[JS reverse hundred examples] a public resource trading network, reverse analysis of announcement URL parameters

Statement

All contents in this article are for learning and communication only , The content of the package 、 Sensitive website 、 All data interfaces have been desensitized , It is strictly prohibited to use for commercial and illegal purposes , Otherwise, all the consequences have nothing to do with the author , If there is infringement , Please contact me to delete ！

Reverse target

• The goal is ： A public resource trading network
• Home page ：aHR0cDovL2dnenkuamNzLmdvdi5jbi93ZWJzaXRlL3RyYW5zYWN0aW9uL2luZGV4
• Interface ：aHR0cDovL2dnenkuamNzLmdvdi5jbi9wcm8tYXBpLWNvbnN0cnVjdGlvbi9jb25zdHJ1Y3Rpb24vYmlkZGVyL2JpZFNlY3Rpb24vbGlzdA==
• Inverse parameter ：URL In the link projectId、projectInfo Parameters

Reverse process

Caught analysis

Link to the website , You will find that the transfer circle first enters the website , There may be a process of rendering loading , Open the developer tool , Refresh web page , Slide down and you will see that the packet capture has reached the data return interface ：aHR0cDovL2dnenkuamNzLmdvdi5jbi9wcm8tYXBpLWNvbnN0cnVjdGlvbi9jb25zdHJ1Y3Rpb24vYmlkZGVyL2JpZFNlY3Rpb24vbGlzdA==,GET request , from preview In the response preview, you can see the information of all announcements on the current page ：

Query String Parameters Some parameter information in , The meaning of each type will be explained in detail later ：

• pageNum: What is the current page
• pageSize: Page size
• informationType: Type of announcement
• projectType: Project type
• informationName: Information types

Next, click on any announcement , Jump to a new page , You will find that the web link has changed into this format ：XXX/index?projectId=XXX&projectInfo=XXX, Generated projectId and projectInfo Two encryption parameters , And tested , The values of these two encryption parameters on the same announcement page are fixed , Next, we need to try to find the encryption location of these two parameters .

Debugging analysis positioning

From the home page location CTRL + SHIFT + F Global search projectId Parameters , We can find ,projectId and projectInfo The two encryption parameters are chunk-63628500.eb5f8d30.js In the definition of , Here's a trinomial operation , If the project type is the same, execute the following method , If different, execute later ：

In the above code line judgment ZFCG、GTGC What does that mean ,CTRL + SHIFT + F Global search ZBGG Parameters , stay chunk-043c03b8.34f6abab.js We can find the corresponding definition in the document , The following are their respective meanings ：

In the 267 That's ok ,return t.stop() Set a breakpoint for debugging and analysis , Click on any announcement , You will find that the breakpoint is broken , That is, successful positioning , Mouse over projectId and projectInfo On the corresponding value , You can know the following information ：

• projectId ： Item number
• projectInfo ： Information types

Know the specific meaning of the two encryption parameters , Next, we need to find the encryption location ,projectId and projectInfo Parameters from a.parameterTool.encryptJumpPage Method execution ,encryptJumpPage Jump page encryption ？ This is not simply express ：

We hover over a.parameterTool.encryptJumpPage On , Follow up to the method generated js file app.3275fd87.js Go and have a look ：

From the above, we can clearly know the specific meaning of the following two parameters ：

• query： Encrypt data （ projectId and projectInfo）
• nextPath： Route jump location

In the 2389 Line break points for debugging analysis , As can be seen from the figure below ,projectId and projectInfo Parameter in a Is encrypted in ：

Follow up on a The location of , Slide up and you can see No 2335 Row to 2356 OK, it's obvious DES encryption ：

But which function part is right query Medium projectId and projectInfo It is unknown that the parameters are encrypted , Let's continue to interrupt the debugging analysis , stay 2341 I found ,projectId The corresponding value of the parameter 424,projectInfo The corresponding value of the parameter ZBGG, All in function c(t) Processed in , Prove that this is the key encryption location ：

function c(t) {
    
    return i.a.DES.encrypt(t, o.keyHex, {
    
        iv: o.ivHex,
        mode: i.a.mode.CBC,
        padding: i.a.pad.Pkcs7
    }).ciphertext.toString()
}

Analyze this key encryption code ：

• iv：ivHex Hexadecimal initial vector
• mode： use CBC Encryption mode , It is a circular mode , Encrypt the ciphertext of the previous group and the plaintext of the current group after XOR operation
• padding： use Pkcs7 fill style , When filling, first obtain the byte length to be filled = Block length - （ Data length % Block length ）, In the filled byte sequence, all bytes are filled with the byte length value to be filled
• ciphertext.toString()： The encrypted ciphertext , Returns... As a hexadecimal string

Simulation execution

This is a direct reference to JS, Use nodejs The encryption module inside crypto-js To carry out DES encryption , Prompt which function is undefined during debugging , Just add the definition part , Rewritten integrity JS The code is as follows ：

var CryptoJS = require('crypto-js');

o = {
    
    keyHex: CryptoJS.enc.Utf8.parse(Object({
    
        NODE_ENV: "production",
        VUE_APP_BASE_API: "/pro-api",
        VUE_APP_CONSTRUCTION_API: "/pro-api-construction",
        VUE_APP_DEV_FILE_PREVIEW: "/lyjcdFileView/onlinePreview",
        VUE_APP_FILE_ALL_PATH: "http://www.lyjcd.cn:8089",
        VUE_APP_FILE_PREFIX: "/mygroup",
        VUE_APP_LAND_API: "/pro-api-land",
        VUE_APP_PREVIEW_PREFIX: "/lyjcdFileView",
        VUE_APP_PROCUREMENT_API: "/pro-api-procurement",
        VUE_APP_WINDOW_TITLE: "XXXXXX",
        BASE_URL: "/"
    }).VUE_APP_CUSTOM_KEY || "54367819"),
    ivHex: CryptoJS.enc.Utf8.parse(Object({
    
        NODE_ENV: "production",
        VUE_APP_BASE_API: "/pro-api",
        VUE_APP_CONSTRUCTION_API: "/pro-api-construction",
        VUE_APP_DEV_FILE_PREVIEW: "/lyjcdFileView/onlinePreview",
        VUE_APP_FILE_ALL_PATH: "http://www.lyjcd.cn:8089",
        VUE_APP_FILE_PREFIX: "/mygroup",
        VUE_APP_LAND_API: "/pro-api-land",
        VUE_APP_PREVIEW_PREFIX: "/lyjcdFileView",
        VUE_APP_PROCUREMENT_API: "/pro-api-procurement",
        VUE_APP_WINDOW_TITLE: "XXXXXX",
        BASE_URL: "/"
    }).VUE_APP_CUSTOM_IV || "54367819")
};

function c(t) {
    
    return CryptoJS.DES.encrypt(t, o.keyHex, {
    
        iv: o.ivHex,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.Pkcs7
    }).ciphertext.toString()
}

//  test 
// console.log(c('ZBGG'))
// ff15d186c4d5fa7a

VUE_APP_WINDOW_TITLE The content of the corresponding value is desensitized , After testing , It does not affect the result output

Complete code

GitHub Focus on K Brother reptile , Continue to share crawler related code ！ welcome star ！https://github.com/kgepachong/

The following shows only part of the key code , Can't run directly ！ Full code warehouse address ：https://github.com/kgepachong/crawler/

This case code ：https://github.com/kgepachong/crawler/tree/main/ggzy_jcs_gov_cn

# =======================
# --*-- coding: utf-8 --*--
# @Author :  WeChat official account ：K Brother reptile 
# @FileName: ggzy.py
# @Software: PyCharm
# =======================


import urllib.parse
import execjs
import requests


url = ' Desensitization treatment , Full code focus  https://github.com/kgepachong/crawler/'


def encrypted_project_id(id_enc):
    with open('ggzy_js.js', 'r', encoding='utf-8') as f:
        public_js = f.read()
        project_id = execjs.compile(public_js).call('Public', id_enc)
    return project_id


def encrypted_project_info(info_enc):
    with open('ggzy_js.js', 'r', encoding='utf-8') as f:
        public_js = f.read()
        project_info = execjs.compile(public_js).call('Public', info_enc)
    return project_info


def get_project_info(info_name, info_type):
    index_url = ' Desensitization treatment , Full code focus  https://github.com/kgepachong/crawler/'
    urlparse = urllib.parse.urlparse(index_url)
    project_info = urllib.parse.parse_qs(urlparse.query)['informationName'][0]
    return project_info


def get_content(page, info_name, info_type):
    headers = {
    
        "Connection": "keep-alive",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
        "Referer": " Desensitization treatment , Full code focus  https://github.com/kgepachong/crawler/",
        "Accept-Language": "zh-CN,zh;q=0.9"
    }
    url_param = " Desensitization treatment , Full code focus  https://github.com/kgepachong/crawler/"
    params = {
    
        "pageNum": page,
        "pageSize": "20",
        "releaseTime": "",
        "search": "",
        "informationType": info_type,
        "departmentId": "",
        "projectType": "SZFJ",
        "informationName": info_name,
        "onlyCanBidSectionFlag": "NO"
    }
    response = requests.get(url=url_param, headers=headers, params=params)

    return response


def main():
    print(" Desensitization treatment , Full code focus  https://github.com/kgepachong/crawler/")
    info_name = input(" Please enter the information type :")
    info_type = input(" Please enter the announcement type :")
    page = input(" The number of pages you want to get data :")
    get_content(page, info_name, info_type)
    response = get_content(page, info_name.upper(), info_type.upper())
    num = int(page) * 20
    print(" A total of  %d  A project " % num)
    for i in range(20):
        title = response.json()['rows'][i]['content']
        query_id = response.json()['rows'][i]['projectId']
        query_info = get_project_info(info_name.upper(), info_type.upper())
        project_id_enc = encrypted_project_id(str(query_id))
        project_info_enc = encrypted_project_info(query_info)
        project_url = '%s?projectId=%s&projectInfo=%s' % (url, project_id_enc, project_info_enc)
        print(" The first  %d  A project :" % (i+1) + "\n" + " Project name ：%s  Item number ：%d " % (title, query_id) + "\n" + " Project links ：%s" % project_url)


if __name__ == '__main__':
    main()

Code implementation effect ：