON.stringify(" instead returns 6 results.

After setting breakpoints and debugging, the encryption entry point is easily found inside the encryptLong function shown below.

Follow the definition of encryptLong, set a breakpoint at its return, then turn the page or refresh it, and step through. It turns out that the encrypted parameter param is produced by the encrypt function processing the incoming parameter A, after which the w function generates the final value.

It is easy to see that parameter A is the string converted from the original request payload, as shown in the figure below.

Following the w function above, it turns out to be a simple function that only calls standard functions, so it can be used directly without any reverse engineering, as shown in the figure below:

What remains is the encrypt function above. Following it shows that it lives in another js file, one packaged by webpack, and it is easy to see that it calls three non-standard functions internally, which need to be resolved.

At this point, pulling these three functions out of the bundle one by one is a thankless task: there will always be some function missing.

I wasted a lot of time here at first; I eventually got an encrypted result, but the ciphertext length was wrong, and the Python request would fail from time to time.

The second idea, then, is to rebuild the webpack loader and call the encrypt function through its module. Following this line of thinking, you can eventually get the result, but it takes half an hour or even longer, depending on your proficiency with webpack.

This post shares the easiest way. Note that the encryptLong function above is defined on a prototype.

At the same time, each request is accompanied by a request to the public endpoint, and the returned result is a string that is obviously a public key, so it can be inferred that RSA asymmetric encryption is in use.

Once this is realized, the solution follows: import the jsencrypt module, then add the encryptLong function to its prototype, and the encryption is reproduced. A screenshot of the final encryption JS code is shown below:

Note:

  1. Before encryption, the original request payload object (i.e. the Python dict in the figure below) needs to be processed, including adding sign and adding a timestamp. To use the b function in the figure below, it has to be pulled out of the bundle; of course, the properties can also be added to the object by hand.

  2. The sign parameter is the MD5 on line 2442 of the second figure of this post; you can pull out the u function, or use the crypto-js library.

Here is the Python code:

```python
import requests
import execjs


def get_pubkey():
    """Fetch the RSA public key string that the page requests before each query."""
    cookies = {
        'SUNWAY-ESCM-COOKIE': '87e7733f-33b7-4477-92b4-daa17e4d74df',
    }
    headers = {
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Cache-Control': 'no-cache',
        'Connection': 'keep-alive',
        # 'Content-Length': '0',
        # 'Cookie': 'SUNWAY-ESCM-COOKIE=87e7733f-33b7-4477-92b4-daa17e4d74df',
        'Origin': 'https://ec.minmetals.com.cn',
        'Pragma': 'no-cache',
        'Referer': 'https://ec.minmetals.com.cn/open/home/purchase-info',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Site': 'same-origin',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
        'sec-ch-ua': '"Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"',
        'sec-ch-ua-mobile': '?0',
        'sec-ch-ua-platform': '"Windows"',
    }

    response = requests.post('https://ec.minmetals.com.cn/open/homepage/public', cookies=cookies, headers=headers)
    return response.text


cookies = {
    'SUNWAY-ESCM-COOKIE': '87e7733f-33b7-4477-92b4-daa17e4d74df',
}
headers = {
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/json',
    # 'Cookie': 'SUNWAY-ESCM-COOKIE=87e7733f-33b7-4477-92b4-daa17e4d74df',
    'Origin': 'https://ec.minmetals.com.cn',
    'Pragma': 'no-cache',
    'Referer': 'https://ec.minmetals.com.cn/open/home/purchase-info/?tablndex=0',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
    'sec-ch-ua': '"Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
}

# Compile the JS from the screenshot above: it loads jsencrypt, adds encryptLong to
# its prototype, and exposes get_param(payload, pubkey) which signs and encrypts.
ctx = execjs.compile(open('./wukang3.js', 'r', encoding='utf-8').read())

for page in range(1, 5):
    # Original request payload as captured in the browser; only pageIndex changes.
    data = {"inviteMethod": "", "businessClassfication": "", "mc": "", "lx": "ZBGG", "dwmc": "", "pageIndex": page}
    # print(data)
    # The public key is fetched again for every request, mirroring the page's behaviour.
    params = ctx.call('get_param', data, get_pubkey())
    print(params)
    json_data = {
        'param': params,
    }
    response = requests.post(
        'https://ec.minmetals.com.cn/open/homepage/zbs/by-lx-page',
        cookies=cookies,
        headers=headers,
        json=json_data,
    )
    print(response.status_code)
    print(response.text)
```

The crawled results are as follows:

If you need the js code, please leave a comment.

Criticism and corrections are welcome!

Origin blog.csdn.net/weixin_45387160/article/details/128912967