一.需求描述
在采集蘑菇街的时候,去水印的接口中有mw-sign参数,经过测试发现此参数无法伪造,可以重放。为了脱离浏览器进行采集,需要将这个值解出来。
在通过浏览器搜索中,找到这个地址,我们发现这个参数
这个是找到的z方法,也是要执行的主要方法 buildQuery
varz = V(function(t) {varv, g, _, w, b; v = U, g = J.utf8, _ = F, w = J.bin, (b = function(t, e) { t.constructor == String ?t= e &&"binary"=== e.encoding ? w.stringToBytes(t):g.stringToBytes(t):_(t) ?t= Array.prototype.slice.call(t,0):Array.isArray(t) || (t= t.toString()); for (varn= v.bytesToWords(t), o =8* t.length, r =1732584193, i = -271733879, s = -1732584194, a =271733878, u =0; u < n.length; u++)n[u] =16711935& (n[u] <<8|n[u] >>>24) |4278255360& (n[u] <<24|n[u] >>>8);n[o >>>5] |=128<< o %32,n[14+ (o +64>>>9<<4)] = o;varc = b._ff , p = b._gg , l = b._hh , h = b._ii; for (u =0; u < n.length; u +=16) {varf = r , d = i , y = s , m = a; i = h(i = h(i = h(i = h(i = l(i = l(i = l(i = l(i = p(i = p(i = p(i = p(i = c(i = c(i = c(i = c(i, s = c(s, a = c(a, r = c(r, i, s, a,n[u +0],7, -680876936), i, s,n[u +1],12, -389564586), r, i,n[u +2],17,606105819), a, r,n[u +3],22, -1044525330), s = c(s, a = c(a, r = c(r, i, s, a,n[u +4],7, -176418897), i, s,n[u +5],12,1200080426), r, i,n[u +6],17, -1473231341), a, r,n[u +7],22, -45705983), s = c(s, a = c(a, r = c(r, i, s, a,n[u +8],7,1770035416), i, s,n[u +9],12, -1958414417), r, i,n[u +10],17, -42063), a, r,n[u +11],22, -1990404162), s = c(s, a = c(a, r = c(r, i, s, a,n[u +12],7,1804603682), i, s,n[u +13],12, -40341101), r, i,n[u +14],17, -1502002290), a, r,n[u +15],22,1236535329), s = p(s, a = p(a, r = p(r, i, s, a,n[u +1],5, -165796510), i, s,n[u +6],9, -1069501632), r, i,n[u +11],14,643717713), a, r,n[u +0],20, -373897302), s = p(s, a = p(a, r = p(r, i, s, a,n[u +5],5, -701558691), i, s,n[u +10],9,38016083), r, i,n[u +15],14, -660478335), a, r,n[u +4],20, -405537848), s = p(s, a = p(a, r = p(r, i, s, a,n[u +9],5,568446438), i, s,n[u +14],9, -1019803690), r, i,n[u +3],14, -187363961), a, r,n[u +8],20,1163531501), s = p(s, a = p(a, r = p(r, i, s, a,n[u +13],5, -1444681467), i, s,n[u +2],9, -51403784), r, i,n[u +7],14,1735328473), a, r,n[u +12],20, -1926607734), s = l(s, a = l(a, r = l(r, i, s, a,n[u +5],4, -378558), i, s,n[u +8],11, -2022574463), r, i,n[u +11],16,1839030562), a, r,n[u +14],23, -35309556), s = l(s, a = l(a, r = l(r, i, s, a,n[u +1],4, -1530992060), i, s,n[u +4],11,1272893353), r, i,n[u +7],16, -155497632), a, r,n[u +10],23, -1094730640), s = l(s, a = l(a, r = l(r, i, s, a,n[u +13],4,681279174), i, s,n[u +0],11, -358537222), r, i,n[u +3],16, -722521979), a, r,n[u +6],23,76029189), s = l(s, a = l(a, r = l(r, i, s, a,n[u +9],4, -640364487), i, s,n[u +12],11, -421815835), r, i,n[u +15],16,530742520), a, r,n[u +2],23, -995338651), s = h(s, a = h(a, r = h(r, i, s, a,n[u +0],6, -198630844), i, s,n[u +7],10,1126891415), r, i,n[u +14],15, -1416354905), a, r,n[u +5],21, -57434055), s = h(s, a = h(a, r = h(r, i, s, a,n[u +12],6,1700485571), i, s,n[u +3],10, -1894986606), r, i,n[u +10],15, -1051523), a, r,n[u +1],21, -2054922799), s = h(s, a = h(a, r = h(r, i, s, a,n[u +8],6,1873313359), i, s,n[u +15],10, -30611744), r, i,n[u +6],15, -1560198380), a, r,n[u +13],21,1309151649), s = h(s, a = h(a, r = h(r, i, s, a,n[u +4],6, -145523070), i, s,n[u +11],10, -1120210379), r, i,n[u +2],15,718787259), a, r,n[u +9],21, -343485551), r = r + f >>>0, i = i + d >>>0, s = s + y >>>0, a = a + m >>>0} return v.endian([r, i, s, a]) } )._ff = function(t, e,n, o, r, i, s) {vara =t+ (e &n| ~e & o) + (r >>>0) + s; return (a << i | a >>>32- i) + e } , b._gg = function(t, e,n, o, r, i, s) {vara =t+ (e & o |n& ~o) + (r >>>0) + s; return (a << i | a >>>32- i) + e } , b._hh = function(t, e,n, o, r, i, s) {vara =t+ (e ^n^ o) + (r >>>0) + s; return (a << i | a >>>32- i) + e } , b._ii = function(t, e,n, o, r, i, s) {vara =t+ (n^ (e | ~o)) + (r >>>0) + s; return (a << i | a >>>32- i) + e } , b._blocksize =16, b._digestsize =16, t.exports = function(t, e) {if(null ==t) throw new Error("Illegal argument "+t);varn= v.wordsToBytes(b(t, e)); return e && e.asBytes ?n:e && e.asString ? w.bytesToString(n):v.bytesToHex(n) } })
拿这个时候,我们也知道java也提供有执行js的方法,,经过测试,完成可以用的
ScriptEngine engine = manager.getEngineByName("javascript");engine.eval(MoGujieJsUtils.jssign); if (engineinstanceof Invocable) { Invocable invocable = (Invocable) engine; JavaScriptInterface executeMethod = invocable.getInterface(JavaScriptInterface.class); String token = executeMethod.z(tokenDataString); }
这里提供的 MoGujieJsUtils.jssign 就是上面提供的那个js中的z方法
结合请求参数,对这一串字符的组成部分进行简单猜测:
大致就是"mw-appkey","mw-ckey","mw-h5-os","mw-t","mw-ttid","mw-uuid",以及部分请求地址("mwp.pagani.search/19/")使用"&"拼接而成,
"b9cab4ab7f543491e2c4f6c556711345"是第一步调用z方法的计算结果,
"39a9ae72d3faec64f157166036f84edd_1564026637963"来自cookie中的"_mwp_h5_token"
不过这种情况在执行一段时间后,就会失效的,这是因为这三个参数进行了控制
那我们可以请求这个来进行执行获取到这些参数,或者你自己可以定时获取
需要交流学习可以回复留言一起进步,关注微信公众号 java微技术 或者头条号 java微技术