目标站点: https://xinshangmeng.com/
同样先看看发包过程
j_mmrm是用户名, j_mcmm是密码, 密码被加密了, 下面寻找这个加密的关键函数
首先定位到这个按钮, 然后产看Event Listeners
这里是通过form表单发送请求的, from表单在提交动作完成之前会先触发onsubmit事件,默认返回true。如果返回true,则发送请求;若false,则终止请求。
所以可以看submit事件
通过这个id选择器, 也可以判断出来这个就是关键的函数了, 跟进去如下:
function e() {
var a = L.userName();
if ("" == a)
return Q = !1,
G.alert("请输入用户名!").done(function() {
d(y)
}),
!1;
var b = L.password();
if ("" == b)
return Q = !1,
G.alert("请输入密码!").done(function() {
d(z)
}),
!1;
var c = I.getValue();
if (I.isActive() && !c)
return Q = !1,
G.alert("请输入验证码!").done(function() {
I.focus()
}),
!1;
u();
var e = b;
b = F(F(b) + c);
var g = {
protocol: location.protocol,
loginIndex: location.href
};
return g.j_mmrm = a,
g.j_mcmm = b,
g.j_valcode = c,
P.j_mmrm = a,
P.j_mcmm = F(F(e) + ""),
E.getCookie("usercomcookieId").done(function(b) {
b && "null" !== b && (b = b.split(",")[0]) !== a.toUpperCase() && (g.j_puserId = b,
P.j_puserId = b,
E.getCookie("myguid1234567890").done(function(a) {
g.j_guid = a,
P.j_guid = a
}))
}).always(function() {
J.login(g).done(f).fail(q)
}),
!1
}
该函数首先判断输入的用户名、密码、验证码是否为空
接下来执行u函数, u函数如下:
function u() {
E.clearCookie("/"),
E.clearCookie("/app/"),
E.clearCookie("/", ".xinshangmeng.com"),
E.clearCookie("/", ".preview.xinshangmeng.com"),
E.clearCookie("/", ".test.xinshangmeng.com"),
E.clearCookie("/", ".dynamic.xinshangmeng.com")
}
// E.clearCookie
function j(a, b) {
$.ajax({
type: "GET",
url: XSMConfig.login + "/cookieTool?method=clearCookieAjax",
dataType: "jsonp",
exceptName: "myguid1234567890",
data: {
domain: k.encrypt(b || document.domain),
path: k.encrypt(a)
}
})
}
发送了六个请求, 如下:
u函数清除了cookie
var e = b;
b = F(F(b) + c);
b就是明文密码, c是验证码, 接下来经过F(F(b)+c)对密码进行加密
// F函数
function d(a) {
return n(e(o(m(a + "{1#2%4(5)6@7!poeeww%4(5)djjkkldss}")), 32))
}
F函数里面嵌套了好多次函数, o、e、n
一个一个看, 首先看m
首先将密码与"{1#2%4(5)6@7!poeeww%4(5)djjkkldss}"拼接, 之后交给m
// m函数
function m(a) {
for (var b = a.length, c = new Array(b), d = 0; d < b; d++) {
var e = a.charCodeAt(d); // charCodeAt返回字符串第一个字符的 Unicode 编码(H 的 Unicode 值):
c[d] = 255 & e
}
return c
}
m函数将传入的字符串转换成了对应的Unicode编码
再看o函数, 将密码+"{1#2%4(5)6@7!poeeww%4(5)djjkkldss}"的Unicode值数组传给o
function o(a) {
for (var b = 1 + (a.length + 8 >> 6), c = new Array(16 * b), d = 0; d < 16 * b; d++)
c[d] = 0;
for (var e = 0; e < a.length; e++)
c[e >> 2] |= (255 & a[e]) << e % 4 * 8;
return c[e >> 2] |= 128 << e % 4 * 8, c[16 * b - 2] = 8 * a.length, c
}
最后看e函数, e函数有两个参数, 第一个是o处理过的数组, 第二个是32
function e(a, b) {
for (var c = 1732584193, d = -271733879, e = -1732584194, f = 271733878, l = 0; l < a.length; l += 16) {
var m = c
, n = d
, o = e
, p = f;
c = g(c, d, e, f, a[l + 0], 7, -680876936),
f = g(f, c, d, e, a[l + 1], 12, -389564586),
e = g(e, f, c, d, a[l + 2], 17, 606105819),
d = g(d, e, f, c, a[l + 3], 22, -1044525330),
c = g(c, d, e, f, a[l + 4], 7, -176418897),
f = g(f, c, d, e, a[l + 5], 12, 1200080426),
e = g(e, f, c, d, a[l + 6], 17, -1473231341),
d = g(d, e, f, c, a[l + 7], 22, -45705983),
c = g(c, d, e, f, a[l + 8], 7, 1770035416),
f = g(f, c, d, e, a[l + 9], 12, -1958414417),
e = g(e, f, c, d, a[l + 10], 17, -42063),
d = g(d, e, f, c, a[l + 11], 22, -1990404162),
c = g(c, d, e, f, a[l + 12], 7, 1804603682),
f = g(f, c, d, e, a[l + 13], 12, -40341101),
e = g(e, f, c, d, a[l + 14], 17, -1502002290),
d = g(d, e, f, c, a[l + 15], 22, 1236535329),
c = h(c, d, e, f, a[l + 1], 5, -165796510),
f = h(f, c, d, e, a[l + 6], 9, -1069501632),
e = h(e, f, c, d, a[l + 11], 14, 643717713),
d = h(d, e, f, c, a[l + 0], 20, -373897302),
c = h(c, d, e, f, a[l + 5], 5, -701558691),
f = h(f, c, d, e, a[l + 10], 9, 38016083),
e = h(e, f, c, d, a[l + 15], 14, -660478335),
d = h(d, e, f, c, a[l + 4], 20, -405537848),
c = h(c, d, e, f, a[l + 9], 5, 568446438),
f = h(f, c, d, e, a[l + 14], 9, -1019803690),
e = h(e, f, c, d, a[l + 3], 14, -187363961),
d = h(d, e, f, c, a[l + 8], 20, 1163531501),
c = h(c, d, e, f, a[l + 13], 5, -1444681467),
f = h(f, c, d, e, a[l + 2], 9, -51403784),
e = h(e, f, c, d, a[l + 7], 14, 1735328473),
d = h(d, e, f, c, a[l + 12], 20, -1926607734),
c = i(c, d, e, f, a[l + 5], 4, -378558),
f = i(f, c, d, e, a[l + 8], 11, -2022574463),
e = i(e, f, c, d, a[l + 11], 16, 1839030562),
d = i(d, e, f, c, a[l + 14], 23, -35309556),
c = i(c, d, e, f, a[l + 1], 4, -1530992060),
f = i(f, c, d, e, a[l + 4], 11, 1272893353),
e = i(e, f, c, d, a[l + 7], 16, -155497632),
d = i(d, e, f, c, a[l + 10], 23, -1094730640),
c = i(c, d, e, f, a[l + 13], 4, 681279174),
f = i(f, c, d, e, a[l + 0], 11, -358537222),
e = i(e, f, c, d, a[l + 3], 16, -722521979),
d = i(d, e, f, c, a[l + 6], 23, 76029189),
c = i(c, d, e, f, a[l + 9], 4, -640364487),
f = i(f, c, d, e, a[l + 12], 11, -421815835),
e = i(e, f, c, d, a[l + 15], 16, 530742520),
d = i(d, e, f, c, a[l + 2], 23, -995338651),
c = j(c, d, e, f, a[l + 0], 6, -198630844),
f = j(f, c, d, e, a[l + 7], 10, 1126891415),
e = j(e, f, c, d, a[l + 14], 15, -1416354905),
d = j(d, e, f, c, a[l + 5], 21, -57434055),
c = j(c, d, e, f, a[l + 12], 6, 1700485571),
f = j(f, c, d, e, a[l + 3], 10, -1894986606),
e = j(e, f, c, d, a[l + 10], 15, -1051523),
d = j(d, e, f, c, a[l + 1], 21, -2054922799),
c = j(c, d, e, f, a[l + 8], 6, 1873313359),
f = j(f, c, d, e, a[l + 15], 10, -30611744),
e = j(e, f, c, d, a[l + 6], 15, -1560198380),
d = j(d, e, f, c, a[l + 13], 21, 1309151649),
c = j(c, d, e, f, a[l + 4], 6, -145523070),
f = j(f, c, d, e, a[l + 11], 10, -1120210379),
e = j(e, f, c, d, a[l + 2], 15, 718787259),
d = j(d, e, f, c, a[l + 9], 21, -343485551),
c = k(c, m),
d = k(d, n),
e = k(e, o),
f = k(f, p)
}
return new Array(c,d,e,f)
}
其实就是md5
最后就是n函数, 将e *** 作后的结果传入
function n(a) {
for (var b = "0123456789abcdef", c = "", d = 0; d < 4 * a.length; d++)
c += b.charAt(a[d >> 2] >> d % 4 * 8 + 4 & 15) + b.charAt(a[d >> 2] >> d % 4 * 8 & 15);
return c
}
最后在进行一次F函数 *** 作, 就得到了密文
继续看发包的函数
var g = {
protocol: location.protocol,
loginIndex: location.href
};
return g.j_mmrm = a,
g.j_mcmm = b,
g.j_valcode = c,
P.j_mmrm = a,
P.j_mcmm = F(F(e) + ""),
E.getCookie("usercomcookieId").done(function(b) {
b && "null" !== b && (b = b.split(",")[0]) !== a.toUpperCase() && (g.j_puserId = b,
P.j_puserId = b,
E.getCookie("myguid1234567890").done(function(a) {
g.j_guid = a,
P.j_guid = a
}))
}).always(function() {
J.login(g).done(f).fail(q)
}),
!1
这里首先对对象g、P和E成员进行了赋值, 之后调用E.getCookie, 跟进去看一下该函数
function g(a) {
var b = $.Deferred();
return $.ajax({
type: "GET",
url: XSMConfig.login + "/cookieTool?method=getCookieAjax",
dataType: "jsonp",
timeout: 5e3,
data: {
cookieName: k.encrypt(a)
}
}).done(function(a) {
a && "000" === a.code ? b.resolve(k.decrypt(a.data)) : b.reject()
}).always(function() {
b.reject()
}),
b.promise()
}
这里封装了一个GET请求, 也就是之前抓包中看到的那个请求
之后调用J.login(g)来发送请求数据包
c.login = function(a) {
return $.ajax({
url: XSMConfig.login + "/users/dologin/dfaup",
type: "post",
dataType: "jsonp",
jsonp: "jsonp",
data: a
})
}
补充:
-
always():一定会执行
-
catch():执行出错时执行(本体 object)
-
done():执行成功时执行
-
failed():执行出错时执行(服务器拒绝)
-
pipe():过滤方法
-
progress():当对象生成进度通知时,调用添加处理程序
-
Promise():返回Object(延迟)的Promise(承诺)对象
-
state():确定一个Object(延迟)对象的当前状态
-
then():当(延迟)对象解决,拒绝或仍在进行中时,调用添加处理程序
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)