百度登陆POST参数分析,password及其他字段的js处理
首先F12填个登陆信息,抓个包看看有些什么收获;在发出post之前后台Ajax加了了两个数据,如下
1.返回as、ts、tk三个字段
jsonpCallbackb770({code: 0, data: {tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…}})
code:0
data:{tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…}
as:"6e8eb328"
ds:"JcXUIDsjOM2GBUMUbkaht+BXxcoiU2xXWpyUkjTvVI+fDmy6BUpiKtfN7q/Uq6spgnEn+Fd1zi8hou5pdCKGk8egB6+Yj2lIYBXkN6clSmAmGdq6O9zhbmmJWOOxG+IBx5x6QoOYc1pnjLoCj7r9AtocQnLCZXVhgMLvJH7hGhCK6IbDjHPXLoRAKq5/EPUW62yelMz/cR4D7C4qU8eG3pIuUfaMPe1arjVYbljSgLB7/rF8ENlXLszMrD1TYFwQo6PjYW0fPJQ7mwcCVc+MRd2uriUv6Va7/MxcuAH3nosGW5I52GmnLCxEp7AA5lx1cPpq6Asvo1iq+oqQPpSqxAhtGIU3ilnjM/JfAzpxUGR3lvBKbsN0GHDBUzFgk3aSLtpTObD0Rtip21qYL6auGMd9VE4wWNa9ND1uolHIA/mvT90g/nMLTLV3TjaIe51Y7LrdONmVp2j+1ZW78fUPYFDv+bn4gYN7/YIoMpFQOnA4KJ5BY944uU+CEFQHWG1Oz5/Jgf0XRWVp6p54hSfr6Qdu60k3eFvRMaaZ+6ODmImX0tSY8zu5AmPxNtspOmvdsfUDUetaQ/8eOKIoiLLZMiLuFPGqpyKjs+DVJDHSfteJBmYuz2xqgBOWyGw8ldkO0Hb+M30zkg9ELVv1eH6HMdDBlAm8WFcPdrHcIGWnTCcQJJnCqIy7OF1chuweDhPmZgfD98YtIykgekTjA8mPIvm1TDXOT4ExMAGGamSm9eijlMrlT8M3YSJsjHmbzj+HonQfFvdCQQ6oIdmG1jQmpnAaeznXcQy//rM/ngQZFIJavel866B6UdnjAydX2GdEOssPQndGJH8gRcCJIDtyoES874rdoArPj/CFge3qwxZ6A+/Uss6Jm8QuP6D0FUFYv9JgAi6/fkeblNoL73VI2TryHA8QYe2CQX4jhlKm7a4TzCkPF1vVKXEL66UDSrjRVvFN+gvSRpSiMQACXmQOaLjAMUkjjwL8jfck3ce/u7xqLX7Edib6P9wNpY9UYiYOee/YCel6txobviQuL2sLtWUaKfG/U1WfKcd+sLgg061aitdnrYhVe3fJbIq/vovTiEPqaGokkI9iPFmtnQJ7OsNY32FpUGmb4IzRf97sag38bTa7eWrOa2j+q6mdJGc1/0q2jGFf8q+q1lfkW4vuFoABeFk53R1oElccevowZkgnKZYAkxw6jxWm/D5U/5SY6kiqSL2SVDrGVXEC8c7myK6uW4bLY6CZ0e2XO0wd670qwbOIt1XSfcMdLCjzSYV31YIF8gWMKch9NNXGfP7vcfb9gE3g6lubE9VMi8PcGKkgM7qMKbPyDxrH7Ki7XrOhRs58PNzgjkHyoOY+iZi7ZDt8Q+npR4RqsDEEb0T+Ms+u80HjdcdN9KA647RozqgKQ+Gl/q4m3/9Kr8KTnhQfgQ=="
tk:"8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58="
发出这个get请求需要携带的参数如下:
ak:1e3f2dd1c81f2075171a547893391274
as:6e8eb328
fs:fpypRBX8u9Np5BnKjpqxf8CDddYtri+t5vKBcCCtAuzEnvE+/o7x5ophYGMSNDLgsErrSHaRFaok3Ye4AhC8h9dvmgTCFfk2WulgJZopGLPPFpPUh6HJs4YOMVnVXhjjbhh2KC+0VWSkp/PEDmao8HlDc41hB5JSxjDwNkeaKXaOajhrBtlqMJ57Ytl4uQQhA1RezD68R1adokZdMtbcsSIG7LjgzmIHiZeQo6sALoXGLi19qvfqzc6SgDR7Rm28232iKBdva523ot7jcfVZjn4yzqrZvnvr+qexQ9JDKFdh1dkQHz4PsJim27H5xju88ErsfCU73u6Tg2M5E3hPHglsMju53egtzTH1n4oJj7i5Um5S1qbQfrpC9cHpIuCppbj6/bH3i70yiENWjEfMMRhIS74RnGRJFnXyITcErq43gT4yWh0NpOu5bhbxDDzQoAG7iYGa6qOW6f0imjz/3g3vN1n31cc6ETXBwP2X5FdHC7kvDomFDBEgLfeM+7Ie43Pcn9u/embMXhSmB8sjmMrcqhKUn/vSZf4l27Y3QwQCaYt3DwKJCz+H1O3yA+Jzheb1lkGjtXU/T2NyTb+uARntkCxe/FUI3/RDe5PocbWYKKO9MCdTGjyRpUA/BiRuwfDA7dt4LoY0Zf4c3MbMkZh0OEKuMYza7Ul9qKwIjoQLmKRByFHuoco0EUlzT1pJNtTofZ+oW18ZgZw9hrH36lmTsjJ0ZZ+l++XWcKgWKrVLt8l8H96w/hB1HiFzPpngL2TR00W6somXXtOrFJy99m3JOS78yDnNhyOKlXwwwSHeTm2fwGRx2nzurUUaZV18ecXVzvtJTkzmHoMLyUUtJvxEcAfKJiQxkkhs0XjvIRPjLj3ze/tXDCyeuWbm1Tfx7Wbjovp0NvZ+SiZ+ys8GhnvxYnB18JeTh4QCporODhXTLlXQxElQVRvZSaVcryoYnRXuMoqMKKaWo7R6fS2Elv+4M6BuFz7CPj6ENxTWl9C9N4y9+pbHOCIWepy5n2SQSieEzhLdCfzC0IUY6YHmwuEi48HI50RjQNsJcPtaDXlOURR7z5ybEPphYiKCTlPi53bCupmfx+XZXHu/JdEpQqtomznwo857DYjorpkL5wKNuw9GBzOCqUUe2cvmDKhdplav//YBZCtWkH2v/AIAVzrqzLH8RGFIB2Wie7xj9bN+HfIASPfwrH+I/nxih9xMFd340Q7z/WwUDBkUDvhOFSaJm6Bv8scS2Y1hNPJEv1tJ0FIEZS75J0fS9AF7fx/sKEv+e/itlfDuHfXNxYmMbcHziPOR90fo1S6spyXuqGsi0QkVnUSc5tKLaCxWYTGJDiJBk10UIhdgtjxOC7RhRebFiTsiAESL7f8to2zy42oEga5dJBbAVFLNUSKK+uMfM9Wu4DD+JJXHcY+86l03+w==
callback:jsonpCallbackb770
v:6633
也就是说我们需要分析出ak、as、fs、v、callback这几个字段的来源
2.返回key、pubkey
errno:"0"
key:"oqeFiMtTJkyE7rhXq04bEE0xjX3sR09A"
msg:""
pubkey:"-----BEGIN PUBLIC KEY-----↵MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNnGNrfFkygOeBatSz8A2bDyIG↵i0DonH36pzjQF10gnI/1flW+Q521/Y+KRUeNZhSS66sscyQkIFwcAgo0dWADX4oS↵B3EfP+l6xoOyu6Xvfq3S7c5xq75Y9g4sDXBDm55We30ca7hHRXvKaZKU9smj/RSd↵BR7UIfFoBFYnIRCEvQIDAQAB↵-----END PUBLIC KEY-----↵"
traceid:""
要得到这两个参数看请求携带了什么东西
token:cfde53efbe26bdef8ad3b2147eb10417
tpl:mn
apiver:v3
tt:1546826783617
gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
loginversion:v4
traceid:
callback:bd__cbs__8sabl9
需要的字段还挺多看样子有点棘手.
再看post请求所需的参数
staticpage:https://www.baidu.com/cache/user/html/v3Jump.html
charset:UTF-8
token:cfde53efbe26bdef8ad3b2147eb10417
tpl:mn
subpro:
apiver:v3
tt:1546826812217
codestring:
safeflg:0
u:https://www.baidu.com/s?ie=utf8&oe=utf8&wd=%E7%99%BE%E5%AE%B6%E5%8F%B7&tn=98012088_6_dg&ch=9
isPhone:false
detect:1
gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
quick_user:0
logintype:dialogLogin
logLoginType:pc_loginDialog
idc:
loginmerge:true
splogin:rate
username:18328496803
password:fQ99xuV0uzmnEciyYZYOUYHWIJhh6ttVYy3IkwWfhdgnCaQNCMUVgbr42SKSqOF7evv27tHdHK0SLHQfoodNDVg4g7skCR8qKMX1LYCwXcxxwhqwnabbxT5kie4T/uyygdF26qoizpNZKzTsFM3Uq3z2lsUlwp4vKvBOFoeK3tQ=
mem_pass:on
rsakey:oqeFiMtTJkyE7rhXq04bEE0xjX3sR09A
crypttype:12
ppui_logintime:40718
countrycode:
fp_uid:
fp_info:
loginversion:v4
ds:wfHjARADdpfQhbI+jByC0wNU1p6S2oHEJEmVtSteNLIkXjTbCf6QEAcrj/g+J5WBB1P9WF+yrXZ0BeNi95/F50mSj7s6GvbQd9FPVT10CpVr/aaDtTxJI6rKhv0FgeWIzvedO0D14y6g5mZROSJU8f1kDyQywaFzmbgQWq9KUMk4sumxxnjtx+qmYDsVfv4tmuwVkjWzp8nds1OYyAcnbZ8HIV2qqhqVGRsuTdLJIWMPAq2AwUQMfbhh+s4isjP1Itt/jtOr2HmHp5xA7j5U1pzehy/cUBsoHfNpPuNPVBhOaSnEKalOGUO4tsOF4SWW/u2Xxh3NhT4o8rB7N8Nwf0Fo/zw79e6fWdIQW6c6HQUA4jxHuNRq+xrfFfR+JriP+K2B0LzayO5Ejca/r5JELarFUoCFPv5N+rcdtoOsD3Vi8CmlHHaclQtldXIx/LirlDZ/0nbcYQjcSTE6J8xHPaEJCY9DvLoQymMkzY7S5nnogaiKz+y9CIKph8ux8JaZLoQrjEJ9sKCvZRwFdT3oh/nz6uoxSOl8C1cLnJa+cTTKCen6qicaBjXyajIues99nxZs1hDk2e3TbPrD/oZwlmTq7MA7ZLXVgU4xije9TsyZR6gDEp/lZXAP40gCE/eJUDZe8IcDFU9tSSV27k1PhGFtyfq6ckIezNA6xseQH4rboWX4r1w58HMvOSJDFkU22DIr1Q1CAQ791PyMgf8YnvELL4cMmw/AiVJgcMJtBmmevJTbjTjbsJJi6s1LPcQor01O8L9rs0Eb7pQ7s2PrI0LydgWGiCV21G5otjfjAm98SDEVmyHrFxTM7cy0nHSUw1jfYWlQaZvgjNF/3uxqDfxtNrt5as5raP6rqZ0kZzX/SraMYV/yr6rWV+Rbi+4WgAF4WTndHWgSVxx6+jBmSMue96V5BmUQQ7JISSrD1yjqSKpIvZJUOsZVcQLxzubIrq5bhstjoJnR7Zc7TB3rvSrBs4i3VdJ9wx0sKPNJhXfVggXyBYwpyH001cZ8/u9x9v2ATeDqW5sT1UyLw9wYqSAzuowps/IPGsfsqLtes6FGznw83OCOQfKg5j6JmLtkO3xD6elHhGqwMQRvRP4yz67zQeN1x030oDrjtGjOqApD4aX+ribf/0qvwpOeFB+B
tk:8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=
dv:[email protected]4Gb0lGUwlCG6bSzwyFmlXsbBys2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0jsAHjJk0lsNll7o8hABS54HUJGUhAHodXsowJtrobt~SetY4ZsA4zsA8dsAqy7kqZn0oD8UvhAnwJHo64Gb0lGUwlCG6bSzwyFmlX6kBUs2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0Us1QzJq__tl0lesAqbsmlb6AQZ6kpjDmXdDA4y7ksUD5lU6bQb72l~DkqZsA0U7k0lDkqz7o8hABS54HUJGUhAHodXsowJFYwyOGlx61HZsbql7kscskCc72l_-hhIyhBA4VsthBlIs5lXsmlXsq__ClvSrZl714y6AqbDABl61HUDk4bs1BbsAHj61Qy61t~sABy6l__ilEImXUOY83FY3RFE4_ul0eh61HZsABysmlXDAqb7k0xsbHZsABysmlXskQl7k0cs1qZsABysmlc6bt_
traceid:44622A01
callback:parent.bd__pcbs__jf1wx1
上面标红的就是我们要重点关照的字段
然后搜索token的值,发现在一个js文件里面,然后提取js文件url出来分析
URL
https://passport.baidu.com/v2/api/?
getapi&tpl=mn&apiver=v3&
tt=1546834671350
&class=login&
gid=E7C72FB-C518-4030-BB7E-555DD8046BE6
&loginversion=v4
&logintype=dialogLogin&traceid=&
callback=bd__cbs__600yh6:formatted
```
多次测试结果情况就是这个get请求返回的结果之和gid相关,其他参数都可以使用固定值,即使不懈怠tt、callback参数也能返回正常的token并且,不懈怠callback参数请求返回的是标准json格式。
看一下git生成
搜索一下gid=的生成找到下面一段代码
```
o.on("hide", function() {
var o = document.location.protocol.toLowerCase()
, e = n.guideRandom ? n.guideRandom : "";
if ("http:" == o)
var t = "http://nsclick.baidu.com/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();
else if ("https:" == o)
var t = "https://passport.baidu.com/img/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();
```
gid = e= n.guideRandom ? n.guideRandom : "",顺藤摸瓜找到生成gid的js
```
this.guideRandom = function() {
return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {
var t = 16 * Math.random() | 0
, n = "x" === e ? t : 3 & t | 8;
return n.toString(16)
}).toUpperCase()
}(),那就应该是这样的了
```
callback
这个参数和返回来的相应文件开头相同,猜想应该是可以自定义的,可以用固定值,不过还是看看他的来源;多请求几次发现固定部分是parent.bd__pcbs__,然后全局搜索相关找到两条js
```
var l = r.timeOut || 0
, d = !1
, u = c.getUniqueId("bd__pcbs__");
e.getUniqueId = function(e) {
return e + Math.floor(2147483648 * Math.random()).toString(36)
}
```
可见核心代码:e + Math.floor(2147483648 * Math.random()).toString(36)
接着看tt
tt参数是时间戳*1000取前13位
gid
请求token的gid和post请求的gid是同一个,可以生成,也可以使用一个固定值
password
重点的加密字段,查找对应来源js代码如下
```
o.password = baidu.url.escapeSymbol(e.RSA.encrypt(a)
```
很明显是RSA 加密,pubkey是在发送post请求之前的一个get请求而来,进一步简化这个get请求,只需要携带gid、token就可以返回pubkey
https://passport.baidu.com/v2/getpublickey?token=cfde53efbe26bdef8ad3b2147eb10417&gid=EE2ED1E-E4A5-4ABC-9E13-9972E89AE472
针对password可以直接使用Python实现RSA加密,然后使用Base64编码结果,对于完整的js实现留在第二篇分析
rsa
rsa是请求pubkey一同返回的key字段
tk、ds
文章开头的一个get请求返回的数据
dv
一长串字符看样子有点难度,尚不知道这个参数的作用,那么有三种解决方案,复制一个固定值、留空白值、**生成函数,不到最后是不愿意去找js的。下面看看这个参数生成的js出处
```
var a = document.getElementById("dv_Input")
, c = {
gid: n.guideRandom || "",
username: n._SBCtoDBC(i.value),
countrycode: s,
bdstoken: n.bdPsWtoken,
tpl: n.config.product ? n.config.product : "",
vcodestr: n.getElement("smsHiddenFields_smsVcodestr").value,
vcodesign: n.getElement("smsHiddenFields_smsVcodesign").value,
verifycode: n._SBCtoDBC(n.getElement("confirmVerifyCode").value),
flag_code: n.config.voice_sms_flag,
dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""
}
```
dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""
调试时在打开页面的同时就生成了这个值,那么可以考虑是一个固定值或者使用固定值,还不确定需要在看看js
function d(e) {
M && (x = e.token + "@" + S(e, e.token),
(1 & F.SendMethod) > 0 && c(x))
}
function c(n) {
var r = t.getElementById("dv_Input");
r && (r.value = n),
e.LG_DV_ARG.dvjsInput = n
}
在c函数上面找到d函数,看样子应该八九不离十了,在调试一下看什么情况,继续查找S函数
```
function S(e, t) {
var r = new n(t)
, o = {
flashInfo: 0,
mouseDown: 1,
keyDown: 2,
mouseMove: 3,
version: 4,
loadTime: 5,
browserInfo: 6,
token: 7,
location: 8,
screenInfo: 9
}
, a = [r.iary([2])];
for (var i in e) {
var d = e[i];
if (void 0 !== d && void 0 !== o[i]) {
var c;
"number" == typeof d ? (c = d >= 0 ? 1 : 2,
d = r.int(d)) : "boolean" == typeof d ? (c = 3,
d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,
d = r.bary(d)) : (c = 0,
d = r.str(d + "")),
d && a.push(r.iary([o[i], c, d.length]) + d)
}
}
return a.join("")
}
```
未完待续······
------------------------------
ID:Python之战
|作|者|公(zhong)号:python之战
专注Python,专注于网络爬虫、RPA的学习-践行-总结
喜欢研究和分享技术瓶颈,欢迎关注
独学而无友,则孤陋而寡闻!
---------------------------