Let’s start with today’s victims:
aHR0cDovL3d3dy5taWd1dmlkZW8uY29tL21ncy93ZWJzaXRlL3ByZC9pbmRleC5odG1s
One, analysis password encryption
This analysis is the three parameters of his landing, first analysis of landing logic, catch a bag to see.
It can be seen that the pop-up window is used for login [Figure 1-1]. In order to avoid interference of other elements of the home page for packet capture, we can open the login box to analyze the packet capture [Figure 1-2] by right-clicking and viewing the framework source code.
Open the source code page address bar in the view-source: delete can open the following page [Figure 1-3] :
You can see the following package [Figure 1-4], but you can guess that the encryption parameters here may be related to RSA from the above Publickey. Let’s find the location of the password encryption first:
As usual, search enpassword, expected to find no useful results [Figure 1-5], but the positioning element can be located by name can also be located by class, so also try J_RsaPsd, as expected, found a decent file [Figure 1-6].
When we retrieve J_RsaPsd in the open file, we can see that there are three related results (those familiar with encryption can already see that this is RSA encryption). We can determine which J_RsaPsd is the encryption logic by breaking all the related results [Figure 1-6] and re-issuing the login request.
By renewing the request, the break is broken at line 333 [Figure 1-8].
Let’s copy the entire code first:
c.setPublic(a.result.modulus, a.result.publicExponent);
var d = c.encrypt(b.val());
b.siblings(".J_RsaPsd").val(d)
Copy the codeLet’s look at the console to see what these parameters are [Figure 1-9].
Through the preceding packet capture and the code of JS page, we judge that the encryption of the password is RSA encryption, so we need to find out several elements of RSA encryption, such as his public key, because RSA asymmetric encryption local use public key encryption, server use private key decryption. Look at the parameters on [Figure 1-8]. I don’t know if you remember the packet I mentioned at the beginning of [Figure 1-4]. Let’s switch to the console -Network to see [Figure 1-10].
{"status":2000."message":""."header": {},"result": {"publicExponent":"010001"."modulus":"00833c4af965ff7a8409f8b5d5a83d87f2f19d7c1eb40dc59a98d2346cbb145046b2c6facc25b5cc363443f0f7ebd9524b7c1e1917bf7d849212339 f6c1d3711b115ecb20f0c89fc2182a985ea28cbb4adf6a321ff7e715ba9b8d7261d1c140485df3b705247a70c28c9068caabbedbf9510dada6d13d99 e57642b853a73406817"}}
Copy the codeIs it exactly the same as what we printed out in [Figure 1-9]
B. val() is the wrong password.
Here we find all the parameters needed for encryption, actually I don’t think it is necessary to button JS, but I know.
Don’t I think. You want you to think
So lazy with the previous button code test:
----------- omitted500Line -- -- -- -- -- -- -- -- -- -- -function bodyRSA()
{
//setMaxDigits(130);
var key = RSAUtils.getKeyPair("010001".""."00833c4af965ff7a8409f8b5d5a83d87f2f19d7c1eb40dc59a98d2346cbb145046b2c6facc25b5cc363443f0f7ebd9524b7c1e1917bf7d849212339 f6c1d3711b115ecb20f0c89fc2182a985ea28cbb4adf6a321ff7e715ba9b8d7261d1c140485df3b705247a70c28c9068caabbedbf9510dada6d13d99 e57642b853a73406817");
return key
}
function get_encrypt(password) {
key = bodyRSA();
var a = RSAUtils.encryptedString(key,password)
//var b = RSAUtils.encryptedString(key,username)
console.log(a)
console.log('-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --')
//console.log(b)
return a
}
get_encrypt('11111111111')
Copy the codeAnalyze FingerPrintDetail and fingerPrint
According to [Figure 1-5] and [Figure 1-6] in the first part, the location of encryption can be quickly located, and [Figure 2-1] will not be mentioned here.
RsaFingerprint uses the same RSA encryption as password encryption [Figure 2-2], but some parameters are different.
$.fingerprint. Result and $.fingerprint.
Locate the location of $.fingerprint by searching the results [Figure 2-3]
Keep looking up until you finally find here, a string of hashes generated based on information such as the browser request [Figure 2-4].
If the request header is not changed, the value is fixed. If the request header is changed, the hash needs to be regenerated, which is the browser fingerprint for this.
Because we are just learning here, so we don’t mess around, but this whole piece of code is relatively simple, nothing can be clicked.
Tip: If you want to analyze the fingerprint algorithm, remember to refresh the page before entering the breakpoint.
Third, summary
In combination with previous suggestions, the pictures of the article are marked with serial numbers, hoping to play a role in sorting out ideas.
This website encryption overall or only use RSA encryption algorithm can be done, the overall encryption algorithm is relatively simple experienced brother directly through the encryption library can be achieved, if you want to practice can also cut out try, as long as the hair is much, liver is done.
