其他分享
首页 > 其他分享> > 百度爱企查旋转验证逆向

百度爱企查旋转验证逆向

作者:互联网

地址百度旋转验证

查看重定向的url,获取as, ds, tk 三个值


获取旋转的原图 和 backstr 的值

旋转验证参数提交,dbug 调试参数跟进, 跟进来后发现重点在 r.rzData


控制台打印 r.raData

在r.rzData中ac_c是检测的关键,ac_c=round((o / 212),2),而o是滑动的距离,o=angle*212/360 (angle)是识别的角度。然后backstr是前面返回的,其他的所有参数都可固定,包括轨迹fs是对r.rzData进行aes加密的结果(key是ac+'appsapi0')

重写js文件
var CryptoJS = require('crypto-js');

function encrypt_(angle, as, backstr) {
    var tt = {
        "cl": [
            {
                "x": 862,
                "y": 287,
                "t": 1657760616916
            }
        ],
        "mv": [
            {
                "fx": 987,
                "fy": 149,
                "t": 1657760613905,
                "bf": 2
            },
            {
                "fx": 979,
                "fy": 370,
                "t": 1657760615529,
                "bf": 2
            },
            {
                "fx": 948,
                "fy": 339,
                "t": 1657760615688,
                "bf": 2
            },
            {
                "fx": 911,
                "fy": 321,
                "t": 1657760615848,
                "bf": 2
            },
            {
                "fx": 892,
                "fy": 309,
                "t": 1657760616008,
                "bf": 2
            },
            {
                "fx": 880,
                "fy": 299,
                "t": 1657760616176,
                "bf": 2
            },
            {
                "fx": 869,
                "fy": 290,
                "t": 1657760616440,
                "bf": 2
            },
            {
                "fx": 864,
                "fy": 288,
                "t": 1657760616641,
                "bf": 2
            },
            {
                "fx": 862,
                "fy": 287,
                "t": 1657760616866,
                "bf": 2
            },
            {
                "fx": 864,
                "fy": 288,
                "t": 1657760617026,
                "bf": 1
            },
            {
                "fx": 877,
                "fy": 293,
                "t": 1657760617186,
                "bf": 1
            },
            {
                "fx": 882,
                "fy": 295,
                "t": 1657760617360,
                "bf": 1
            },
            {
                "fx": 891,
                "fy": 298,
                "t": 1657760617537,
                "bf": 1
            },
            {
                "fx": 900,
                "fy": 300,
                "t": 1657760617688,
                "bf": 1
            },
            {
                "fx": 908,
                "fy": 301,
                "t": 1657760617864,
                "bf": 1
            },
            {
                "fx": 910,
                "fy": 301,
                "t": 1657760618585,
                "bf": 1
            }
        ],
        "sc": [],
        "kb": [
            {
                "key": "a",
                "t": 1657760606047
            }
        ],
        "sb": [],
        "sd": [],
        "sm": [],
        "cr": {
            "screenTop": 0,
            "screenLeft": 0,
            "clientWidth": 1920,
            "clientHeight": 979,
            "screenWidth": 1920,
            "screenHeight": 1080,
            "availWidth": 1920,
            "availHeight": 1050,
            "outerWidth": 1920,
            "outerHeight": 1050,
            "scrollWidth": 1920,
            "scrollHeight": 1920
        },
        "simu": 0,
        "ac_c": (angle * 212 / 360 / 212).toFixed(2),
        "backstr": backstr
    };
    var t = as + 'appsapi0'
        , n = CryptoJS.enc.Utf8.parse(t)
        , i = CryptoJS.enc.Utf8.parse(JSON.stringify(tt))
        , r = CryptoJS.AES.encrypt(i, n, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return [r.toString(), tt['ac_c']];
}


// console.log(encrypt_('175','77af72b4','3665-Px4DcLoit3uVe824uBkHUhYlQRP9J1snLUo3oUo4NCni3QAeNyHrm3CQYE1d0+bG4z2Vv/PQXdv1Qp9j+bImhNo+yvQeYZjOGBVq/fJYQARPO+z357jr0N2VdtJR6PLV/ZF/4vWSekHq0V0F9PvNX4E9FL+bBVTtveoWXlDB3zxsr30wdtMey7lw/HDDDKm05KTU72MoN+B2g6pXkXJLfwXeK557yhbIgeqaUUxYRgI46RjrwoF1Em3LISq+4Ke5TIyH89awQ6ups+DSlxyJZbU/WxmL6wSrpxmVpQ0rYrwgtgO8yAPCE2myWZ7uQnMkWTnNNBThHZHALC3YA4xWkA=='))

调用旋转模型,整体代码
from urllib.parse import unquote
import requests
import execjs
import time
import json
import re
import urllib3
from baidu_aiqicha_rotate.rotate_captcha import fun_get_angle_
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class BaiduAiqichaRotate:

    def __init__(self):
        self.session = requests.session()
        self.headers = {
            'Accept': 'text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, '
                      '*/*; q=0.01',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'keep-alive',
            'Sec-Fetch-Dest': 'empty',
            'Sec-Fetch-Mode': 'cors',
            'Sec-Fetch-Site': 'same-origin',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
                          'Chrome/103.0.0.0 Safari/537.36',
            'X-Requested-With': 'XMLHttpRequest',
            'Referer': 'https://wappass.baidu.com/static/captcha/tuxing.html?ak=33c48884b7df83d4230e07cbcd0d07fd&backurl=http%3A%2F%2Fwww.aiqicha.com%2Fs%3Fq%3D%E5%8D%8E%E4%B8%BA%E6%8A%80%E6%9C%AF%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%26t%3D0%26p_type%3D2&timestamp=1658303050&signature=0a25abf3ad473d83e846a510b7b5d1ed',
            'sec-ch-ua': '".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"',
            'sec-ch-ua-mobile': '?0',
            'sec-ch-ua-platform': '"Windows"',
        }

    def get_image_request_data(self):
        """
        :return: 获取需要获取图片的参数
        """
        url = "https://wappass.baidu.com/viewlog"
        params = {
            "callback": "jQuery110205449684422426735_" + str(int(time.time() * 1000)),
            "ak": "33c48884b7df83d4230e07cbcd0d07fd",
            "_": str(int(time.time() * 1000))
        }
        response = self.session.get(url, headers=self.headers, params=params)
        res_data = re.findall(r'.*?(\{.*?})\)', response.text)[0]
        res_data = json.loads(res_data)
        item = {
            "tk": res_data['data']['tk'],
            "as": res_data['data']['as'],
            "ds": res_data['data']['ds']
        }
        return item

    def get_img(self, item):
        url = "https://wappass.baidu.com/viewlog/getstyle"
        params = {
            "callback": "jQuery110205449684422426735_" + str(time.time() * 1000),
            "ak": '33c48884b7df83d4230e07cbcd0d07fd',
            "tk": item["tk"],
            "isios": "0",
            "type": "spin",
            "_": str(time.time() * 1000)
        }
        response = self.session.get(url, headers=self.headers, params=params)
        ret_data = re.findall(r'.*?(\{.*?})\)', response.text)[0]
        ret_data = json.loads(ret_data)
        item_img = {
            "img_url": unquote(ret_data['data']['ext']['img']),
            "backstr": ret_data['data']['backstr'],
            "tk": item["tk"],
            "as": item["as"]
        }
        response = self.session.get(item_img['img_url'], verify=False)
        with open('img.png', 'wb')as f:
            f.write(response.content)
        return item_img

    def verify_data(self, item):
        url = "https://wappass.baidu.com/viewlog"
        print("angle:", item['angle'])
        print("as:", item['as'])
        with open('get_encrypt.js', 'r', encoding='utf-8') as f:
            js_text = f.read()
        fs = execjs.compile(js_text).call('encrypt_', str(item['angle']), str(item['as']), str(item['backstr']))
        print("fs:", fs)
        params = {
            "callback": "jQuery110204100787474351779_" + str(time.time() * 1000),
            "ak": "33c48884b7df83d4230e07cbcd0d07fd",
            "as": item['as'],
            "fs": fs[0],
            "tk": item['tk'],
            "cv": "submit",
            "_": str(time.time() * 1000)
        }
        response = self.session.get(url, headers=self.headers, params=params)
        ret_data = re.findall(r'.*?(\{.*?})\)', response.text)[0]
        ret_data = json.loads(ret_data)
        print("验证结果:", ret_data)
        return ret_data


if __name__ == '__main__':
    item = BaiduAiqichaRotate().get_image_request_data()
    item_img = BaiduAiqichaRotate().get_img(item)
    angle = fun_get_angle_('img.png')
    item_img['angle'] = angle
    print(item_img)
    ret_data = BaiduAiqichaRotate().verify_data(item_img)
    if 1 == ret_data['data']['op']:
        print("验证通过")
        # break

参考链接

标签:逆向,bf,img,fx,fy,爱企查,item,data,百度
来源: https://www.cnblogs.com/wyh0923/p/16499379.html