百度post引數分析(二)完結,dv、traceid的js來源
阿新 • • 發佈:2019-01-14
上一篇已經找到了post引數中的dv來源,今天繼續往下看。先回顧一下上一篇中dv的相關js:
// Collects the fields sent with the login POST. `n`, `i` and `s` come from the
// enclosing scope, which this excerpt does not show. The element ids suggest
// this is the SMS-verification form (assumption, confirm against the page).
// Every value here, dv included, is produced in the browser, so the receiving
// server has to treat all of it as untrusted input.
var a = document.getElementById("dv_Input");
var c = {
  gid: n.guideRandom || "",
  username: n._SBCtoDBC(i.value),
  countrycode: s,
  bdstoken: n.bdPsWtoken,
  tpl: n.config.product ? n.config.product : "",
  vcodestr: n.getElement("smsHiddenFields_smsVcodestr").value,
  vcodesign: n.getElement("smsHiddenFields_smsVcodesign").value,
  verifycode: n._SBCtoDBC(n.getElement("confirmVerifyCode").value),
  flag_code: n.config.voice_sms_flag,
  // dv: the hidden #dv_Input field wins when it exists; otherwise fall back to
  // the global window.LG_DV_ARG.dvjsInput, and finally to an empty string.
  dv: a ? a.value : (window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput) || ""
};
dv來源window.LG_DV_ARG.dvjsInput,然後繼續往下找LG_DV_ARG
/**
 * Rebuilds the dv string from the collected data object.
 *
 * Does nothing unless the outer flag `M` is truthy. The result
 * (token + "@" + S(data, token)) is stored in the outer variable `x`, and is
 * passed on to c() only when bit 0 of F.SendMethod is set.
 * `M`, `x`, `F` and `S` live in the enclosing scope (not shown in this excerpt).
 */
function d(e) {
  if (!M) {
    return;
  }
  x = e.token + "@" + S(e, e.token);
  if ((1 & F.SendMethod) > 0) {
    c(x);
  }
}

/**
 * Publishes the dv string: writes it into the hidden #dv_Input field when that
 * element exists, and always into e.LG_DV_ARG.dvjsInput.
 * Here `t` and `e` are outer-scope objects; presumably document and window
 * (assumption, the excerpt does not show where they are bound).
 */
function c(n) {
  var field = t.getElementById("dv_Input");
  if (field) {
    field.value = n;
  }
  e.LG_DV_ARG.dvjsInput = n;
}
其中重要的只有 x = e.token + "@" + S(e, e.token)
繼續找到e.token的生成函式和S函式的原始碼
b.Token = "tk" + Math.random() + (new Date).getTime(),
/**
 * Serialises the known fields of `e` into one string.
 *
 * An encoder is created from `t` with the outer-scope constructor `n` (not
 * shown in this excerpt). The output starts with encoder.iary([2]); after that,
 * every enumerable property of `e` that is not undefined and whose name appears
 * in the id table contributes encoder.iary([fieldId, typeTag, length]) followed
 * by the encoded value. Type tags: 1 = number >= 0, 2 = any other number,
 * 3 = boolean, 4 = Array, 0 = everything else (stringified).
 * A field whose encoded form is falsy (e.g. "") is left out.
 *
 * The table names (mouseDown, keyDown, mouseMove, browserInfo, screenInfo ...)
 * show that the payload is telemetry gathered in the browser.
 */
function S(e, t) {
  var encoder = new n(t);
  var fieldIds = {
    flashInfo: 0,
    mouseDown: 1,
    keyDown: 2,
    mouseMove: 3,
    version: 4,
    loadTime: 5,
    browserInfo: 6,
    token: 7,
    location: 8,
    screenInfo: 9
  };
  var parts = [encoder.iary([2])];

  for (var key in e) {
    var value = e[key];
    if (value === void 0 || fieldIds[key] === void 0) {
      continue;
    }

    var typeTag;
    if (typeof value === "number") {
      typeTag = value >= 0 ? 1 : 2;
      value = encoder.int(value);
    } else if (typeof value === "boolean") {
      typeTag = 3;
      value = encoder.int(value ? 1 : 0);
    } else if (typeof value === "object" && value instanceof Array) {
      typeTag = 4;
      value = encoder.bary(value);
    } else {
      typeTag = 0;
      value = encoder.str(value + "");
    }

    if (value) {
      parts.push(encoder.iary([fieldIds[key], typeTag, value.length]) + value);
    }
  }

  return parts.join("");
}
e.token的生成很簡單,就是字串"tk"加上隨機數再加上時間戳;S函式的作用就是把e物件裡列在對照表中的幾個屬性值依型別編碼後拼接起來,我們可以用一個固定值代替S函式的執行結果。
traceid
繼續全域性查詢traceid只有下面js函式可疑,先看看
// Trace-id helper attached to `e`, an object from the enclosing scope that this
// excerpt does not show (it must already exist when this statement runs).
// A trace id is the concatenation headID + flowID + cases.
e.traceID = {
  // Values already present on a previous e.traceID are carried over.
  headID: e.traceID && e.traceID.headID || "",
  flowID: e.traceID && e.traceID.flowID || "",
  cases: e.traceID && e.traceID.cases || "",

  // Splits an existing trace id into headID (chars 0-5) and flowID (chars 6-7);
  // an empty or missing id resets both parts.
  initTraceID: function(traceId) {
    var self = this;
    if (traceId && traceId.length > 0) {
      self.headID = traceId.slice(0, 6);
      self.flowID = traceId.slice(6, 8);
    } else {
      self.destory();
    }
  },

  // Returns the current trace id string.
  createTraceID: function() {
    var self = this;
    return self.headID + self.flowID + self.cases;
  },

  // Starts the named flow: when no flow is active, or the same flow is started
  // again, a fresh headID is generated; any other flow resets the state.
  startFlow: function(flowName) {
    var self = this;
    var nextFlowID = self.getFlowID(flowName);
    if (self.flowID.length === 0 || self.flowID === nextFlowID) {
      self.createHeadID();
      self.flowID = nextFlowID;
    } else {
      self.finishFlow(nextFlowID);
    }
  },

  // Ends the current flow by clearing headID and flowID (arguments are ignored).
  finishFlow: function() {
    var self = this;
    self.destory();
  },

  // Two-digit integer in the range 10..99.
  getRandom: function() {
    return parseInt(90 * Math.random() + 10, 10);
  },

  // headID = last six hex digits (upper case) of the number formed by the
  // millisecond timestamp followed by the two random digits. Both inputs are
  // guessable, so this can act as a correlation id but not as a secret.
  createHeadID: function() {
    var self = this;
    var stamp = (new Date).getTime() + self.getRandom().toString();
    var hex = Number(stamp).toString(16);
    var len = hex.length;
    self.headID = hex.slice(len - 6, len).toUpperCase();
  },

  // Adopts the `traceid` property of the given object, if there is one.
  getTraceID: function(source) {
    var self = this;
    var traceId = source && source.traceid || "";
    self.initTraceID(traceId);
  },

  // Maps a flow name to its two-character id; unknown names give undefined.
  getFlowID: function(flowName) {
    var flowIds = {
      login: "01",
      reg: "02"
    };
    return flowIds[flowName];
  },

  // Attaches the trace id to a request description: as data.traceid when the
  // request has a data object, otherwise as a `traceid` query parameter on
  // request.url. Returns the same request object.
  setData: function(request) {
    var self = this;
    if (request.data) {
      request.data.traceid = self.createTraceID();
    } else {
      request.url = request.url + (request.url.indexOf("?") > -1 ? "&" : "?") + "traceid=" + self.createTraceID();
    }
    return request;
  },

  // Clears headID and flowID; `cases` is left as it is. (The misspelt name is
  // part of the object's interface and is kept.)
  destory: function() {
    var self = this;
    self.headID = "";
    self.flowID = "";
  }
};
createTraceID:return e.headID + e.flowID + e.cases,其中e.cases是固定的01,e.headID+e.flowID需要按下面js執行
e.traceID.initTraceID()
undefined
e.traceID.createHeadID()
undefined
e.traceID.createTraceID()
"C23F67"
但是注意e物件定義的時候應該給他賦值,不然返回是空,完整如下
var e = {a: 1, b: 1, c: 1}
e.traceID = {
headID: e.traceID && e.traceID.headID || "",
flowID: e.traceID && e.traceID.flowID || "",
cases: e.traceID && e.traceID.cases || "",
initTraceID: function(e) {
var t = this;
e && e.length > 0 ? (t.headID = e.slice(0, 6),
t.flowID = e.slice(6, 8)) : t.destory()
},
省略········
getFlowID: function(e) {
var t = {
login: "01",
reg: "02"
};
return t[e]
},
setData: function(e) {
var t = this;
return e.data ? e.data.traceid = t.createTraceID() : e.url = e.url + (e.url.indexOf("?") > -1 ? "&" : "?") + "traceid=" + t.createTraceID(),
e
},
destory: function() {
var e = this;
e.headID = "",
e.flowID = ""
}
};
{headID: "", flowID: "", cases: "", initTraceID: ƒ, createTraceID: ƒ, …}
e
{a: 1, b: 1, c: 1, traceID: {…}}
e.traceID.initTraceID
ƒ (e) {
var t = this;
e && e.length > 0 ? (t.headID = e.slice(0, 6),
t.flowID = e.slice(6, 8)) : t.destory()
}
e.traceID.initTraceID()
undefined
e.traceID.createHeadID()
undefined
e.traceID.createTraceID()+"01"
"C23F6701"
至於密碼的RSA演算法的js分析就不理了,到此百度post的引數分析就完結了。文章是邊分析邊寫,可能有些地方有點混亂,後面如果有時間的話,會再完整地重塑一遍,並用Python完整實現登陸。
ID:Python之戰
|作|者|公(zhong)號:python之戰
專注Python,專注於網路爬蟲、RPA的學習-踐行-總結
喜歡研究技術瓶頸並分享,歡迎圍觀,共同學習。
獨學而無友,則孤陋而寡聞!