
阿里系鉴权

作者:江月迟迟
发表于:2024-12-10

由加密模式可知,acw_sc__v2 是鉴权时加载的 cookie。cookie 存储在我们本地浏览器中,生成它的逻辑也在前端脚本里,所以能够去猜测、逆向,然后通过外部脚本获得访问网站的权限,这样访问这个网站就畅通无阻了。

js
// Challenge value embedded in the served page (first capture in this write-up).
var arg1 = '28DDC52B595EDD511EF0165F2217D1140B54CC38';
/**
 * Write a cookie from page script.
 *
 * The cookie gets a one-hour lifetime (both `expires` and `max-age=3600`)
 * and `path=/`. No Secure or SameSite attribute is set here, and a cookie
 * written through document.cookie cannot be HttpOnly, so any script running
 * on the page can read it back.
 *
 * @param {string} name  Cookie name.
 * @param {string} value Cookie value; concatenated as-is, without encoding.
 */
function setCookie(name, value) {
    var expiredate = new Date();
    // Expiry timestamp = now + 3600 * 1000 ms (one hour).
    expiredate.setTime(expiredate.getTime() + (3600 * 1000));
    document.cookie = name + "=" + value + ";expires=" + expiredate.toGMTString() + ";max-age=3600;path=/";
}
/**
 * Store x as the acw_sc__v2 cookie, then reload the document.
 *
 * @param {string} x Value to store in acw_sc__v2.
 */
function reload(x) {
    setCookie("acw_sc__v2", x);
    document.location.reload();
}

看到acw_sc__v2,值是x,去找x,在reload函数被传入,去找在哪里调用了reload函数

js
reload(arg2)

reload 传入的是 arg2,去看 arg2 到底是啥

再往下,这一次鉴权请求就结束了。记录了cookie,然后重新进行访问

image-20240228193242712

第二次

js
// Challenge value from the second capture; it differs from the first capture's arg1.
var arg1 = '83693F892211825E38F29CEF2A0BDFEA0B5547F8';
/**
 * Write a cookie from page script with a one-hour lifetime and `path=/`.
 * The value is concatenated as-is; no Secure/SameSite attribute is set.
 *
 * @param {string} name  Cookie name.
 * @param {string} value Cookie value.
 */
function setCookie(name, value) {
    var expiredate = new Date();
    // Expiry timestamp = now + one hour in milliseconds.
    expiredate.setTime(expiredate.getTime() + (3600 * 1000));
    document.cookie = name + "=" + value + ";expires=" + expiredate.toGMTString() + ";max-age=3600;path=/";
}
/**
 * Store x as the acw_sc__v2 cookie, then reload the document.
 *
 * @param {string} x Value to store in acw_sc__v2.
 */
function reload(x) {
    setCookie("acw_sc__v2", x);
    document.location.reload();
}

打开了查找工具,搜索arg2,有这些结果:

js
var _0x23a392 = arg1[_0x55f3('0x19', '\x50\x67\x35\x34')]();
arg2 = _0x23a392[_0x55f3('0x1b', '\x7a\x35\x4f\x26')](_0x5e8b26);
setTimeout('\x72\x65\x6c\x6f\x61\x64\x28\x61\x72\x67\x32\x29', 0x2);};

_0x23a392是什么,_0x55f3('0x1b', '\x7a\x35\x4f\x26')是什么,_0x5e8b26是什么,

然后突然发现,我拷贝多了一个};也就是说拷贝的代码片段不全

js
// Challenge routine served with the page: derives arg2 from arg1 and passes it to reload().
// Property names quoted in the comments below are the decoded results this write-up
// reports for the _0x55f3(...) lookups, plus plain decodings of the \x.. escapes.
var l = function() {
    // Busy-loops for as long as either window property is truthy. The second key
    // decodes to '__phantomas'; the first goes through _0x55f3('0x1', ...) and is
    // not decoded on this page.
    // NOTE(review): presumably a check for automation tooling; confirm.
    while (window[_0x55f3('0x1', '\x58\x4d\x57\x5e')] || window['\x5f\x5f\x70\x68\x61\x6e\x74\x6f\x6d\x61\x73']) {}
    // Second operand of the XOR step; the write-up later prints it as the constant
    // "3000176000856006061501533003690027800375".
    ;var _0x5e8b26 = _0x55f3('0x3', '\x6a\x53\x31\x59');
    // String.prototype.hexXor(other): XOR two hex strings two digits (one byte) at a
    // time, stopping at the shorter one, and return the result as lowercase hex.
    String[_0x55f3('0x5', '\x6e\x5d\x66\x52')][_0x55f3('0x6', '\x50\x67\x35\x34')] = function(_0x4e08d8) {
        var _0x5a5d3b = '';
        for (var _0xe89588 = 0x0; _0xe89588 < this[_0x55f3('0x8', '\x29\x68\x52\x63')] && _0xe89588 < _0x4e08d8[_0x55f3('0xa', '\x6a\x45\x26\x5e')]; _0xe89588 += 0x2) {
            // slice(i, i + 2) of each operand, parsed base 16.
            var _0x401af1 = parseInt(this[_0x55f3('0xb', '\x56\x32\x4b\x45')](_0xe89588, _0xe89588 + 0x2), 0x10);
            var _0x105f59 = parseInt(_0x4e08d8[_0x55f3('0xd', '\x58\x4d\x57\x5e')](_0xe89588, _0xe89588 + 0x2), 0x10);
            var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3('0xf', '\x57\x31\x46\x45')](0x10);
            // Left-pad a single hex digit with '0' ('\x30') so every byte yields two characters.
            if (_0x189e2c[_0x55f3('0x11', '\x4d\x47\x72\x76')] == 0x1) {
                _0x189e2c = '\x30' + _0x189e2c;
            }
            _0x5a5d3b += _0x189e2c;
        }
        return _0x5a5d3b;
    }
    ;
    // String.prototype.unsbox(): reorder the characters of the string with a fixed
    // 40-entry table of 1-based source positions (output[j] = input[table[j] - 1]).
    String['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65'][_0x55f3('0x14', '\x5a\x2a\x44\x4d')] = function() {
        var _0x4b082b = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];
        var _0x4da0dc = [];
        var _0x12605e = '';
        for (var _0x20a7bf = 0x0; _0x20a7bf < this['\x6c\x65\x6e\x67\x74\x68']; _0x20a7bf++) {
            var _0x385ee3 = this[_0x20a7bf];
            // Find the output slot whose table entry names this 1-based input position.
            for (var _0x217721 = 0x0; _0x217721 < _0x4b082b[_0x55f3('0x16', '\x61\x48\x2a\x4e')]; _0x217721++) {
                if (_0x4b082b[_0x217721] == _0x20a7bf + 0x1) {
                    _0x4da0dc[_0x217721] = _0x385ee3;
                }
            }
        }
        // '\x6a\x6f\x69\x6e' is 'join'.
        _0x12605e = _0x4da0dc['\x6a\x6f\x69\x6e']('');
        return _0x12605e;
    }
    ;
    // arg1.unsbox(), then .hexXor(constant). arg2 is assigned without a declaration
    // in this snippet, so it is visible to the string evaluated below.
    var _0x23a392 = arg1[_0x55f3('0x19', '\x50\x67\x35\x34')]();
    arg2 = _0x23a392[_0x55f3('0x1b', '\x7a\x35\x4f\x26')](_0x5e8b26);
    // The string decodes to "reload(arg2)"; a string passed to setTimeout is
    // compiled and run like eval, here after a 2 ms delay.
    setTimeout('\x72\x65\x6c\x6f\x61\x64\x28\x61\x72\x67\x32\x29', 0x2);
};

image-20240228195403999

很奇怪,之前我去翻译的时候没搞出来,结果在这个页面就翻译出来了

image-20240228195457889

image-20240228195518015

_0x55f3显然是一个翻译函数,传入两个值,一个值是翻译位,一个值是翻译之前的字符,翻译出来的正常结果是hexXor

chatGPT

hexXor 可能指的是十六进制数的异或运算。异或运算是一种逻辑运算,当两个比特位相同时返回0,否则返回1。

在JavaScript中,可以使用按位异或运算符 ^ 来执行异或操作。这个操作符可以用于数值之间的异或运算,也可以用于十六进制数。

例如:

javascript
// Bitwise XOR of two small integers written as hex literals.
const a = 0xA; // decimal 10, binary 1010
const b = 0x5; // decimal 5, binary 0101

// 1010 ^ 0101 === 1111
const result = a ^ b;
console.log(result.toString(16)); // prints "f" (decimal 15)

在这个例子中,a 和 b 分别是 0xA(十进制 10)和 0x5(十进制 5),它们的异或运算结果是 0xF(十进制 15)。

因此,hexXor 可能是执行十六进制数异或运算的函数或方法的名称。

继续理顺逻辑,

javascript
 var _0x23a392 = arg1[_0x55f3('0x19', '\x50\x67\x35\x34')]();
    arg2 = _0x23a392[_0x55f3('0x1b', '\x7a\x35\x4f\x26')](_0x5e8b26);

_0x23a392是什么,_0x55f3('0x1b', '\x7a\x35\x4f\x26')是什么,_0x5e8b26是什么,

js
 var _0x23a392 = arg1[_0x55f3('0x19', '\x50\x67\x35\x34')]();
    arg2 = _0x23a392['hexXor'](_0x5e8b26);

同理,翻译_0x55f3('0x19', '\x50\x67\x35\x34') —> unsbox

js
 var _0x23a392 = arg1['unsbox']();
    arg2 = _0x23a392['hexXor'](_0x5e8b26);

这段代码的意义是:arg2通过_0x23a392对象的hexXor函数(传参 _0x5e8b26)生成,简单解释就是调用了一个对象内的函数

chatGPT

这行代码的逻辑是:

  1. arg1 是一个对象(在本文的场景里它其实是一个字符串,unsbox 是挂在 String.prototype 上的方法)。
  2. 在这个对象中,有一个属性名为 'unsbox'
  3. 通过 arg1['unsbox'] 这种形式,访问了对象 arg1 中名为 'unsbox' 的属性。
  4. 假设这个属性对应的值是一个函数,代码 arg1['unsbox']() 就是调用这个函数。
  5. 调用后,函数的返回值被赋值给变量 _0x23a392

换句话说,这行代码执行了一个对象属性方法的调用,并将结果保存在变量 _0x23a392 中。具体的行为取决于 'unsbox' 属性对应的函数在被调用时所执行的操作。

那么, _0x23a392是什么就不重要了,现在就是去找unsbox函数,和探究 _0x5e8b26是什么,

搜索_0x5e8b26,发现他是

js
var _0x5e8b26 = _0x55f3('0x3', '\x6a\x53\x31\x59');

浏览器帮我们计算了结果:

image-20240228201431738

实际上,作为一个变量,直接打印就好了

image-20240228201632722

由于它由混淆函数 _0x55f3 生成,而值又好像是写死的,猜想它是固定值(可以通过多次重复访问网站来检验)。

js
 var _0x23a392 = arg1['unsbox']();
    arg2 = _0x23a392['hexXor']("3000176000856006061501533003690027800375");

代码逻辑已然捋顺

chatGPT

是的,你可以将这两行代码合并为一行。合并后的代码如下:

javascript
var arg2 = arg1['unsbox']()['hexXor']("3000176000856006061501533003690027800375");

这样可以直接链式调用 arg1['unsbox']() 的结果,然后再调用该结果的 'hexXor' 方法。这种链式调用在 JavaScript 中是很常见的,可以使代码更简洁。

那我们直接简单调方法就好了。

js
arg1['unsbox']()
'55DF0E8722FE80CE28F1F82929AA3F89336BB415'

但这样有一个问题,我们想要不在浏览器控制台就能生成arg2,所以要把这个方法拿下来在本地调试。

访问arg1['unsbox']之后得到这个函数

js
			// Obfuscated original of String.prototype.unsbox, as returned by the browser.
			// '\x70\x72\x6f\x74\x6f\x74\x79\x70\x65' is 'prototype'; this write-up decodes
			// _0x55f3('0x14', ...) to 'unsbox' and _0x55f3('0x16', ...) to 'length'.
			String['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65'][_0x55f3('0x14', '\x5a\x2a\x44\x4d')] = function() {
                // Fixed table of 40 one-based source positions.
                var _0x4b082b = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];
                var _0x4da0dc = [];
                var _0x12605e = '';
                // '\x6c\x65\x6e\x67\x74\x68' is 'length': walk every character of the string.
                for (var _0x20a7bf = 0x0; _0x20a7bf < this['\x6c\x65\x6e\x67\x74\x68']; _0x20a7bf++) {
                    var _0x385ee3 = this[_0x20a7bf];
                    for (var _0x217721 = 0x0; _0x217721 < _0x4b082b[_0x55f3('0x16', '\x61\x48\x2a\x4e')]; _0x217721++) {
                        // Place the character in the slot whose table entry equals its 1-based position.
                        if (_0x4b082b[_0x217721] == _0x20a7bf + 0x1) {
                            _0x4da0dc[_0x217721] = _0x385ee3;
                        }
                    }
                }
                // '\x6a\x6f\x69\x6e' is 'join'.
                _0x12605e = _0x4da0dc['\x6a\x6f\x69\x6e']('');
                return _0x12605e;
            }
            ;

翻译一下:

js
            /**
             * De-obfuscated String.prototype.unsbox: a fixed permutation of the string.
             * Output character j is input character table[j] - 1, so a 40-character
             * input comes back as 40 characters in a different order.
             * Installing it on String.prototype makes it callable on every string.
             *
             * @returns {string} The reordered string.
             */
            String['prototype']["unsbox"] = function() {
                // 40 one-based source positions; the same table as in the obfuscated original.
                var _0x4b082b = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];
                var _0x4da0dc = [];
                var _0x12605e = '';
                for (var _0x20a7bf = 0x0; _0x20a7bf < this['length']; _0x20a7bf++) {
                    var _0x385ee3 = this[_0x20a7bf];
                    for (var _0x217721 = 0x0; _0x217721 < _0x4b082b['length']; _0x217721++) {
                        // Slot j receives the character whose 1-based position equals table[j].
                        if (_0x4b082b[_0x217721] == _0x20a7bf + 0x1) {
                            _0x4da0dc[_0x217721] = _0x385ee3;
                        }
                    }
                }
                // Slots that were never filled are joined as empty strings.
                _0x12605e = _0x4da0dc['join']('');
                return _0x12605e;
            }
            ;

这个函数的返回值是_0x12605e,其实不重要,我们不需要知道他是谁,我们也不用翻译,只需要在本地跑,获得返回值解决我们的问题就行。

得到:

image-20240228204044522

55DF0E8722FE80CE28F1F82929AA3F89336BB415

然后去找 hexXor 代码,同理:

js
            // Obfuscated original of String.prototype.hexXor. Per the translation in this
            // write-up, the _0x55f3 lookups resolve to: '0x5' 'prototype', '0x6' 'hexXor',
            // '0x8' and '0xa' 'length', '0xb' and '0xd' 'slice', '0xf' 'toString', '0x11' 'length'.
            String[_0x55f3('0x5', '\x6e\x5d\x66\x52')][_0x55f3('0x6', '\x50\x67\x35\x34')] = function(_0x4e08d8) {
                var _0x5a5d3b = '';
                // Step two hex digits at a time until the shorter operand is exhausted.
                for (var _0xe89588 = 0x0; _0xe89588 < this[_0x55f3('0x8', '\x29\x68\x52\x63')] && _0xe89588 < _0x4e08d8[_0x55f3('0xa', '\x6a\x45\x26\x5e')]; _0xe89588 += 0x2) {
                    var _0x401af1 = parseInt(this[_0x55f3('0xb', '\x56\x32\x4b\x45')](_0xe89588, _0xe89588 + 0x2), 0x10);
                    var _0x105f59 = parseInt(_0x4e08d8[_0x55f3('0xd', '\x58\x4d\x57\x5e')](_0xe89588, _0xe89588 + 0x2), 0x10);
                    var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3('0xf', '\x57\x31\x46\x45')](0x10);
                    // '\x30' is '0': pad a single hex digit to two characters.
                    if (_0x189e2c[_0x55f3('0x11', '\x4d\x47\x72\x76')] == 0x1) {
                        _0x189e2c = '\x30' + _0x189e2c;
                    }
                    _0x5a5d3b += _0x189e2c;
                }
                return _0x5a5d3b;
            }
            ;

懒得翻译,copy到本地运行

。。还是要翻译一下,_0x55f3 不在我这。。

js
            /**
             * De-obfuscated String.prototype.hexXor: XOR two hex strings byte by byte.
             * Both operands are read two hex digits at a time; processing stops at the
             * end of the shorter one. The result is lowercase hex, two digits per byte.
             *
             * @param {string} _0x4e08d8 Hex string to XOR against `this`.
             * @returns {string} Hex encoding of the XOR result.
             */
            String['prototype']['hexXor'] = function(_0x4e08d8) {
                var _0x5a5d3b = '';
                for (var _0xe89588 = 0x0; _0xe89588 < this['length'] && _0xe89588 < _0x4e08d8['length']; _0xe89588 += 0x2) {
                    var _0x401af1 = parseInt(this['slice'](_0xe89588, _0xe89588 + 0x2), 0x10);
                    var _0x105f59 = parseInt(_0x4e08d8['slice'](_0xe89588, _0xe89588 + 0x2), 0x10);
                    var _0x189e2c = (_0x401af1 ^ _0x105f59)['toString'](0x10);
                    if (_0x189e2c['length'] == 0x1) {
                        // Number 0 + string coerces to "0" + string, matching the original's '\x30' prefix.
                        _0x189e2c = 0 + _0x189e2c;
                    }
                    _0x5a5d3b += _0x189e2c;
                }
                return _0x5a5d3b;
            }
            ;

得到answer:65df19e7227be0c82ee4f97a19a9568914ebb760

验证一下:

image-20240228205059566

65df2c0b6031fd6b01b107f36d9ea73e91c90047

有可能是操作太慢了,重来一次

第三次

var arg1 = '35EA7D3E1E222C5AB96E31BFF013DB073B56D3D6';

得到结果65df2d53e1e5011df4c7d8bdf373323a9063be53

image-20240228205737637

65df2d53e1e5011df4c7d8bdf373323a9063be53

完全一致

至此,手写代码部分完成。之后可以使用爬虫工具爬取数据。这也说明:这类完全在前端计算出来的 cookie 校验只能提高自动化访问的门槛,不能当作真正的鉴权手段。

附录:使用的js代码片段

js
// Offline reproduction of the page's acw_sc__v2 derivation: a fixed character
// permutation (unsbox) followed by a byte-wise XOR with a constant hex string
// (hexXor). Both steps are deterministic and use only values shipped to the
// client, so the resulting cookie shows that the script was evaluated and
// nothing more.
var arg1 = '35EA7D3E1E222C5AB96E31BFF013DB073B56D3D6';

/**
 * Reorder the characters of the string with a fixed 40-entry table.
 * Entry j holds the 1-based input position that ends up at output index j.
 *
 * @returns {string} The permuted string.
 */
String.prototype.unsbox = function () {
    const order = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];
    // Positions past the end of the input contribute nothing to the output.
    return order
        .map((pos) => (pos - 1 < this.length ? this[pos - 1] : undefined))
        .join('');
};

/**
 * XOR this hex string with another one, two hex digits at a time, stopping at
 * the end of the shorter operand.
 *
 * @param {string} other Hex string to XOR against.
 * @returns {string} Lowercase hex, two digits per byte.
 */
String.prototype.hexXor = function (other) {
    const pieces = [];
    for (let i = 0; i < this.length && i < other.length; i += 2) {
        const left = parseInt(this.slice(i, i + 2), 16);
        const right = parseInt(other.slice(i, i + 2), 16);
        // padStart keeps every byte at two characters, e.g. 0x0a -> "0a".
        pieces.push((left ^ right).toString(16).padStart(2, '0'));
    }
    return pieces.join('');
};

console.log(arg1.unsbox().hexXor("3000176000856006061501533003690027800375"));