微信公众平台作为腾讯的一个重要产品,在登陆密码上的加密显得简单只是密码的md5加密,但是他的重点防护是在微信扫码登陆。
首先打开控制台抓个包:
username:2551513277@qq.compwd:f379eaf3c831b04de153469d1bec345eimgcode:f:jsonuserlang:zh_CNredirect_url:token:lang:zh_CNajax:1
字段信息很简单就是一个pwd,今天我们就分析一下这个pwd对应的js代码。
全局搜索paw,找到下面一段js:
_login: function(e, t) { var i = this n.post({ url: t, data: { username: this.account, pwd: r(this.pwd.substr(0, 16)), imgcode: this.verify, f: "json", userlang: this.currentLang, redirect_url: window.wx.cgiData.redirectUrl } }, e ? this._loginCallback : function(e) { 0 === e.grey ? ((new Image).src = "/mp/jsmonitor?idkey=66811_4_1", i._login(!0, "/cgi-bin/login?loginhook=4")) : i._loginCallback(e) } ) },
推测这就是发送post请求的代码,看r(this.pwd.substr(0, 16)),截取密码的前16为,然后传递给r函数,那就顺藤摸瓜,查看r函数内容:
image
"use strict"define("3rd/md5/md5.js", [], function(n, r, t) { function e(n, r) { var t = (65535 & n) + (65535 & r) return (n >> 16) + (r >> 16) + (t >> 16) << 16 | 65535 & t } function u(n, r, t, u, o, c) { return e(function(n, r) { return n << r | n >>> 32 - r }(e(e(r, n), e(u, c)), o), t) } function o(n, r, t, e, o, c, f) { return u(r & t | ~r & e, n, r, o, c, f) } function c(n, r, t, e, o, c, f) { return u(r & e | t & ~e, n, r, o, c, f) } function f(n, r, t, e, o, c, f) { return u(r ^ t ^ e, n, r, o, c, f) } function i(n, r, t, e, o, c, f) { return u(t ^ (r | ~e), n, r, o, c, f) } function a(n, r) { n[r >> 5] |= 128 << r % 32, n[14 + (r + 64 >>> 9 << 4)] = r var t, u, a, h, d, g = 1732584193, l = -271733879, v = -1732584194, s = 271733878 for (t = 0; t < n.length; t += 16) u = g, a = l, h = v, d = s, l = i(l = i(l = i(l = i(l = f(l = f(l = f(l = f(l = c(l = c(l = c(l = c(l = o(l = o(l = o(l = o(l, v = o(v, s = o(s, g = o(g, l, v, s, n[t], 7, -680876936), l, v, n[t + 1], 12, -389564586), g, l, n[t + 2], 17, 606105819), s, g, n[t + 3], 22, -1044525330), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 4], 7, -176418897), l, v, n[t + 5], 12, 1200080426), g, l, n[t + 6], 17, -1473231341), s, g, n[t + 7], 22, -45705983), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 8], 7, 1770035416), l, v, n[t + 9], 12, -1958414417), g, l, n[t + 10], 17, -42063), s, g, n[t + 11], 22, -1990404162), v = o(v, s = o(s, g = o(g, l, v, s, n[t + 12], 7, 1804603682), l, v, n[t + 13], 12, -40341101), g, l, n[t + 14], 17, -1502002290), s, g, n[t + 15], 22, 1236535329), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 1], 5, -165796510), l, v, n[t + 6], 9, -1069501632), g, l, n[t + 11], 14, 643717713), s, g, n[t], 20, -373897302), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 5], 5, -701558691), l, v, n[t + 10], 9, 38016083), g, l, n[t + 15], 14, -660478335), s, g, n[t + 4], 20, -405537848), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 9], 5, 568446438), l, v, n[t + 14], 9, -1019803690), g, l, n[t + 3], 14, -187363961), s, g, n[t + 8], 20, 1163531501), v = c(v, s = c(s, g = c(g, l, v, s, n[t + 13], 5, -1444681467), l, v, n[t + 2], 9, -51403784), g, l, n[t + 7], 14, 1735328473), s, g, n[t + 12], 20, -1926607734), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 5], 4, -378558), l, v, n[t + 8], 11, -2022574463), g, l, n[t + 11], 16, 1839030562), s, g, n[t + 14], 23, -35309556), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 1], 4, -1530992060), l, v, n[t + 4], 11, 1272893353), g, l, n[t + 7], 16, -155497632), s, g, n[t + 10], 23, -1094730640), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 13], 4, 681279174), l, v, n[t], 11, -358537222), g, l, n[t + 3], 16, -722521979), s, g, n[t + 6], 23, 76029189), v = f(v, s = f(s, g = f(g, l, v, s, n[t + 9], 4, -640364487), l, v, n[t + 12], 11, -421815835), g, l, n[t + 15], 16, 530742520), s, g, n[t + 2], 23, -995338651), v = i(v, s = i(s, g = i(g, l, v, s, n[t], 6, -198630844), l, v, n[t + 7], 10, 1126891415), g, l, n[t + 14], 15, -1416354905), s, g, n[t + 5], 21, -57434055), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 12], 6, 1700485571), l, v, n[t + 3], 10, -1894986606), g, l, n[t + 10], 15, -1051523), s, g, n[t + 1], 21, -2054922799), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 8], 6, 1873313359), l, v, n[t + 15], 10, -30611744), g, l, n[t + 6], 15, -1560198380), s, g, n[t + 13], 21, 1309151649), v = i(v, s = i(s, g = i(g, l, v, s, n[t + 4], 6, -145523070), l, v, n[t + 11], 10, -1120210379), g, l, n[t + 2], 15, 718787259), s, g, n[t + 9], 21, -343485551), g = e(g, u), l = e(l, a), v = e(v, h), s = e(s, d) return [g, l, v, s] } function h(n) { var r, t = "" for (r = 0; r < 32 * n.length; r += 8) t += String.fromCharCode(n[r >> 5] >>> r % 32 & 255) return t } function d(n) { var r, t = [] for (t[(n.length >> 2) - 1] = void 0, r = 0; r < t.length; r += 1) t[r] = 0 for (r = 0; r < 8 * n.length; r += 8) t[r >> 5] |= (255 & n.charCodeAt(r / 8)) << r % 32 return t } function g(n) { var r, t, e = "" for (t = 0; t < n.length; t += 1) r = n.charCodeAt(t), e += "0123456789abcdef".charAt(r >>> 4 & 15) + "0123456789abcdef".charAt(15 & r) return e } function l(n) { return unescape(encodeURIComponent(n)) } function v(n) { return function(n) { return h(a(d(n), 8 * n.length)) }(l(n)) } function s(n, r) { return function(n, r) { var t, e, u = d(n), o = [], c = [] for (o[15] = c[15] = void 0, u.length > 16 && (u = a(u, 8 * n.length)), t = 0; t < 16; t += 1) o[t] = 909522486 ^ u[t], c[t] = 1549556828 ^ u[t] return e = a(o.concat(d(r)), 512 + 8 * r.length), h(a(c.concat(e), 640)) }(l(n), l(r)) } t.exports = function(n, r, t) { return r ? t ? s(r, n) : function(n, r) { return g(s(n, r)) }(r, n) : t ? v(n) : function(n) { return g(v(n)) }(n) }})
注释了一个use strict,意思是严格使用,再看define("3rd/md5/md5.js"那就是严格使用md5加密
然后打开一个在线md5工具,输入之前输入的密码测试一下:
image
image
发现是一致的,那就是使用了简单的md5加密,这个案列再次证明:越大的网站他的密码加密越规范,他们的安全验证在于其他身份验证(二维码、短信、邮件),而网站传输请求加密的目的还是在于防止数据被拦截之后泄密。
用Python实现
import hashlibdef USE_MD5(test): if not isinstance(test, bytes): test = bytes(test, 'utf-8') m = hashlib.md5() m.update(test) return m.hexdigest()USE_MD5('666666')Out[9]: 'f379eaf3c831b04de153469d1bec345e'
ID:Python之战
|作|者|公(zhong)号:python之战
专注Python,专注于网络爬虫、RPA的学习-践行-总结
喜欢研究和分享技术瓶颈,欢迎关注
独学而无友,则孤陋而寡闻!
