微信公众平台作为腾讯的一个重要产品,在登陆密码上的加密显得简单只是密码的md5加密,但是他的重点防护是在微信扫码登陆。
首先打开控制台抓个包:
username:[email protected]
pwd:f379eaf3c831b04de153469d1bec345e
imgcode:
f:json
userlang:zh_CN
redirect_url:
token:
lang:zh_CN
ajax:1
字段信息很简单就是一个pwd,今天我们就分析一下这个pwd对应的js代码。
全局搜索paw,找到下面一段js:
_login: function(e, t) {
var i = this
n.post({
url: t,
data: {
username: this.account,
pwd: r(this.pwd.substr(0, 16)),
imgcode: this.verify,
f: "json",
userlang: this.currentLang,
redirect_url: window.wx.cgiData.redirectUrl
}
}, e ? this._loginCallback : function(e) {
0 === e.grey ? ((new Image).src = "/mp/jsmonitor?idkey=66811_4_1",
i._login(!0, "/cgi-bin/login?loginhook=4")) : i._loginCallback(e)
}
)
},
"use strict"
define("3rd/md5/md5.js", [], function(n, r, t) {
function e(n, r) {
var t = (65535 & n) + (65535 & r)
return (n >> 16) + (r >> 16) + (t >> 16) << 16 | 65535 & t
}
function u(n, r, t, u, o, c) {
return e(function(n, r) {
return n << r | n >>> 32 - r
}(e(e(r, n), e(u, c)), o), t)
}
function o(n, r, t, e, o, c, f) {
return u(r & t | ~r & e, n, r, o, c, f)
}
function c(n, r, t, e, o, c, f) {
return u(r & e | t & ~e, n, r, o, c, f)
}
function f(n, r, t, e, o, c, f) {
return u(r ^ t ^ e, n, r, o, c, f)
}
function i(n, r, t, e, o, c, f) {
return u(t ^ (r | ~e), n, r, o, c, f)
}
function a(n, r) {
n[r >> 5] |= 128 << r % 32,
n[14 + (r + 64 >>> 9 << 4)] = r
var t, u, a, h, d, g = 1732584193, l = -271733879, v = -1732584194, s = 271733878
for (t = 0; t < n.length; t += 16)
u = g,
a = l,
h = v,
d = s,
l = i(l = i(l = i(l = i(l = f(l = f(l = f(l = f(l = c(l = c(l = c(l = c(l = o(l = o(l = o(l = o(l, v = o(v, s = o(s, g = o(g, l, v, s, n[t], 7, -680876936), l, v, n[t + 1], 12, -389564586), g, l, n[t + 2], 17, 606105819), s, g, n[t + 3], 22, -1044525330), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 4], 7, -176418897), l, v, n[t + 5], 12, 1200080426), g, l, n[t + 6], 17, -1473231341), s, g, n[t + 7], 22, -45705983), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 8], 7, 1770035416), l, v, n[t + 9], 12, -1958414417), g, l, n[t + 10], 17, -42063), s, g, n[t + 11], 22, -1990404162), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 12], 7, 1804603682), l, v, n[t + 13], 12, -40341101), g, l, n[t + 14], 17, -1502002290), s, g, n[t + 15], 22, 1236535329), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 1], 5, -165796510), l, v, n[t + 6], 9, -1069501632), g, l, n[t + 11], 14, 643717713), s, g, n[t], 20, -373897302), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 5], 5, -701558691), l, v, n[t + 10], 9, 38016083), g, l, n[t + 15], 14, -660478335), s, g, n[t + 4], 20, -405537848), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 9], 5, 568446438), l, v, n[t + 14], 9, -1019803690), g, l, n[t + 3], 14, -187363961), s, g, n[t + 8], 20, 1163531501), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 13], 5, -1444681467), l, v, n[t + 2], 9, -51403784), g, l, n[t + 7], 14, 1735328473), s, g, n[t + 12], 20, -1926607734), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 5], 4, -378558), l, v, n[t + 8], 11, -2022574463), g, l, n[t + 11], 16, 1839030562), s, g, n[t + 14], 23, -35309556), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 1], 4, -1530992060), l, v, n[t + 4], 11, 1272893353), g, l, n[t + 7], 16, -155497632), s, g, n[t + 10], 23, -1094730640), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 13], 4, 681279174), l, v, n[t], 11, -358537222), g, l, n[t + 3], 16, -722521979), s, g, n[t + 6], 23, 76029189), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 9], 4, -640364487), l, v, n[t + 12], 11, -421815835), g, l, n[t + 15], 16, 530742520), s, g, n[t + 2], 23, -995338651), v = i(v, s = i(s, g = i(g, l, v, s, n[t], 6, -198630844), l, v, n[t + 7], 10, 1126891415), g, l, n[t + 14], 15, -1416354905), s, g, n[t + 5], 21, -57434055), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 12], 6, 1700485571), l, v, n[t + 3], 10, -1894986606), g, l, n[t + 10], 15, -1051523), s, g, n[t + 1], 21, -2054922799), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 8], 6, 1873313359), l, v, n[t + 15], 10, -30611744), g, l, n[t + 6], 15, -1560198380), s, g, n[t + 13], 21, 1309151649), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 4], 6, -145523070), l, v, n[t + 11], 10, -1120210379), g, l, n[t + 2], 15, 718787259), s, g, n[t + 9], 21, -343485551),
g = e(g, u),
l = e(l, a),
v = e(v, h),
s = e(s, d)
return [g, l, v, s]
}
function h(n) {
var r, t = ""
for (r = 0; r < 32 * n.length; r += 8)
t += String.fromCharCode(n[r >> 5] >>> r % 32 & 255)
return t
}
function d(n) {
var r, t = []
for (t[(n.length >> 2) - 1] = void 0,
r = 0; r < t.length; r += 1)
t[r] = 0
for (r = 0; r < 8 * n.length; r += 8)
t[r >> 5] |= (255 & n.charCodeAt(r / 8)) << r % 32
return t
}
function g(n) {
var r, t, e = ""
for (t = 0; t < n.length; t += 1)
r = n.charCodeAt(t),
e += "0123456789abcdef".charAt(r >>> 4 & 15) + "0123456789abcdef".charAt(15 & r)
return e
}
function l(n) {
return unescape(encodeURIComponent(n))
}
function v(n) {
return function(n) {
return h(a(d(n), 8 * n.length))
}(l(n))
}
function s(n, r) {
return function(n, r) {
var t, e, u = d(n), o = [], c = []
for (o[15] = c[15] = void 0,
u.length > 16 && (u = a(u, 8 * n.length)),
t = 0; t < 16; t += 1)
o[t] = 909522486 ^ u[t],
c[t] = 1549556828 ^ u[t]
return e = a(o.concat(d(r)), 512 + 8 * r.length),
h(a(c.concat(e), 640))
}(l(n), l(r))
}
t.exports = function(n, r, t) {
return r ? t ? s(r, n) : function(n, r) {
return g(s(n, r))
}(r, n) : t ? v(n) : function(n) {
return g(v(n))
}(n)
}
})
注释了一个use strict,意思是严格使用,再看define("3rd/md5/md5.js"那就是严格使用md5加密
然后打开一个在线md5工具,输入之前输入的密码测试一下:
import hashlib
def USE_MD5(test):
if not isinstance(test, bytes):
test = bytes(test, 'utf-8')
m = hashlib.md5()
m.update(test)
return m.hexdigest()
USE_MD5('666666')
Out[9]: 'f379eaf3c831b04de153469d1bec345e'
发现是一致的,那就是使用了简单的md5加密,这个案列再次证明:越大的网站他的密码加密越规范,他们的安全验证在于其他身份验证(二维码、短信、邮件),而网站传输请求加密的目的还是在于防止数据被拦截之后泄密。
用Python实现
ID:Python之战
|作|者|公(zhong)号:python之战
专注Python,专注于网络爬虫、RPA的学习-践行-总结
喜欢研究和分享技术瓶颈,欢迎关注
独学而无友,则孤陋而寡闻!