Logging in to Baidu with Python - doranbai/Note GitHub Wiki
This is the login endpoint; the page POSTs data to it. First, look at what gets posted. These are the headers:
POST /v2/api/?login HTTP/1.1
Host: passport.baidu.com
Connection: keep-alive
Content-Length: 3065
Pragma: no-cache
Cache-Control: no-cache
Origin: https://www.baidu.com
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: nested-navigate
Referer: https://www.baidu.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: HOSUPPORT=1; BAIDUID=11E6A4C8A28B18418B1B1A84ECBF8D17:FG=1; UBI=fi_PncwhpxZ%7ETaL93wQc-oO%7EP9Y3dIKWno10QsgD%7EvNqhnXBbZCOGYK9Z5xqD%7ExrZgA4ypsVroe4QVG%7E9Sw; BIDUPSID=11E6A4C8A28B18418B1B1A84ECBF8D17; PSTM=1577099419; delPer=0; H_PS_PSSID=1442_21081_30210_30283_26350; pplogid=1871qFi5zy2TXXUrpwLOJDtvMTRgxHGKmpv%2BK4993qY29lSiFVr5q6tiHKXkLJuL0dP8hj%2FYcUGwDbPdM2zBCJLegw%3D%3D
This is the POSTed data:
staticpage: https://www.baidu.com/cache/user/html/v3Jump.html
charset: UTF-8
token: c82bc1b17932b83ece6071ef63bde672
tpl: mn
subpro:
apiver: v3
tt: 1577099446030
codestring:
safeflg: 0
u: https://www.baidu.com/
isPhone:
detect: 1
gid: 0ECFF34-38E3-4022-8C51-D2BE781194FE
quick_user: 0
logintype: dialogLogin
logLoginType: pc_loginDialog
idc:
loginmerge: true
mkey:
splogin: rate
username: qqq
password: g2mumKU9dd1rhslescikg9Ibzc/VucPlbGYmQw2RmL6lGprvtUVAkguPGRjvMGvBSU78JuUWx4hqRdQ2a8+Xz0jmqbOcNSemAFtd7wwncWQzZJevX6g9ThGAas+2whX3iR932Z6P3Y/GlPT0e2Hnj45f73A9+CGJdKvSzHYgLv0=
rsakey: VSRO1TEidxrJdzdSrCT2TpXCP0ftlnNQ
crypttype: 12
ppui_logintime: 17315
countrycode:
fp_uid:
fp_info:
loginversion: v4
supportdv: 1
ds: tSqy9NaZEbjzrmCbS5/KQeXKwf8tf1GBdUsaHYFV9bwGIP01GPbtCH6tg9pSS+og1xQwA8eWE2kGJWtD6ceFqPtPlPPpYDM9Fg7nfrOCIlB6vnNb+8jXCJImA4OYnNfusER2gytokZcH260E4lJmKGLWyma9m8Axde2pR8CvRpoojpyEOKtQRE3Rn6SXZY9vSbVN8EQQfNBVv11Y1z7GLdPEO0eJKCxcoxBA6ssSoUIAUmJvcHbHLeHQDHZg6QwgIL9PRB4Zw2OwI1WrmZ0u3KEb1fxKbtats8FXI1CIny86LH+kUlPzAs54oEh6Uj41PbJI7ce3ZLQ7naSNXPTa6Xdl47ni/3uqCqB5cJ8ewtjBn5u956AXeUHHXnfGucyFs99oT2jVUlvtN2Q5Izj0UP/hgi5B9wUS2DFaZeNcKf+MQahSMmzi/I6uIbpG2wc0yqRqCOzY70tMBcsUQDmCd+Xjv7bB9HTsQqQ2+LlrCxO/zBsXQ4PwIgCnbdRfeoFIspNj58nmNRbgtP+R5+bL94M2ba3fzhghbi2srJc+4W1aD0ck6NlorcWdXKpTKyIHglAD8uwr5UpEvwiUcMWQ2T5MMml0BJmxzD/kvRaHGROEYQzdjnMI1lxos7QqVa9UUVsmkh6UPEDr3BwGbgXJMuswHpXtHxXAiT3KCX0LVOxfQajo6CGZEjbIrZAH7Ej6rNq7+H+Rm4D4dVMi3z/+UpkzUlzouvZsL6IJOVrQ/ca/dqtiJl1Tae3+LZhRzTunIRu2c75wthhGZG8euUI/4UIuv28CgmpX92QYjXZfDidG2J6gryalERkYiMzd9WJ0ptYtZnKr9MI+Y8fZViQ8MLI1J+3/+1B9NhnHnYDOenbwpHuEPv+w5jM0KklIYiaQJbFuQV+Oo3xV9KyYLmjU78xwcxbUMtjfRw/owJjaYxsA3eSs8wjMdkxUQ3U2edt55SgYInDR71uG6/h/bF042r1ECXgZsqhj3qvKPtcfY5OoZ6tZO8bREeWRAuEczijyFtwvcOioJb7iBGjQWQZ46wP0LgNT1PGTAoo8q0Tft450tVV+pQaMVRRvaEJ0S3ck2jRUG3KtaOs3XEYf8wkDHAUr2SvLSm6FxVwyuqDdM2GkgXcd6yVc8xHZAC9YAPLdJ6mLBW3UCEI3hYuUYyK470Pf/eAnokzmQd+nwbDR5norhC83pwvzewDOYStwM7sMF7LKKtoIxnjzt68B1fWhag==
tk: 1871qFi5zy2TXXUrpwLOJDtvMTRgxHGKmpv+K4993qY29lSiFVr5q6tiHKXkLJuL0dP8hj/YcUGwDbPdM2zBCJLegw==
dv: tk0.7316092452598511577099428986@oon0C~CktKrmbHuHzsHMpA8aeuHah7rIh78U4jO8vCFLa50ktdr3Mj7kQb0kqK4tpCEavhI4e7HpAu8jtd8aeaG~4xIJpgO6dbrkudCsd-r6dd0pEhIMP6uHa78ahIHplbrpe7P8A5GMz1DLHKrIqaAk5lCktKrmbHuHzsHMpA8aeuHah7rIh78Uh1GUAUDUvM0ktbrItU7kQb0kqK4tpCEavhI4e7HpAu8jtd8aedF8AjP~exOmdbrIujrVd_vn0svr3Fw0ku-AxdUCIHK7krxr6djCIGKrIQzC6bHuHzsHMpA8aeuHah7rIh78UAaFJaTPsdarjqKr3Gb0k2jrIFK4tpCEavhI4e7HpAu8jtd8aeJDUvg7kHjrNdwrIMKr3QUrxbHuHzsHMpA8aeuHah7rIh78~OfGJalAkGd0krUrxdarjt~0pEhIMP6uHa78ahIHplbrpe7OJexD8d_~rrBzrxMmoqShxngr6dx0kG-InhPnKd03GjrIFdCI2wAI2aCIQarItaAjGdCIMwr3QzCkF_gnhBsEwGsrc0xeUPUGiFJpTOsHiF~eg0xbaDJE5OJ5iOLu_unermdd0kGxCmdUrkFKrIHjANd-A3uKrIHjANdbAIr~0kQxAq__
traceid: 39C19501
callback: parent.bd__pcbs__8sxpnd
time: 1577099446
alg: v3
sig: bUFxNFJHdW03NUowQU9jTWlqdTBHSk9Gc1MwWml1OGxidHpsVElTT3czU2VJR2toU3RiRWNOYnRrWFhtOG5ieA==
elapsed: 5
shaOne: 00867cbbc4abc8a9c8d56fc54c36ea99431e7827
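In other words, if we can construct this data and POST it to the endpoint, the login succeeds.
A quick comparison in bc brings them out (no screenshot):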
token:
tt:
gid
rsakey:
ppui_logintime:
ds:
tk:
dv:
traceid:
callback:
time:
sig:
elapsed:
shaOne:
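Search the Network panel first to see whether each value can be found directly; if not, search the JS source under Sources.
Searching for token and for the token value easily turns up this URL: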
https://passport.baidu.com/v2/api/?getapi&token=&tpl=mn&subpro=&apiver=v3&tt=1577170546700&class=login&gid=0DEFF80-6895-46DE-A028-6EB29DA35852&loginversion=v4&logintype=dialogLogin&traceid=&time=1577170547&alg=v3&sig=RlFUT2lkTXdCOUtVZCszd041ZW9TZzZzeFAvSndFSlIra1FSTWY0MTdmZHoxd0lpcHp4ZS9xbS9FU05GTWxieQ%3D%3D&elapsed=27&shaOne=0019de86fc4ab8a5f63fffa7f1ba0106c42ec103&callback=bd__cbs__kjmkmm
The response is JSON, and the token is in it:
bd__cbs__kjmkmm({
"errInfo": {
"no": "0"
},
"data": {
"rememberedUserName": "",
"codeString": "",
"token": "a11b52f4eb13bfdd9c0aafb327ea2ae7",
"cookie": "1",
"usernametype": "",
"spLogin": "rate",
"disable": "",
"loginrecord": {
'email': [],
'phone': []
}
},
"traceid": ""
})
But that raises the next problem: we have to construct a URL for this GET request as well. Layers within layers.
url= https://passport.baidu.com/v2/api/
Again, look at the request parameters:
getapi:
token:
tpl: mn
subpro:
apiver: v3
tt: 1577170546700
class: login
gid: 0DEFF80-6895-46DE-A028-6EB29DA35852
loginversion: v4
logintype: dialogLogin
traceid:
time: 1577170547
alg: v3
sig: RlFUT2lkTXdCOUtVZCszd041ZW9TZzZzeFAvSndFSlIra1FSTWY0MTdmZHoxd0lpcHp4ZS9xbS9FU05GTWxieQ==
elapsed: 27
shaOne: 0019de86fc4ab8a5f63fffa7f1ba0106c42ec103
callback: bd__cbs__kjmkmm
tt:
gid:
time:
elapsed:
shaOne:
callback:
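This is obviously a timestamp: (new Date).getTime() returns the number of milliseconds since January 1, 1970. Given enough time, searching for tt in the Sources panel will eventually find it.
There is nothing useful in the Network panel, so search Sources: it is in the file loginv4_19d79ee.js. gid appears many times there, but every use ends up calling guideRandom. Searching for that finds the function definition: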
function() {
return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {
var t = 16 * Math.random() | 0
, n = "x" === e ? t : 3 & t | 8;
return n.toString(16)
}).toUpperCase()
}
This looks like the timestamp divided by 1000.
A search finds it in static/waplib/moonshad.js:
for (n = i = (new Date)[_0x19c3("0x95")](); "00" !== (i = f(u(i)))[_0x19c3("0x14")]()[_0x19c3("0x20")](0, 2); )
;
t = {
time: r.time,
alg: r[_0x19c3("0x92")],
sig: o[_0x19c3("0x9b")](r, c, _),
elapsed: (new Date)[_0x19c3("0x95")]() - n || "",
shaOne: i
}
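This is a bit complicated; shaOne, alg, sig and the time from above all seem to be here too. Time for dynamic debugging. First, translate the obfuscated names: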
_0x19c3("0x95") gettime
_0x19c3("0x14") toString
_0x19c3("0x20") substr
_0x19c3("0x92") alg
_0x19c3("0x9b") "encryption"
for (n = i = (new Date).getTime(); "00" !== (i = f(u(i))).toString().substr(0, 2); );
t = {
time: r.time, //Math['round']((new Date).getTime() / 1e3),
alg: r['alg'],
sig: o["encryption"](r, c, _),
elapsed: (new Date).getTime() - n || "",
shaOne: i
}
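The name table above can also be rebuilt without running the script. The following is an added example, not part of the original wiki page: it replays the rotation of the `_0xe7d2` string array statically and rewrites the `_0x19c3("0x..")` lookups in the moonshad.js snippet shown earlier. The string table and the seed 421 are copied from the code on this page; the function names (`rotation_count`, `rotate_left`, `resolve`, `deobfuscate`) are my own.

```python
import json
import re

# String table copied from the _0xe7d2 array on this page, in its original order.
RAW_TABLE = """
words,sigBytes,length,stringify,ceil,slice,random,enc,Hex,join,substr,push,
fromCharCode,charCodeAt,Utf8,Malformed UTF-8 data,parse,BufferedBlockAlgorithm,
_data,_nDataBytes,concat,blockSize,max,_minBufferSize,min,_doProcessBlock,splice,
clone,Hasher,cfg,reset,_append,_doFinalize,finalize,HMAC,algo,Cipher,WordArray,
EvpKDF,_ENC_XFORM_MODE,_DEC_XFORM_MODE,_xformMode,_key,_doReset,_process,encrypt,
decrypt,flush,mode,BlockCipherMode,Encryptor,Decryptor,_cipher,_iv,CBC,
encryptBlock,_prevBlock,pad,Pkcs7,BlockCipher,createEncryptor,createDecryptor,
_mode,__creator,unpad,CipherParams,formatter,format,ciphertext,_parse,kdf,OpenSSL,
PasswordBasedCipher,ivSize,key,execute,keySize,salt,MD5,hasher,update,compute,
Base64,_map,clamp,_reverseMap,charAt,indexOf,
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=,abs,sin,_hash,
floor,HmacMD5,_createHmacHelper,Word,high,low,SHA1,_createHelper,HmacSHA1,_iKey,
_hasher,_oKey,0123456789abcdef,sqrt,SHA256,HmacSHA256,x64,toX32,SHA512,HmacSHA512,
moonshad5moonsh2,moonshad3moonsh0,moonshad8moonsh6,moonshad0moonsh1,
moonshad1moonsh9,OOOO0O,O0000O,O00O0O,OO0OOO,screen,width,height,alg,version,
round,getTime,sig,traceid,callback,elapsed,shaOne,encryption,sort,split,substring,
ECB,byteOffset,byteLength,Utf16BE,Utf16LE,Utf16,SHA224,SHA384,HmacSHA384,SHA3,
_state,outputLength,HmacSHA3,RIPEMD160,HmacRIPEMD160,iterations,PBKDF2,CFB,CTR,
_counter,OFB,_keystream,decryptBlock,AnsiX923,Ansix923,Iso10126,Iso97971,
ZeroPadding,NoPadding,AES,_nRounds,_keyPriorReset,_keySchedule,_invKeySchedule,
_doCryptBlock,DES,_subKeys,_invSubKeys,_lBlock,_rBlock,TripleDES,_des2,_des3,
_des1,StreamCipher,RC4,drop,RC4Drop,Rabbit,RabbitLegacy,location,protocol,
//nsclick.baidu.com/v.gif?,pid=111&type=1023&v=,&data_source=fe,&extrajson=,
&monitorType=moonshadErrors,{eventType:na-moonshad-error},&auto_en=na-monitor,
onload,onerror,src,exports,defineProperty,undefined,toStringTag,Module,
__esModule,object,create,default,string,bind,prototype,hasOwnProperty,call,lib,
Base,mixIn,init,$super,apply,toString,extend
"""
STRING_TABLE = [entry.strip() for entry in RAW_TABLE.split(",")]

ROTATION_SEED = 421  # argument of the self-invoking rotation function on the page


def rotation_count(seed):
    # `for (; --x; ) c.push(c.shift())` pre-decrements, so the body runs seed - 1 times.
    return seed - 1


def rotate_left(table, shifts):
    # Same effect as `shifts` push(shift()) steps, computed without running the script.
    k = shifts % len(table)
    return table[k:] + table[:k]


TABLE = rotate_left(STRING_TABLE, rotation_count(ROTATION_SEED))

# obj[_0x19c3("0x..")] (member access) and a bare _0x19c3("0x..") (string value).
MEMBER_RE = re.compile(r'\[\s*_0x19c3\(\s*(["\'])(0x[0-9a-fA-F]+)\1\s*\)\s*\]')
CALL_RE = re.compile(r'_0x19c3\(\s*(["\'])(0x[0-9a-fA-F]+)\1\s*\)')
IDENT_RE = re.compile(r'[A-Za-z_$][A-Za-z0-9_$]*\Z')


def resolve(table, hex_index):
    # The accessor is `_0xe7d2[x -= 0]`; `-= 0` coerces the "0x.." string to a number.
    return table[int(hex_index, 16)]


def deobfuscate(source, table=TABLE):
    """Rewrite table lookups to plain names; out-of-range indexes are left untouched."""
    def as_member(m):
        index = int(m.group(2), 16)
        if index >= len(table):
            return m.group(0)
        name = table[index]
        return "." + name if IDENT_RE.match(name) else "[" + json.dumps(name) + "]"

    def as_literal(m):
        index = int(m.group(2), 16)
        return m.group(0) if index >= len(table) else json.dumps(table[index])

    return CALL_RE.sub(as_literal, MEMBER_RE.sub(as_member, source))


# Snippet copied from the moonshad.js excerpt on this page.
SAMPLE = '''for (n = i = (new Date)[_0x19c3("0x95")](); "00" !== (i = f(u(i)))[_0x19c3("0x14")]()[_0x19c3("0x20")](0, 2); )
    ;
t = {
    time: r.time,
    alg: r[_0x19c3("0x92")],
    sig: o[_0x19c3("0x9b")](r, c, _),
    elapsed: (new Date)[_0x19c3("0x95")]() - n || "",
    shaOne: i
}'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Because the table has 221 entries, the 420 rotations amount to a shift of 199 places, which is why index 0x95 lands on getTime.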
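The initial value of n is the timestamp, and elapsed is the current timestamp minus that initial timestamp. i takes the value f(u(i)) until it starts with "00"; that value is shaOne. Now look at the code behind f(u(i)); lifting the code for f(u(i)) directly also works: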
var _0xe7d2 = ["words", "sigBytes", "length", "stringify", "ceil", "slice", "random", "enc", "Hex", "join", "substr", "push", "fromCharCode", "charCodeAt", "Utf8", "Malformed UTF-8 data", "parse", "BufferedBlockAlgorithm", "_data", "_nDataBytes", "concat", "blockSize", "max", "_minBufferSize", "min", "_doProcessBlock", "splice", "clone", "Hasher", "cfg", "reset", "_append", "_doFinalize", "finalize", "HMAC", "algo", "Cipher", "WordArray", "EvpKDF", "_ENC_XFORM_MODE", "_DEC_XFORM_MODE", "_xformMode", "_key", "_doReset", "_process", "encrypt", "decrypt", "flush", "mode", "BlockCipherMode", "Encryptor", "Decryptor", "_cipher", "_iv", "CBC", "encryptBlock", "_prevBlock", "pad", "Pkcs7", "BlockCipher", "createEncryptor", "createDecryptor", "_mode", "__creator", "unpad", "CipherParams", "formatter", "format", "ciphertext", "_parse", "kdf", "OpenSSL", "PasswordBasedCipher", "ivSize", "key", "execute", "keySize", "salt", "MD5", "hasher", "update", "compute", "Base64", "_map", "clamp", "_reverseMap", "charAt", "indexOf", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "abs", "sin", "_hash", "floor", "HmacMD5", "_createHmacHelper", "Word", "high", "low", "SHA1", "_createHelper", "HmacSHA1", "_iKey", "_hasher", "_oKey", "0123456789abcdef", "sqrt", "SHA256", "HmacSHA256", "x64", "toX32", "SHA512", "HmacSHA512", "moonshad5moonsh2", "moonshad3moonsh0", "moonshad8moonsh6", "moonshad0moonsh1", "moonshad1moonsh9", "OOOO0O", "O0000O", "O00O0O", "OO0OOO", "screen", "width", "height", "alg", "version", "round", "getTime", "sig", "traceid", "callback", "elapsed", "shaOne", "encryption", "sort", "split", "substring", "ECB", "byteOffset", "byteLength", "Utf16BE", "Utf16LE", "Utf16", "SHA224", "SHA384", "HmacSHA384", "SHA3", "_state", "outputLength", "HmacSHA3", "RIPEMD160", "HmacRIPEMD160", "iterations", "PBKDF2", "CFB", "CTR", "_counter", "OFB", "_keystream", "decryptBlock", "AnsiX923", "Ansix923", "Iso10126", "Iso97971", "ZeroPadding", "NoPadding", "AES", 
"_nRounds", "_keyPriorReset", "_keySchedule", "_invKeySchedule", "_doCryptBlock", "DES", "_subKeys", "_invSubKeys", "_lBlock", "_rBlock", "TripleDES", "_des2", "_des3", "_des1", "StreamCipher", "RC4", "drop", "RC4Drop", "Rabbit", "RabbitLegacy", "location", "protocol", "//nsclick.baidu.com/v.gif?", "pid=111&type=1023&v=", "&data_source=fe", "&extrajson=", "&monitorType=moonshadErrors", "{eventType:na-moonshad-error}", "&auto_en=na-monitor", "onload", "onerror", "src", "exports", "defineProperty", "undefined", "toStringTag", "Module", "__esModule", "object", "create", "default", "string", "bind", "prototype", "hasOwnProperty", "call", "lib", "Base", "mixIn", "init", "$super", "apply", "toString", "extend"];
!function(c) {
!function(x) {
for (; --x; )
c.push(c.shift())
}(421)
}(_0xe7d2);
var _0x19c3 = function(x, c) {
return _0xe7d2[x -= 0]
};
function pppp(x, c) {
var i = 0;
function _(x) {
return function r(x) {
for (var c = i ? "0123456789ABCDEF" : "0123456789abcdef", _ = "", t = 0; t < 4 * x[_0x19c3("0x18")]; t++)
_ += c[_0x19c3("0x6c")](x[t >> 2] >> 8 * (3 - t % 4) + 4 & 15) + c[_0x19c3("0x6c")](x[t >> 2] >> 8 * (3 - t % 4) & 15);
return _
}(function p(x) {
for (var c = x, _ = Array(80), t = 1732584193, r = -271733879, n = -1732584194, i = 271733878, e = -1009589776, o = 0; o < c[_0x19c3("0x18")]; o += 16) {
for (var a = t, s = r, f = n, u = i, h = e, v = 0; v < 80; v++) {
_[v] = v < 16 ? c[o + v] : g(_[v - 3] ^ _[v - 8] ^ _[v - 14] ^ _[v - 16], 1);
var d = y(y(g(t, 5), b(v, r, n, i)), y(y(e, _[v]), (l = v) < 20 ? 1518500249 : l < 40 ? 1859775393 : l < 60 ? -1894007588 : -899497514));
e = i,
i = n,
n = g(r, 30),
r = t,
t = d
}
t = y(t, a),
r = y(r, s),
n = y(n, f),
i = y(i, u),
e = y(e, h)
}
var l;
return new Array(t,r,n,i,e)
}(function n(x) {
for (var c = 1 + (x.length + 8 >> 6), _ = new Array(16 * c), t = 0; t < 16 * c; t++)
_[t] = 0;
for (t = 0; t < x[_0x19c3("0x18")]; t++)
_[t >> 2] |= x[_0x19c3("0x23")](t) << 24 - 8 * (3 & t);
return _[t >> 2] |= 128 << 24 - 8 * (3 & t),
_[16 * c - 1] = 8 * x[_0x19c3("0x18")],
_
}(x)))
}
function b(x, c, _, t) {
return x < 20 ? c & _ | ~c & t : x < 40 ? c ^ _ ^ t : x < 60 ? c & _ | c & t | _ & t : c ^ _ ^ t
}
function y(x, c) {
var _ = (65535 & x) + (65535 & c);
return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
}
function g(x, c) {
return x << c | x >>> 32 - c
}
x[_0x19c3("0x0")] = _
console.log('ppppp',x);
console.log('ppppp',_(x));
}
function a(x, c) {
function f(x, c) {
var _ = (65535 & x) + (65535 & c);
return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
}
function e(x, c, _, t, r, n) {
return f(function i(x, c) {
return x << c | x >>> 32 - c
}(f(f(c, x), f(t, n)), r), _)
}
function u(x, c, _, t, r, n, i) {
return e(c & _ | ~c & t, x, c, r, n, i)
}
function h(x, c, _, t, r, n, i) {
return e(c & t | _ & ~t, x, c, r, n, i)
}
function v(x, c, _, t, r, n, i) {
return e(c ^ _ ^ t, x, c, r, n, i)
}
function d(x, c, _, t, r, n, i) {
return e(_ ^ (c | ~t), x, c, r, n, i)
}
function o(x, c) {
x[c >> 5] |= 128 << c % 32,
x[14 + (c + 64 >>> 9 << 4)] = c;
var _, t, r, n, i, e = 1732584193, o = -271733879, a = -1732584194, s = 271733878;
for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 16)
o = d(o = d(o = d(o = d(o = v(o = v(o = v(o = v(o = h(o = h(o = h(o = h(o = u(o = u(o = u(o = u(r = o, a = u(n = a, s = u(i = s, e = u(t = e, o, a, s, x[_], 7, -680876936), o, a, x[_ + 1], 12, -389564586), e, o, x[_ + 2], 17, 606105819), s, e, x[_ + 3], 22, -1044525330), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 4], 7, -176418897), o, a, x[_ + 5], 12, 1200080426), e, o, x[_ + 6], 17, -1473231341), s, e, x[_ + 7], 22, -45705983), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 8], 7, 1770035416), o, a, x[_ + 9], 12, -1958414417), e, o, x[_ + 10], 17, -42063), s, e, x[_ + 11], 22, -1990404162), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 12], 7, 1804603682), o, a, x[_ + 13], 12, -40341101), e, o, x[_ + 14], 17, -1502002290), s, e, x[_ + 15], 22, 1236535329), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 1], 5, -165796510), o, a, x[_ + 6], 9, -1069501632), e, o, x[_ + 11], 14, 643717713), s, e, x[_], 20, -373897302), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 5], 5, -701558691), o, a, x[_ + 10], 9, 38016083), e, o, x[_ + 15], 14, -660478335), s, e, x[_ + 4], 20, -405537848), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 9], 5, 568446438), o, a, x[_ + 14], 9, -1019803690), e, o, x[_ + 3], 14, -187363961), s, e, x[_ + 8], 20, 1163531501), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 13], 5, -1444681467), o, a, x[_ + 2], 9, -51403784), e, o, x[_ + 7], 14, 1735328473), s, e, x[_ + 12], 20, -1926607734), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 5], 4, -378558), o, a, x[_ + 8], 11, -2022574463), e, o, x[_ + 11], 16, 1839030562), s, e, x[_ + 14], 23, -35309556), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 1], 4, -1530992060), o, a, x[_ + 4], 11, 1272893353), e, o, x[_ + 7], 16, -155497632), s, e, x[_ + 10], 23, -1094730640), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 13], 4, 681279174), o, a, x[_], 11, -358537222), e, o, x[_ + 3], 16, -722521979), s, e, x[_ + 6], 23, 76029189), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 9], 4, -640364487), o, a, x[_ + 12], 11, -421815835), e, o, x[_ + 15], 16, 
530742520), s, e, x[_ + 2], 23, -995338651), a = d(a, s = d(s, e = d(e, o, a, s, x[_], 6, -198630844), o, a, x[_ + 7], 10, 1126891415), e, o, x[_ + 14], 15, -1416354905), s, e, x[_ + 5], 21, -57434055), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 12], 6, 1700485571), o, a, x[_ + 3], 10, -1894986606), e, o, x[_ + 10], 15, -1051523), s, e, x[_ + 1], 21, -2054922799), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 8], 6, 1873313359), o, a, x[_ + 15], 10, -30611744), e, o, x[_ + 6], 15, -1560198380), s, e, x[_ + 13], 21, 1309151649), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 4], 6, -145523070), o, a, x[_ + 11], 10, -1120210379), e, o, x[_ + 2], 15, 718787259), s, e, x[_ + 9], 21, -343485551),
e = f(e, t),
o = f(o, r),
a = f(a, n),
s = f(s, i);
return [e, o, a, s]
}
function a(x) {
var c, _ = "";
for (c = 0; c < 32 * x[_0x19c3("0x18")]; c += 8)
_ += String[_0x19c3("0x22")](x[c >> 5] >>> c % 32 & 255);
return _
}
function s(x) {
var c, _ = [];
for (_[(x[_0x19c3("0x18")] >> 2) - 1] = undefined,
c = 0; c < _.length; c += 1)
_[c] = 0;
for (c = 0; c < 8 * x[_0x19c3("0x18")]; c += 8)
_[c >> 5] |= (255 & x[_0x19c3("0x23")](c / 8)) << c % 32;
return _
}
function n(x) {
var c, _, t = _0x19c3("0x7e"), r = "";
for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 1)
c = x[_0x19c3("0x23")](_),
r += t.charAt(c >>> 4 & 15) + t.charAt(15 & c);
return r
}
function _(x) {
return unescape(encodeURIComponent(x))
}
function i(x) {
return function c(x) {
return a(o(s(x), 8 * x.length))
}(_(x))
}
function l(x, c) {
return function e(x, c) {
var _, t, r = s(x), n = [], i = [];
for (n[15] = i[15] = undefined,
16 < r.length && (r = o(r, 8 * x[_0x19c3("0x18")])),
_ = 0; _ < 16; _ += 1)
n[_] = 909522486 ^ r[_],
i[_] = 1549556828 ^ r[_];
return t = o(n[_0x19c3("0x2a")](s(c)), 512 + 8 * c[_0x19c3("0x18")]),
a(o(i[_0x19c3("0x2a")](t), 640))
}(_(x), _(c))
}
function p(x, c, _) {
return c ? _ ? l(c, x) : function t(x, c) {
return n(l(x, c))
}(c, x) : _ ? i(x) : function r(x) {
return n(i(x))
}(x)
}
console.log('当前域名配置',x[_0x19c3("0x0")]);
b= (new Date).getTime()
b=1577180869309
console.log('当前域名配置',p(b));
return p(b)
}
uuuu= a(2)
pppp(uuuu)
//for(n=i=(new Date).getTime();i= f(u(i)).toString().substr(0,2) !="00";)
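The code lifted above runs as is. On a closer look, the u function is MD5 and the f function is SHA-1, so there is no need to lift the code; it can be done directly in Python.
Then there is sig. This one is more complicated and involves encryption. Never mind, just bring the code in directly. The code of o["encryption"](r, c, _) looks roughly like this; the key functions are r, n and i: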
encryption:function(x, c, _) {
var t = r(x, c);
return i(n(t, _))
}
This is an encryption function:
var _0xe7d2 = ["words", "sigBytes", "length", "stringify", "ceil", "slice", "random", "enc", "Hex", "join", "substr", "push", "fromCharCode", "charCodeAt", "Utf8", "Malformed UTF-8 data", "parse", "BufferedBlockAlgorithm", "_data", "_nDataBytes", "concat", "blockSize", "max", "_minBufferSize", "min", "_doProcessBlock", "splice", "clone", "Hasher", "cfg", "reset", "_append", "_doFinalize", "finalize", "HMAC", "algo", "Cipher", "WordArray", "EvpKDF", "_ENC_XFORM_MODE", "_DEC_XFORM_MODE", "_xformMode", "_key", "_doReset", "_process", "encrypt", "decrypt", "flush", "mode", "BlockCipherMode", "Encryptor", "Decryptor", "_cipher", "_iv", "CBC", "encryptBlock", "_prevBlock", "pad", "Pkcs7", "BlockCipher", "createEncryptor", "createDecryptor", "_mode", "__creator", "unpad", "CipherParams", "formatter", "format", "ciphertext", "_parse", "kdf", "OpenSSL", "PasswordBasedCipher", "ivSize", "key", "execute", "keySize", "salt", "MD5", "hasher", "update", "compute", "Base64", "_map", "clamp", "_reverseMap", "charAt", "indexOf", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "abs", "sin", "_hash", "floor", "HmacMD5", "_createHmacHelper", "Word", "high", "low", "SHA1", "_createHelper", "HmacSHA1", "_iKey", "_hasher", "_oKey", "0123456789abcdef", "sqrt", "SHA256", "HmacSHA256", "x64", "toX32", "SHA512", "HmacSHA512", "moonshad5moonsh2", "moonshad3moonsh0", "moonshad8moonsh6", "moonshad0moonsh1", "moonshad1moonsh9", "OOOO0O", "O0000O", "O00O0O", "OO0OOO", "screen", "width", "height", "alg", "version", "round", "getTime", "sig", "traceid", "callback", "elapsed", "shaOne", "encryption", "sort", "split", "substring", "ECB", "byteOffset", "byteLength", "Utf16BE", "Utf16LE", "Utf16", "SHA224", "SHA384", "HmacSHA384", "SHA3", "_state", "outputLength", "HmacSHA3", "RIPEMD160", "HmacRIPEMD160", "iterations", "PBKDF2", "CFB", "CTR", "_counter", "OFB", "_keystream", "decryptBlock", "AnsiX923", "Ansix923", "Iso10126", "Iso97971", "ZeroPadding", "NoPadding", "AES", 
"_nRounds", "_keyPriorReset", "_keySchedule", "_invKeySchedule", "_doCryptBlock", "DES", "_subKeys", "_invSubKeys", "_lBlock", "_rBlock", "TripleDES", "_des2", "_des3", "_des1", "StreamCipher", "RC4", "drop", "RC4Drop", "Rabbit", "RabbitLegacy", "location", "protocol", "//nsclick.baidu.com/v.gif?", "pid=111&type=1023&v=", "&data_source=fe", "&extrajson=", "&monitorType=moonshadErrors", "{eventType:na-moonshad-error}", "&auto_en=na-monitor", "onload", "onerror", "src", "exports", "defineProperty", "undefined", "toStringTag", "Module", "__esModule", "object", "create", "default", "string", "bind", "prototype", "hasOwnProperty", "call", "lib", "Base", "mixIn", "init", "$super", "apply", "toString", "extend"];
!function(c) {
!function(x) {
for (; --x; )
c.push(c.shift())
}(421)
}(_0xe7d2);
var _0x19c3 = function(x, c) {
return _0xe7d2[x -= 0]
};
function fun_8(x, c) {
function f(x, c) {
var _ = (65535 & x) + (65535 & c);
return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
}
function e(x, c, _, t, r, n) {
return f(function i(x, c) {
return x << c | x >>> 32 - c
}(f(f(c, x), f(t, n)), r), _)
}
function u(x, c, _, t, r, n, i) {
return e(c & _ | ~c & t, x, c, r, n, i)
}
function h(x, c, _, t, r, n, i) {
return e(c & t | _ & ~t, x, c, r, n, i)
}
function v(x, c, _, t, r, n, i) {
return e(c ^ _ ^ t, x, c, r, n, i)
}
function d(x, c, _, t, r, n, i) {
return e(_ ^ (c | ~t), x, c, r, n, i)
}
function o(x, c) {
x[c >> 5] |= 128 << c % 32,
x[14 + (c + 64 >>> 9 << 4)] = c;
var _, t, r, n, i, e = 1732584193, o = -271733879, a = -1732584194, s = 271733878;
for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 16)
o = d(o = d(o = d(o = d(o = v(o = v(o = v(o = v(o = h(o = h(o = h(o = h(o = u(o = u(o = u(o = u(r = o, a = u(n = a, s = u(i = s, e = u(t = e, o, a, s, x[_], 7, -680876936), o, a, x[_ + 1], 12, -389564586), e, o, x[_ + 2], 17, 606105819), s, e, x[_ + 3], 22, -1044525330), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 4], 7, -176418897), o, a, x[_ + 5], 12, 1200080426), e, o, x[_ + 6], 17, -1473231341), s, e, x[_ + 7], 22, -45705983), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 8], 7, 1770035416), o, a, x[_ + 9], 12, -1958414417), e, o, x[_ + 10], 17, -42063), s, e, x[_ + 11], 22, -1990404162), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 12], 7, 1804603682), o, a, x[_ + 13], 12, -40341101), e, o, x[_ + 14], 17, -1502002290), s, e, x[_ + 15], 22, 1236535329), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 1], 5, -165796510), o, a, x[_ + 6], 9, -1069501632), e, o, x[_ + 11], 14, 643717713), s, e, x[_], 20, -373897302), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 5], 5, -701558691), o, a, x[_ + 10], 9, 38016083), e, o, x[_ + 15], 14, -660478335), s, e, x[_ + 4], 20, -405537848), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 9], 5, 568446438), o, a, x[_ + 14], 9, -1019803690), e, o, x[_ + 3], 14, -187363961), s, e, x[_ + 8], 20, 1163531501), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 13], 5, -1444681467), o, a, x[_ + 2], 9, -51403784), e, o, x[_ + 7], 14, 1735328473), s, e, x[_ + 12], 20, -1926607734), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 5], 4, -378558), o, a, x[_ + 8], 11, -2022574463), e, o, x[_ + 11], 16, 1839030562), s, e, x[_ + 14], 23, -35309556), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 1], 4, -1530992060), o, a, x[_ + 4], 11, 1272893353), e, o, x[_ + 7], 16, -155497632), s, e, x[_ + 10], 23, -1094730640), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 13], 4, 681279174), o, a, x[_], 11, -358537222), e, o, x[_ + 3], 16, -722521979), s, e, x[_ + 6], 23, 76029189), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 9], 4, -640364487), o, a, x[_ + 12], 11, -421815835), e, o, x[_ + 15], 16, 
530742520), s, e, x[_ + 2], 23, -995338651), a = d(a, s = d(s, e = d(e, o, a, s, x[_], 6, -198630844), o, a, x[_ + 7], 10, 1126891415), e, o, x[_ + 14], 15, -1416354905), s, e, x[_ + 5], 21, -57434055), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 12], 6, 1700485571), o, a, x[_ + 3], 10, -1894986606), e, o, x[_ + 10], 15, -1051523), s, e, x[_ + 1], 21, -2054922799), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 8], 6, 1873313359), o, a, x[_ + 15], 10, -30611744), e, o, x[_ + 6], 15, -1560198380), s, e, x[_ + 13], 21, 1309151649), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 4], 6, -145523070), o, a, x[_ + 11], 10, -1120210379), e, o, x[_ + 2], 15, 718787259), s, e, x[_ + 9], 21, -343485551),
e = f(e, t),
o = f(o, r),
a = f(a, n),
s = f(s, i);
return [e, o, a, s]
}
function a(x) {
var c, _ = "";
for (c = 0; c < 32 * x[_0x19c3("0x18")]; c += 8)
_ += String[_0x19c3("0x22")](x[c >> 5] >>> c % 32 & 255);
return _
}
function s(x) {
var c, _ = [];
for (_[(x[_0x19c3("0x18")] >> 2) - 1] = undefined,
c = 0; c < _.length; c += 1)
_[c] = 0;
for (c = 0; c < 8 * x[_0x19c3("0x18")]; c += 8)
_[c >> 5] |= (255 & x[_0x19c3("0x23")](c / 8)) << c % 32;
return _
}
function n(x) {
var c, _, t = _0x19c3("0x7e"), r = "";
for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 1)
c = x[_0x19c3("0x23")](_),
r += t.charAt(c >>> 4 & 15) + t.charAt(15 & c);
return r
}
function _(x) {
return unescape(encodeURIComponent(x))
}
function i(x) {
return function c(x) {
return a(o(s(x), 8 * x.length))
}(_(x))
}
function l(x, c) {
return function e(x, c) {
var _, t, r = s(x), n = [], i = [];
for (n[15] = i[15] = undefined,
16 < r.length && (r = o(r, 8 * x[_0x19c3("0x18")])),
_ = 0; _ < 16; _ += 1)
n[_] = 909522486 ^ r[_],
i[_] = 1549556828 ^ r[_];
return t = o(n[_0x19c3("0x2a")](s(c)), 512 + 8 * c[_0x19c3("0x18")]),
a(o(i[_0x19c3("0x2a")](t), 640))
}(_(x), _(c))
}
_8 = function p(x, c, _) {
return c ? _ ? l(c, x) : function t(x, c) {
return n(l(x, c))
}(c, x) : _ ? i(x) : function r(x) {
return n(i(x))
}(x)
}
}
function fun_14(x, c, _) {
var u = _8
, h = {
a: "3",
b: "4",
c: "5",
d: "9",
e: "8",
f: "7",
g: "1",
h: "2",
i: "6",
j: "0",
k: "a",
l: "b",
m: "c",
n: "d",
o: "e",
p: "f",
q: "g",
r: "z",
s: "y",
t: "x",
u: "w",
v: "v",
w: "u",
x: "o",
y: "p",
z: "q",
0: "s",
1: "t",
2: "r",
3: "h",
4: "i",
5: "j",
6: "k",
7: "l",
8: "m",
9: "n"
};
_14 = function(x, c) {
var _ = [];
for (var t in x)
x.hasOwnProperty(t) && _.push(t);
_[_0x19c3("0x9c")]();
for (var r = [], n = 0, i = _.length; n < i; n++) {
var e = _[n];
r[_0x19c3("0x21")](e + "=" + x[e])
}
var o = u(r.join("&"))
, a = ""
, s = (window[_0x19c3("0x8f")][_0x19c3("0x90")] + "" + window[_0x19c3("0x8f")].height)[_0x19c3("0x9d")]("");
for (n = 0; n < s[_0x19c3("0x18")]; n++)
a += h[s[n]];
return function f(x, c) {
var _, t = "", r = x[_0x19c3("0x9d")](""), n = c[_0x19c3("0x9d")]("");
if (r[_0x19c3("0x18")] >= n[_0x19c3("0x18")]) {
for (_ = 0; _ < n[_0x19c3("0x18")]; _++)
t += r[_] + n[_];
t += x[_0x19c3("0x9e")](_)
} else {
for (_ = 0; _ < r.length; _++)
t += r[_] + n[_];
t += c[_0x19c3("0x9e")](_)
}
return t
}(o, a)
}
}
x= {
"alg": "v3",
"apiver": "v3",
"class": "login",
"gid": "78352A1-5EE0-4F5C-B308-7E6A28882517",
"logintype": "dialogLogin",
"loginversion": "v4",
"subpro": "",
"time": 1577260418,
"token": "",
"tpl": "mn",
"tt": 1577260352645,
}
fun_8()
fun_14()
var t = _14(x);
console.log('当前域名配置',t);
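Never mind, I can't lift any more of it; the code above is the r function.
Looking closely, the r function uses MD5, and it also uses the window width and height to modify the MD5 string.
The n function is AES encryption, and the i function applied afterwards is Base64.
The key used for the AES encryption is the _ parameter: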
var t = r(x, c);
return i(n(t, _))
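The _ parameter is the key used for the AES encryption. This key changes over time, and all the OO00 identifiers make for painful reading.
e is bd__cbs__ in:
getUniqueId = function(e) { return e + Math.floor(2147483648 * Math.random()).toString(36) }
This callback is random; in fact a value can be used as is, and leaving it unchanged also works.
That takes care of everything for token. Here is some Python to test the token-fetching part, written straight through in order with no encapsulation: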
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
import hashlib
import time
import requests
import execjs
import json
import math
import random
def baseN(num, b):
    return ((num == 0) and "0") or (baseN(num // b, b).lstrip("0") + "0123456789abcdefghijklmnopqrstuvwxyz"[num % b])


# Get gid; the return value is a str
def getgid():
    """
    :return:
    """
    js = execjs.compile("""
        function gid(){
            return 'xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (e) {
                var t = 16 * Math.random() | 0,
                    n = 'x' == e ? t : 3 & t | 8;
                return n.toString(16)
            }).toUpperCase()
        }
    """)
    return js.call("gid")


data = {
"alg": "v3",
"apiver": "v3",
"class": "login",
"gid": "",
"logintype": "dialogLogin",
"loginversion": "v4",
"subpro": "",
"time": 1577270095,
"token": "",
"tpl": "mn",
"tt": 1577270095354,
}
data["gid"] = getgid()
print("gid", data["gid"])
data["tt"] = int(time.time() * 1000)
data["time"] = int(time.time())
# Compute shaOne and elapsed
n_time = int(time.time() * 1000)
while True:
    current = int(time.time() * 1000)
    md = hashlib.md5()
    md.update(str(current).encode('utf-8'))
    sha = hashlib.sha1()
    sha.update(md.hexdigest().encode('utf-8'))
    if sha.hexdigest()[0:2] == '00':
        break
# shaOne is the hash that starts with "00" (the value of i in the JS), not the timestamp
shaOne = sha.hexdigest()
print("shaOne", shaOne)
elapsed = int(time.time() * 1000) - n_time
print("elapsed", elapsed)
# ***************************************
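# Compute sig
# 1. Turn data into a string and compute its MD5; the MD5 string is then processed using the window width and height to form a new string (variable names follow the obfuscated JS names so they can be matched up)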
data2str = str(data)[1:-1].replace(':', '=').replace(',', '&').replace('\'', '').replace(' ', '')
print("data2str",data2str)
md5 = hashlib.md5()
md5.update(data2str.encode('utf-8'))
print("md5",md5.hexdigest())
# md5 = 'alg=v3&apiver=v3&class=login&gid=78352A1-5EE0-4F5C-B308-7E6A28882517&logintype=dialogLogin&loginversion=v4&subpro=&time=1577260418&token=&tpl=mn&tt=1577260352645'
r = x = md5.hexdigest()
s = ["1", "5", "3", "6", "8", "6", "4"]
h = {
"a": "3", "b": "4", "c": "5", "d": "9", "e": "8", "f": "7", "g": "1", "h": "2", "i": "6", "j": "0", "k": "a",
"l": "b",
"m": "c", "n": "d", "o": "e", "p": "f", "q": "g", "r": "z", "s": "y", "t": "x", "u": "w", "v": "v", "w": "u",
"x": "o",
"y": "p", "z": "q", "0": "s", "1": "t", "2": "r", "3": "h", "4": "i", "5": "j", "6": "k", "7": "l", "8": "m",
"9": "n"
}
a = ''
for i in range(len(s)):
    a += h[s[i]]
# a comes out as tjhkmki
t = ''
n = a
if (len(r) > len(n)):
    for _ in range(len(n)):
        t += r[_] + n[_]
    t += x[_ + 1:]
else:
    for _ in range(len(r)):
        t += r[_] + n[_]
    t += n[_ + 1:]
print("md5 to new str:",t)
# Done; t is the newly generated string
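# 2 Next, encrypt the newly generated string t with AES-128; mode is ECB, padding is PKCS7
# h maps key to value; the v parameter is the key and says which of h's values to take. h's value corresponds to a key of moonshadV3, and the value in moonshadV3 is the function.
# After conversion, h's value also corresponds to a key of t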
h = {"OOOOO0": "OOOO00", "O00000": "OOO00O", "O0O00O": "OOO000", "O000OO": "OOO0OO", "O0O000": "O0OOO0"}
trans = {
"OOOO00": "OOOO0O", "OOO00O": "O0000O", "OOO000": "O00O0O", "OOO0OO": "OO0OOO", "O0OOO0": "OO0O0O" }
t_dict = {
"O00O0O": "moonshad8moonsh6",
"O0000O": "moonshad3moonsh0",
"OO0O0O": "moonshad1moonsh9",
"OO0OOO": "moonshad0moonsh1",
"OOOO0O": "moonshad5moonsh2"
}
v = (int(time.time()) // 86400) % 5
b = list(h.keys())
# key is the AES encryption key
#key = 'moonshad5moonsh2'
key = t_dict[trans[h[b[v]]]]
print("aes key:",key)
# s = '1tcj2hbk7mbk7i55ed2c91a7027bbeea0e3dd3e'
s = t
aes = AES.new(key=key.encode("utf-8"), mode=AES.MODE_ECB)
s_pad = pad(s.encode('utf-8'), AES.block_size, style='pkcs7')
s_text = aes.encrypt(s_pad)
print("aes encrypt:",s_text, type(s_text))
# 3 Base64-encode the AES-encrypted string
base64_text = base64.encodebytes(s_text).replace(b'\n', b'')
sig = base64.encodebytes(base64_text).replace(b'\n', b'')
print("sig:",sig)
post_data = {
# "getapi":"" ,
"token": "",
"tpl": "mn",
"subpro": "",
"apiver": "v3",
"tt": "1577270095354",
"class": "login",
"gid": "0E2A49B-9083-40AA-9E55-C4855C751735",
"loginversion": "v4",
"logintype": "dialogLogin",
"traceid": "",
"time": "1577270095",
"alg": "v3",
"sig": "VUtmamUvKzdWRGpIUi9LRUY5b3VScGthaEszampKUDNlZlpTSWMzdUVGelVKbnFSVWRuOVkrZm1yWS9LQ0tXZw==",
"elapsed": "30",
"shaOne": "0030cb20e20293d942ae96d0f756fa7fdc40b390",
"callback": "bd__cbs__alo4yw"
}
post_data["gid"] = data["gid"]
post_data["time"] = data["time"]
post_data["tt"] = data["tt"]
rand = math.floor(2147483648 * random.random())
post_data["callback"] = 'bd__cbs__' + baseN(rand, 36)
post_data["elapsed"] = elapsed
post_data["shaOne"] = shaOne
post_data["sig"] = sig
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'}
session = requests.session()
request = session.get('https://www.baidu.com', headers=headers)
headers = {
'Referer': 'https://www.baidu.com/',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'}
request = session.get('https://passport.baidu.com/v2/api/?getapi', params=post_data, headers=headers,
allow_redirects=False)
print(request.url)
print(request.status_code)
request.encoding = request.apparent_encoding
#print(request.text)
text = request.text.split("(", 1)[1].rsplit(")",1)[0].replace("\'","\"")
#print(text)
res_data = json.loads(text) #dict
token = res_data["data"]["token"]
print(token)
timestamp
This is the same as for token above.
A search in the Network panel finds it right away:
https://passport.baidu.com/v2/getpublickey?
Response:
bd__cbs__ii2fve({
"errno": '0',
"msg": '',
"pubkey": '-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUgNsdqndDCdKfsf1rMd0zB6OT\n448Nh+O5x1xVInB\/7Hb4OoOMreTJe\/45X+RDyxHNt8WLOYl57MCjvTDAsjK+vvAw\nwG+GvX4Iy0\/WRWswYUCSHpcgm2Uv+pwpgnA5Q+MRFXGolcjZqd26pMWqxQCces3B\npBLRkKuyMZ+Qhs0A6wIDAQAB\n-----END PUBLIC KEY-----\n',
"key": 'RCKEYjwblMiriSRxnw60AYbT7aAZ7REK',
"traceid": ""
})
That key field is the one.
Next, construct the request parameters:
token: 08963795d8d87eede02e445936ea5aec
tpl: mn
subpro:
apiver: v3
tt: 1577182097629
gid: 04C5389-B2B7-480B-B12C-CEA5440344F1
loginversion: v4
traceid:
time: 1577182098
alg: v3
sig: ZGFleGhiMkdrbUsxSzBkNWsvdDhVV2pyazMzdHBKaDR1MGtva2dmWWl6Si9yUXNyOFBRYUpVQzVzK2lmMStHUA==
elapsed: 1
shaOne: 004736d0ea345a1ed60d72d06decd8b277e89763
callback: bd__cbs__ii2fve
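A look at these parameters shows they are all ones we have just obtained, so a single GET request yields rsakey.
There is nothing in the Network panel, but a search in Sources finds it right away: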
timeSpan: "ppui_logintime",
That turns up timeSpan; keep searching:
n.timeSpan = (new Date).getTime() - e.initTime
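Searching for initTime leads to _initApi, and searching for _initApi shows that it is tied to a click event.
Set a breakpoint directly in _initApi: execution stops there when the login button on the home page is clicked, so ppui_logintime is the time difference between clicking login and sending the login request.
https://passport.baidu.com/viewlog?ak=1e3f2dd1c81f2075171a547893391274&callback=jsonpCallbackA19216&v=10211&t=1577349087131
A single request to this URL returns tk and ds, and also the pplogid cookie; it looks like it can be requested directly.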
ak: 1e3f2dd1c81f2075171a547893391274
callback: jsonpCallbackA18383
v: 1797
t: 1577428128429
ak: 1e3f2dd1c81f2075171a547893391274
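Searching for this value finds it right away; it is a fixed value.
ak is a fixed value and t is a timestamp.
A quick search shows that these are in mkd.js.
callback is jsonpCallbackA plus a random number.
v is also a random number, generated by the same algorithm.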
function o() {
return Math.floor(1e4 * Math.random() + 500)
}
Searching for dv: quickly leads to window.LG_DV_ARG.dvjsInput. Searching further for LG_DV_ARG finds it in two files, and only g.min contains an assignment to it.
function c(n) {
var r = t.getElementById("dv_Input");
r && (r.value = n),
e.LG_DV_ARG.dvjsInput = n
}
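Set a breakpoint and walk up the call stack.
t is document, and it contains no dv_Input element, so n is the value that matters.
The caller is right above it.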
function d(e) {
M && (x = e.token + "@" + S(e, e.token),
(1 & F.SendMethod) > 0 && c(x))
}
x is the n that gets passed in: x = e.token + "@" + S(e, e.token)
function m(t) {
try {
if (F.RCKSEvent > 0 && G >= F.RCKSEvent)
return;
var n = t || e.event
, r = n.target || n.srcElement
, o = n.keyCode
, a = 0;
n.ctrlKey && 17 != o && (a += 1),
n.altKey && 18 != o && (a += 2),
n.shiftKey && 16 != o && (a += 4);
var i = "null";
r && (i = r.id ? encodeURIComponent(r.id) : r.name ? encodeURIComponent(r.name) : i);
for (var c = 0; c < F.ExcludeTarget.length; c++)
if (F.ExcludeTarget[c] == i)
return;
var f = (new Date).getTime() - q;
G++,
w.keyDown += [o, a, i, f].join(",") + "|",
d(w)
} catch (u) {}
}
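Here w is the e that gets passed in.
The call stack ends here, and w is not assigned anywhere in this function. The function forms a closure, so w must be assigned somewhere else in this file.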
function I() {
w.mouseDown = "",
w.keyDown = "",
w.mouseMove = "",
0 == _ && (_ = 1,
i(),
(2 & F.SendMethod) > 0 && setInterval(Y, F.SendTimer),
w.version = l(),
w.loadTime = q / 1e3,
F.BrowserInfo && (w.browserInfo = u()),
w.token = F.PageToken,
F.Location && (w.location = E()),
F.ScreenInfo && (w.screenInfo = v()),
F.FlashInfo && (w.flashInfo = y()),
d(w))
}
Right, found it, this is the place. Next, track down the variable F.
function R() {
if ("undefined" == typeof b)
return 1;
if ("number" != typeof b.Flag)
return 1;
var e = new Object;
if ("undefined" != typeof b.FormId && "" != b.FormId && (e.FormId = b.FormId),
"undefined" != typeof b.RecordStr && "" != b.RecordStr && (e.RecordStr = b.RecordStr),
e.EnableKSEvent = b.Flag >> 1 & 1,
e.EnableMCEvent = b.Flag >> 2 & 1,
e.EnableMPEvent = b.Flag >> 3 & 1,
e.RecordTimeInterval = b.Flag >> 6 & 1,
e.BrowserInfo = b.Flag >> 7 & 1,
e.LSIDInfo = b.Flag >> 10 & 1,
e.Location = b.Flag >> 11 & 1,
e.Token = b.Flag >> 12 & 1,
e.ScreenInfo = b.Flag >> 13 & 1,
e.FlashInfo = b.Flag >> 16 & 1,
e.DVID = b.Flag >> 17 & 1,
"string" == typeof b.Token ? e.PageToken = b.Token : e.Token = 0,
e.ImgUrl = "string" == typeof b.ImgUrl ? b.ImgUrl : "",
e.EltAttrs = [],
"undefined" != typeof b.EltAttrs)
for (var t = 0; t < b.EltAttrs.length; t++)
e.EltAttrs.push(b.EltAttrs[t]);
if (e.ExcludeTarget = [],
"undefined" != typeof b.ExcludeTarget)
for (var t = 0; t < b.ExcludeTarget.length; t++)
e.ExcludeTarget.push(b.ExcludeTarget[t]);
return e.RCInterval = "undefined" != typeof b.RCInterval && b.RCInterval > 0 ? b.RCInterval : 50,
e.RCMSEvent = "undefined" != typeof b.RCMSEvent && b.RCMSEvent > 0 ? b.RCMSEvent : 5,
e.RCKSEvent = "undefined" != typeof b.RCKSEvent && b.RCKSEvent > 0 ? b.RCKSEvent : 5,
e.RCMVEvent = "undefined" != typeof b.RCMVEvent && b.RCMVEvent > 0 ? b.RCMVEvent : 5,
e.RCFCEvent = "undefined" != typeof b.RCFCEvent && b.RCFCEvent > 0 ? b.RCFCEvent : 0,
e.SendInterval = "undefined" != typeof b.SendInterval && b.SendInterval > 0 ? b.SendInterval : 1,
e.SendMethod = "undefined" != typeof b.SendMethod && b.SendMethod > 0 ? b.SendMethod : 0,
e.GYInterval = "undefined" != typeof b.GYInterval && b.GYInterval > 0 ? b.GYInterval : 50,
e.RCGPEvent = "undefined" != typeof b.RCGPEvent && b.RCGPEvent > 0 ? b.RCGPEvent : 5,
e.RCTVEvent = "undefined" != typeof b.RCTVEvent && b.RCTVEvent > 0 ? b.RCTVEvent : 5,
e.SendMethod |= 1,
e.DVHost = "string" == typeof b.DVHost ? b.DVHost : "passport.baidu.com",
e.SendTimer = "number" == typeof b.SendTimer ? b.SendTimer : 1e3,
F = e,
F.BrowserInfo = !0,
F.Location = !0,
F.ScreenInfo = !0,
F.FlashInfo = !0,
F.LSIDInfo = !0,
0
}
F = e, and then e.PageToken = b.Token. Ugh, now b.Token shows up.
Finally found it:
b.Token = "tk" + Math.random() + (new Date).getTime()
What was I trying to do again......
e.token + "@" + S(e, e.token)
Extract S(e, e.token); it can be lifted out and tested on its own.
function r(e, t) {
for (var n = t.split(""), r = 0; r < e.length; r++) {
var o = r % n.length;
o = n[o].charCodeAt(0),
o %= e.length;
var a = e[r];
e[r] = e[o],
e[o] = a
}
return e
}
function o(e) {
for (var t = [], n = 0; n < e.length; n++)
for (var r = e[n][0]; r <= e[n][1]; r++)
t.push(String.fromCharCode(r));
return t
}
function n(e) {
var t = [[48, 57], [65, 90], [97, 122], [45, 45], [126, 126]]
, n = o(t)
, a = o(t.slice(1));
e && (n = r(n, e),
a = r(a, e)),
this.dict = n,
this.dict2 = a
}
function iary(e) {
for (var t = "", n = 0; n < e.length; n++) {
var r = a(e[n], this.dict2);
t += r.length > 1 ? r.length - 2 + r : r
}
return t
}
function a(e, t) {
var n = ""
, r = Math.abs(parseInt(e));
if (r)
for (; r; )
n += t[r % t.length],
r = parseInt(r / t.length);
else
n = t[0];
return n
}
function bary(e) {
for (var t = 0, n = {}, r = 0; r < e.length; r++)
e[r] > t && (t = e[r],
n[e[r]] = !0);
var o = parseInt(t / 6);
o += t % 6 ? 1 : 0;
for (var a = "", r = 0; o > r; r++) {
for (var i = 6 * r, d = 0, c = 0; 6 > c; c++)
n[i] && (d += Math.pow(2, c)),
i++;
a += this.dict[d]
}
return a
}
function int(e) {
return a(e, this.dict)
}
function str(e) {
for (var t = [], n = 0; n < e.length; n++) {
var r = e.charCodeAt(n);
r >= 1 && 127 >= r ? t.push(r) : r > 2047 ? (t.push(224 | r >> 12 & 15),
t.push(128 | r >> 6 & 63),
t.push(128 | r >> 0 & 63)) : (t.push(192 | r >> 6 & 31),
t.push(128 | r >> 0 & 63))
}
for (var o = "", n = 0, a = t.length; a > n; ) {
var i = t[n++];
if (n >= a) {
o += this.dict[i >> 2],
o += this.dict[(3 & i) << 4],
o += "__";
break
}
var d = t[n++];
if (n >= a) {
o += this.dict[i >> 2],
o += this.dict[(3 & i) << 4 | (240 & d) >> 4],
o += this.dict[(15 & d) << 2],
o += "_";
break
}
var c = t[n++];
o += this.dict[i >> 2],
o += this.dict[(3 & i) << 4 | (240 & d) >> 4],
o += this.dict[(15 & d) << 2 | (192 & c) >> 6],
o += this.dict[63 & c]
}
return o
}
function S(e, t) {
var r = new n(t)
, o = {
flashInfo: 0,
mouseDown: 1,
keyDown: 2,
mouseMove: 3,
version: 4,
loadTime: 5,
browserInfo: 6,
token: 7,
location: 8,
screenInfo: 9
}
;r.iary=iary;var a = [r.iary([2])];
r.str = str,r.int=int,r.bary=bary;
for (var i in e) {
var d = e[i];
if (void 0 !== d && void 0 !== o[i]) {
var c;
"number" == typeof d ? (c = d >= 0 ? 1 : 2,
d = r.int(d)) : "boolean" == typeof d ? (c = 3,
d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,
d = r.bary(d)) : (c = 0,
d = r.str(d + "")),
d && a.push(r.iary([o[i], c, d.length]) + d)
}
}
return a.join("")
}
e={
mouseDown: "",
keyDown: "81,0,TANGRAM__PSP_10__userName,22511|81,0,TANGRAM__PSP_10__userName,29534|81,0,TANGRAM__PSP_10__userName,43673|119,0,TANGRAM__PSP_10__userName,46970|17,0,TANGRAM__PSP_10__userName,50479|",
mouseMove: "538,378,10501,TANGRAM__PSP_10__submit|605,242,15589,TANGRAM__PSP_10__userName|569,265,39495,TANGRAM__PSP_10__form|584,227,57742,TANGRAM__PSP_10__userName|",
version: 26,
loadTime: 1577435194.019,
browserInfo: "1,2,78",
token: "tk0.59217013109449961577435194019",
location: "https://www.baidu.com/,undefined",
screenInfo: "0,0,1536,864,1536,864,1536,1536,824",
flashInfo: undefined
}
t="tk0.59217013109449961577435194019"
console.log(S(e,t))
We now have dv.
traceid actually already appeared in our earlier requests, but it was empty every time; only in this request is it non-empty.
createTraceID: function() {
var e = this;
return e.headID + e.flowID + e.cases
}
e.flowID is "01" for login and "02" for reg; ours is login.
Tidying up the flow: the code below can be used as-is; I'll rewrite it in Python when I have time.
function createTraceID() {
var e = this;
return e.headID + "01"
}
function createHeadID() {
var e = this
, t = (new Date).getTime() + getRandom().toString()
, n = Number(t).toString(16)
, i = n.length
, s = n.slice(i - 6, i).toUpperCase();
console.log(s)
e.headID = s
}
function getRandom() {
return parseInt(90 * Math.random() + 10, 10)
}
createHeadID()
console.log(createTraceID())
Same as before.
Done: the analysis of the parameters in the Baidu home page login flow is complete. Wait a moment ==
https://passport.bdimg.com/passApi/js/loginv4_19d79ee.js
if (e.RSA && e.rsakey) {
var o = s;
o.length < 128 && !e.config.safeFlag && (i.password = baidu.url.escapeSymbol(e.RSA.encrypt(o)),
i.rsakey = e.rsakey,
i.crypttype = 12)
}
The key statement: i.password = baidu.url.escapeSymbol(e.RSA.encrypt(o))
baidu.url.escapeSymbol = function(a) {
return String(a).replace(/[#%&+=\/\\\ \ \f\r\n\t]/g, function(b) {
return "%" + (256 + b.charCodeAt()).toString(16).substring(1).toUpperCase()
})
}
Just RSA-encrypt and base64-encode, and that's it.
- Get the token: https://passport.baidu.com/v2/api/?getapi
- tk, ds: https://passport.baidu.com/viewlog?ak=1e3f2dd1c81f2075171a547893391274&callback=jsonpCallbackA19056&v=6553&t=1577361340134 (returns the pplogid cookie)
- rsakey: https://passport.baidu.com/v2/getpublickey?token=d707ff8d7ae9f7debe9ee5e7658726fa&tpl=mn&subpro=&apiver=v3&tt=1577361368654&gid=736B
- Log in: https://passport.baidu.com/v2/api/?login