Disclaimer

Everything in this article is for learning and discussion only. The captured traffic, sensitive URLs and data interfaces have been desensitized. Commercial or illegal use is strictly prohibited, and the author bears no responsibility for any consequences of such use. If anything here infringes your rights, please contact me and I will delete it immediately!

Reverse-engineering target

  • Target: a government service website -> Government-citizen interaction -> I want to consult
  • Homepage: aHR0cDovL3p3Zncuc2FuLWhlLmdvdi5jbi9pY2l0eS9pY2l0eS9ndWVzdGJvb2svaW50ZXJhY3Q=
  • Interface: aHR0cDovL3p3Zncuc2FuLWhlLmdvdi5jbi9pY2l0eS9hcGktdjIvYXBwLmljaXR5Lmd1ZXN0Ym9vay5Xcml0ZUNtZC9nZXRMaXN0
  • Parameters to reverse:
    • Request Headers, Cookie: ICITYSession=fe7c34e21abd46f58555124c64713513
    • Query String Parameters: s=eb84531626075111111&t=4071_e18666_1626075203000
    • Request Payload: {"start":0,"limit":7,"TYPE@=":"2","OPEN@=":"1"}

Reverse-engineering process

Bypassing the infinite debugger

We try to capture the traffic: open the developer tools and refresh the page, and the page pauses at a debugger statement. Click to continue and it pauses at another debugger statement. This is the infinite debugger, which exists to stop people from debugging the page. In practice it is very easy to bypass and there are many ways to do so; the commonly used ones are described below.

1. Never pause here

At the debugger location, right-click the line number and choose Never pause here, so that execution never breaks at that line.

2. Add conditional breakpoint

Alternatively, right-click and choose Add conditional breakpoint, then enter false to skip the infinite debugger. The principle: whatever the logic of the preceding code, the condition is true by the time the debugger statement is reached. Change it to false and the pause is not executed.

3. Man-in-the-middle interception to replace the infinite debugger function

Man-in-the-middle interception and replacement is a swap: the original function that contains the infinite debugger is replaced with another one. This method applies when you know which JS file contains the infinite debugger function. Rewrite the JS file so that it no longer contains that function, then replace the original JS file with the rewritten one using a third-party tool such as ReRes, a browser plug-in that maps requests to other URLs or to local files or directories according to rules you specify. The AutoResponder feature of the packet capture tool Fiddler can do the same replacement.

4. Empty the function

It is also possible to redefine the infinite debugger function directly in the Console so that it is empty. The drawback is that the override is lost after a refresh, so this method is rarely used.

Packet capture analysis

After bypassing the infinite debugger, click the next page and analyze the captured traffic. The data interface looks like: http://zwfw.xxxxxx.gov.cn/icity/api-v2/app.icity.guestbook.WriteCmd/getList?s=d455731630315957615&t=2491_d51515_1630315979000. We need to work out the Cookie, the Query String Parameters and the Request Payload.

Reversing the parameters

In the request for the home page, the Cookie value is set by the Set-Cookie response header. So request the home page with the GET method and read the Cookie directly from the response.

In the Request Payload, start increases by 7 for each page. The other parameters remain unchanged.

The two Query String Parameters, s and t, are produced by JS encryption.

curUrl += "?s=" + sig; curUrl += "&t=" + t; Here sig is the value of the s parameter. Set a breakpoint at this point and you can see that these are the parameters we are looking for.

LEx.isNotNull will be reported as not defined. Because LEx itself is not defined, you can copy the original function out of LEx.

The __signature parameter will also be reported as not defined. A global search finds this value in the HTML of the home page, from which it can be extracted with a regular expression.

Complete code

Follow K brother crawler on GitHub, where crawler-related code is shared regularly. Stars are welcome! github.com/kgepachong/

**The following is only the key part of the code and cannot be run directly!** Full repository address: github.com/kgepachong/…

JS encryption code

// Copied out of the site's LEx object, which is not defined locally
var isNotNull = function (obj) {
    if (obj === undefined || obj === null || obj == "null" || obj === "" || obj == "undefined")
        return false;
    return true;
};

function getDecryptedParameters(__signature) {
    var sig = "";
    var chars = "0123456789abcdef";
    if (!isNotNull(__signature)) {
        // No signature supplied by the page: build a fallback value
        var curTime = parseInt(Math.random() * (9999 - 1000 + 1) + 1000) + "" + Date.parse(new Date());
        sig = chars.charAt(parseInt(Math.random() * (15 - 15 + 1) + 10)) + chars.charAt(curTime.length) + "" + curTime;
    } else {
        sig = __signature;
    }

    // Derive a 6-character key by walking through sig
    var key = "";
    var keyIndex = -1;
    for (var i = 0; i < 6; i++) {
        var c = sig.charAt(keyIndex + 1);
        key += c;
        keyIndex = chars.indexOf(c);
        if (keyIndex < 0 || keyIndex >= sig.length) {
            keyIndex = i;
        }
    }

    // t has the form <4-digit random>_<key>_<millisecond timestamp>
    var timestamp = parseInt(Math.random() * (9999 - 1000 + 1) + 1000) + "_" + key + "_" + Date.parse(new Date());
    var t = timestamp;
    //LEx.azdg.encrypt(timestamp,key);
    t = t.replace(/\+/g, "_");
    return {"s": sig, "t": t};
}

// Test example
// console.log(getDecryptedParameters("c988121626057020055"))
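
The relationship between s and t produced by getDecryptedParameters above, written as a consistency check. This is an added example, not code from the original post or from the site; checkPair and maxAgeMs are hypothetical names, and the sample values are the ones quoted in this article. It shows that the key segment of t is fully determined by s, so the pair contains no secret of its own.

```javascript
// Added example: recompute the key that getDecryptedParameters embeds in t.
const CHARS = "0123456789abcdef";

// Same walk as the loop in getDecryptedParameters: each key character is read
// from sig at the position given by the previous character's hex value, plus 1.
function deriveKey(sig) {
  let key = "";
  let keyIndex = -1;
  for (let i = 0; i < 6; i++) {
    const c = sig.charAt(keyIndex + 1);
    key += c;
    keyIndex = CHARS.indexOf(c);
    if (keyIndex < 0 || keyIndex >= sig.length) keyIndex = i;
  }
  return key;
}

// Check one (s, t) pair for internal consistency.
// maxAgeMs is a hypothetical freshness window chosen by whoever runs the check.
function checkPair(s, t, nowMs, maxAgeMs) {
  // t = <4-digit random>_<key>_<13-digit millisecond timestamp>
  const m = /^(\d{4})_([0-9a-f]{0,6})_(\d{13})$/.exec(t);
  if (!m) return { ok: false, reason: "malformed t" };
  const [, , key, ts] = m;
  if (key !== deriveKey(s)) return { ok: false, reason: "key does not match s" };
  const age = nowMs - Number(ts);
  if (age < 0 || age > maxAgeMs) return { ok: false, reason: "stale or future timestamp" };
  return { ok: true, reason: "consistent" };
}

// Values quoted in the article; the clock reading is constructed for the demo.
const sample = { s: "eb84531626075111111", t: "4071_e18666_1626075203000" };
console.log(deriveKey(sample.s), checkPair(sample.s, sample.t, 1626075208000, 60000));
```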

Python code

#!/usr/bin/env python3
# -*- coding: utf-8 -*-


import re

import execjs
import requests


# Desensitized placeholders; for the complete code see GitHub: https://github.com/kgepachong/crawler
index_url = 'Desensitized; for the complete code see GitHub: https://github.com/kgepachong/crawler'
data_url = 'Desensitized; for the complete code see GitHub: https://github.com/kgepachong/crawler'
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'}
session = requests.session()


def get_encrypted_parameters(signature):
    # Run the extracted JS to compute the s and t query parameters
    with open('encrypt.js', 'r', encoding='utf-8') as f:
        js = f.read()
    encrypted_parameters = execjs.compile(js).call('getDecryptedParameters', signature)
    return encrypted_parameters


def get_signature_and_cookies():
    # The home page sets ICITYSession and embeds __signature in its HTML
    response = session.get(url=index_url, headers=headers)
    cookies = response.cookies.get_dict()
    cookie = cookies['ICITYSession']
    signature = re.findall(r'signature = "(.*)"', response.text)[0]
    return cookie, signature


def get_data(cookie, parameters, page):
    # start advances by 7 per page; the other payload fields stay fixed
    payload_data = {'start': page*7, 'limit': 7, 'TYPE@=': '2', 'OPEN@=': '1'}
    params = {'s': parameters['s'], 't': parameters['t']}
    cookies = {'ICITYSession': cookie}
    response = session.post(url=data_url, headers=headers, json=payload_data, params=params, cookies=cookies).json()
    print(payload_data, response)


def main():
    ck, sig = get_signature_and_cookies()
    for page in range(10):  # Collect 10 pages of data
        param = get_encrypted_parameters(sig)
        get_data(ck, param, page)


if __name__ == '__main__':
    main()