爱qiyi滑块(2
网址:aHR0cHM6Ly93d3cuaXFpeWkuY29tLw==
一、整体流程分析
爱qiyi整个登录滑块流程主要分五步:
1、访问dfp_pcw/sign拿到dfp参数
2、访问login.action拿到token参数
3、访问sbox_init_key拿到sig,sid,sr参数
4、访问verifycenter/initpage拿到滑块相关数据(包括图片的地址以及还原图片的数组)
5、访问verifycenter/verify,然后"msg":"成功"即通过滑块
二、根据每个包需要的参数逐个跟栈
1、dfp_pcw/sign链接,加密参数为dim和sig,主要加密方式分别为RSA和HmacSHA1,这里面会涉及到一些环境值,其他的都固定即可,有两个值是从cookie拿的,都随机一下就行,主要代码如下:
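/**
 * Build the `dim` and `sig` parameters the article describes for the
 * dfp_pcw/sign request.
 *
 * Relies on helpers that are not part of this listing: guid(),
 * generateQC005(), n(), o() and HmacSHA1_Encrypt().
 *
 * @returns {Array} two-element array [dim, sig]
 */
function get_data() {
    // Random value; the original note says to locate the function of the
    // same name in the page script and copy it out.
    var guid1 = guid();
    // Random value; same note as above.
    var generateQC0051 = generateQC005();

    // Environment/fingerprint record serialised as JSON text. Everything is a
    // fixed literal except "mi" and "jg", which carry the two random values.
    var t = '{"jn":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36","cm":"zh-CN","gu":24,"uf":1.25,"jr":[1536,864],"di":[1536,824],"zp":-480,"uh":1,"sh":1,"he":1,"zo":1,"rv":"unknown","nx":"Win32","iw":"unknown","qm":["PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf"],"fk":false,"rg":false,"xy":false,"jm":false,"ba":false,"tm":[0,false,false],"hl":false,"ht":"","au":true,"mi":"'+guid1+'","cl":"PCWEB","sv":"1.0","jg":"'+generateQC0051+'","ifm":[false,null,null,null],"ex":"","dv":"off"}';

    // The original comment labels this step "base64"; n() and o() are not
    // shown, so what each of them does cannot be confirmed from this listing.
    var dim = n(o(t));

    var word = "" + dim + "PCWEB" + "1.0";
    // NOTE(security): the HMAC key is a constant that ships inside the client
    // script, so a matching sig only shows that the sender knows that public
    // constant. It cannot authenticate the fingerprint; a server has to treat
    // every field above as client-asserted and corroborate it server-side.
    var sig = HmacSHA1_Encrypt(word, 'eade56028e252b77f7a0b8792e58b9cc').toUpperCase();

    return [dim, sig];
}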
2、携带dfp访问login.action链接,加密参数为pwd,加密方式为RSA,网上也有很多博客是讲这个站的pwd的,所以略过
3、sbox_init_key链接,加密参数为secure,加密方式为RSA+SHA256,这个RSA我扣的办法是导出关键函数,加密位置如下
注意,这里会有两个随机字符串(f 和 s),这个我当时找了半天才找到,下面是它们的生成方式(这两个字符串是后面生成aeskey和hmackey的关键)
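/**
 * Return a string of `e` characters drawn from A-Z, a-z and 0-9.
 *
 * NOTE(security): this is a linear congruential generator seeded from the
 * wall clock plus one Math.random() call; it is not a CSPRNG. The surrounding
 * article says the two strings produced below feed the AES and HMAC keys.
 * Key material that has to be unpredictable should come from
 * crypto.getRandomValues() rather than from a generator like this one.
 *
 * @param {number} e - number of characters to produce
 * @returns {string} string of length `e` (empty when `e` is 0)
 */
function getRandom(e) {
    // Same 62 symbols, in the same order, as the original array literal.
    var x = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    var t = x.length;

    // Seed: current time in milliseconds plus a small random offset.
    // Declared locally so the state no longer leaks into the global scope
    // (the bare assignment also throws in strict mode / ES modules).
    var r = (new Date).getTime() + Math.ceil(10 * Math.random() * x.length);

    var out = "";
    for (var i = 0; i < e; i++) {
        // One LCG step, then scale the state onto an alphabet index.
        r = (9301 * r + 49297) % 233280;
        var n = Math.ceil(r / 233280 * t) - 1;
        if (n < 0) {
            n = 0;
        }
        // Upper clamp kept from the original; r < 233280, so n never exceeds t - 1.
        out += x[t < n ? t : n];
    }
    return out;
}

// The article text names the two strings "f" and "s"; the listing assigns the
// second one to `c`.
var f = getRandom(32);
var c = getRandom(64);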
4、访问initpage链接,这里的加密参数是 cryptSrcData和cryptVersion ,这里的加密会涉及到上面提到的aeskey和hmackey,加密位置如下:
cryptSrcData生成方式如下:
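// Assemble the initpage payload, encrypt it, and append a MAC over the
// ciphertext. dfp, phone, time_, token, data, aeskey, hmackey, AES_Encrypt and
// HmacSHA256_Encrypt are all defined outside this listing.
var extend = {
    "dfp": dfp,
    "ptid": "01010021010000000000",
    "agentType": "1",
    "deviceId": "....",
    "cellphoneNumber": phone,
    "areaCode": "86"
};

var ee = {
    "t": time_,
    "token": token,
    "width": 290,
    "height": 170,
    "clientVersion": 1,
    // Mouse-trajectory data; the original note says it is lightly imitated.
    // NOTE(security): this field is entirely client-asserted, so a verifier
    // has to score it server-side rather than trust its presence or format.
    "riskData": JSON.stringify(data),
    "dfp": dfp,
    "extend": JSON.stringify(extend)
};

// NOTE(review): the third argument is a fixed 16-character string, presumably
// the IV (confirm against AES_Encrypt). With a constant IV, equal plaintexts
// under the same key encrypt to equal ciphertexts.
var e = AES_Encrypt(JSON.stringify(ee), aeskey, "qwertyuiopasdfgh");

// Ciphertext and its HMAC-SHA256 tag, joined with "|".
var cryptSrcData = e + "|" + HmacSHA256_Encrypt(e, hmackey);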
cryptVersion生成方式如下:
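// Version tag sent with cryptSrcData: a fixed prefix followed by `sid`, which
// the article says is returned by the sbox_init_key call. Declared with `var`
// so the assignment is not an implicit global (which throws in strict mode).
var cryptVersion = 'web|20180418xkdewxe3dkxu9|' + sid;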
5、拿到滑块数据后,发现图片是乱序的,还得根据所返回的数组进行还原,还原主要思路如下:
至于这个pic_list是怎么来的,打个canvas断点去看下网站是怎么做的就知道了
三、请求验证
注:verifycenter/verify链接所需要的参数和initpage链接的基本一样的,只是轨迹那里需要变化,就不多说啦,这个站轨迹检测还是比较严格的,收工,拜拜!