网址:aHR0cHM6Ly93d3cuaXFpeWkuY29tLw==
一、整体流程分析
爱qiyi整个登录滑块流程主要分五步:
1、访问dfp_pcw/sign拿到dfp参数
2、访问login.action拿到token参数
3、访问sbox_init_key拿到sig,sid,sr参数
4、访问verifycenter/initpage拿到滑块相关数据(包括图片的地址以及还原图片的数组)
5、访问verifycenter/verify,然后"msg":"成功"即通过滑块
二、根据每个包需要的参数逐个跟栈
1、dfp_pcw/sign链接,加密参数为dim和sig,主要加密方式分别为RSA和HmacSHA1,这里面会涉及到一些环境值,其他的都固定即可,有两个值是从cookie拿的,都随机一下就行,主要代码如下:
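/**
 * Builds the `dim` and `sig` parameters that the write-up sends to the
 * dfp_pcw/sign endpoint.
 *
 * `dim` is the encoded browser-environment JSON and `sig` is an upper-cased
 * HMAC over `dim + "PCWEB" + "1.0"`. The helpers guid(), generateQC005(),
 * n(), o() and HmacSHA1_Encrypt() are defined outside this listing.
 *
 * Review note: the HMAC key is a constant embedded in client-side script, so
 * anyone who can read the script can compute `sig`. A server receiving this
 * pair should not treat a valid `sig` as proof that the environment values
 * came from a real browser.
 *
 * @returns {Array} Two-element array `[dim, sig]`.
 */
function get_data() {
  // Per the write-up these two values normally come from cookies and are
  // replaced with random ones here. Declared locally so they no longer leak
  // as implicit globals (which also throws in strict mode / ES modules).
  const guid1 = guid();
  const generateQC0051 = generateQC005();

  // Environment description with every field fixed except "mi" and "jg".
  const t = '{"jn":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36","cm":"zh-CN","gu":24,"uf":1.25,"jr":[1536,864],"di":[1536,824],"zp":-480,"uh":1,"sh":1,"he":1,"zo":1,"rv":"unknown","nx":"Win32","iw":"unknown","qm":["PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf"],"fk":false,"rg":false,"xy":false,"jm":false,"ba":false,"tm":[0,false,false],"hl":false,"ht":"","au":true,"mi":"' + guid1 + '","cl":"PCWEB","sv":"1.0","jg":"' + generateQC0051 + '","ifm":[false,null,null,null],"ex":"","dv":"off"}';

  // The original note labels this step "base64"; the surrounding text also
  // mentions RSA. n() and o() are not shown, so the exact transform is
  // unconfirmed here.
  const dim = n(o(t));

  // Signed message: encoded payload followed by the platform and version tags.
  const word = "" + dim + "PCWEB" + "1.0";
  const sig = HmacSHA1_Encrypt(word, 'eade56028e252b77f7a0b8792e58b9cc').toUpperCase();

  return [dim, sig];
}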
2、携带dfp访问login.action链接,加密参数为pwd,加密方式为RSA,网上也有很多博客是讲这个站的pwd的,所以略过
3、sbox_init_key链接,加密参数为secure,加密方式为RSA+SHA256,这个RSA我扣的办法是导出关键函数,加密位置如下
注意,这里会用到两个随机字符串(f 和 s),我当时找了半天才找到,下面是它们的生成方式(这两个字符串是后面生成aeskey和hmackey的关键):
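/**
 * Returns a string of `e` characters drawn from A-Z, a-z and 0-9.
 *
 * The characters come from a linear congruential generator
 * (state = (9301 * state + 49297) % 233280) seeded with the current time plus
 * a small Math.random() offset.
 *
 * Review note: this generator is not cryptographically secure. Its state
 * space is only 233280 values and the seed is derived from the clock, so the
 * output is guessable. The surrounding text says the resulting strings feed
 * the AES/HMAC key derivation; key material should come from a CSPRNG
 * (e.g. crypto.getRandomValues) instead.
 *
 * @param {number} e - Number of characters to produce.
 * @returns {string} Random-looking string of length `e` ("" when e <= 0).
 */
function getRandom(e) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  const size = alphabet.length;

  // Generator state is local; the original assigned it to an implicit global,
  // which throws in strict mode and leaks state between calls otherwise.
  let state = new Date().getTime() + Math.ceil(10 * Math.random() * size);

  let out = "";
  for (let i = 0; i < e; i++) {
    state = (9301 * state + 49297) % 233280;
    // ceil(...) - 1 maps the state into 0..size-1; a state of 0 would give -1,
    // so the index is clamped at 0.
    const idx = Math.ceil((state / 233280) * size) - 1;
    out += alphabet[idx < 0 ? 0 : idx];
  }
  return out;
}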
// Two random strings (32 and 64 characters). Per the surrounding text they are
// the inputs from which aeskey and hmackey are later derived; that derivation
// is not shown in this listing.
// NOTE(review): the prose calls these "f and s" while this snippet assigns
// f and c — confirm which names the derivation code actually reads.
// NOTE(review): getRandom is a clock-seeded LCG, so these values are
// predictable for something used as key material.
f = getRandom(32);
c = getRandom(64);
4、访问initpage链接,这里的加密参数是 cryptSrcData和cryptVersion ,这里的加密会涉及到上面提到的aeskey和hmackey,加密位置如下:
cryptSrcData生成方式如下:
// Assembles cryptSrcData for the verifycenter/initpage request: a JSON payload
// passed through AES_Encrypt, then joined with "|" to the output of
// HmacSHA256_Encrypt over that encrypted string.
// dfp, phone, time_, token, data, aeskey, hmackey and both helper functions
// are defined outside this listing.

// Account/device context, embedded below as a JSON string.
extend = {
"dfp":dfp,
"ptid":"01010021010000000000",
"agentType":"1",
// Value elided by the author.
"deviceId":"....",
"cellphoneNumber":phone,
"areaCode":"86"
}
// Plaintext payload that gets encrypted.
var ee = {
"t": time_,
"token": token,
"width": 290,
"height": 170,
"clientVersion": 1,
"riskData": JSON.stringify(data), // mouse-movement trace data; the original note says an approximated trace is supplied here
"dfp": dfp,
"extend": JSON.stringify(extend)
};
// NOTE(review): the constant third argument looks like a fixed IV — confirm
// against AES_Encrypt. If so, every message under one key reuses the same IV,
// which weakens confidentiality; the cipher mode is not visible here.
var e = AES_Encrypt(JSON.stringify(ee),aeskey,"qwertyuiopasdfgh");
// The tag is computed over the encrypted string rather than the plaintext, so
// a receiver can check integrity before attempting decryption.
var cryptSrcData = e + "|" + HmacSHA256_Encrypt(e, hmackey);
cryptVersion生成方式如下:
// Version tag sent next to cryptSrcData: a fixed prefix followed by the sid
// value returned by sbox_init_key (sid is defined outside this listing).
cryptVersion = `web|20180418xkdewxe3dkxu9|${sid}`;
5、拿到滑块数据后,发现图片是乱序的,还得根据所返回的数组进行还原,还原主要思路如下:
至于这个pic_list是怎么来的,打个canvas断点去看下网站是怎么做的就知道了
三、请求验证
注:verifycenter/verify链接所需要的参数和initpage链接的基本一样,只是轨迹那里需要变化,就不多说啦。这个站的轨迹检测还是比较严格的。收工,拜拜!