ALIPAY WEB log in rsa encryption analysis record
2022-08-08 22:32:00 【ios and android】
Test address
The packet captured after entering the account and password
The password field turns out to be encrypted and URL-encoded
Let's URL-decode the password first and take a look
TGmwBXTQ9sE2P3v0TvTp9Ohd7MFVu49oGmaTuVsPSKjHkO09 FhGDs4pfvsz4EyPJK1MEiZHsissmVC1ok1NpXgBjR/l4R4eJ5QE B3H/VBJ80J19DcsZUDAve5lspik9Ob1g2FewafIoAENIL8wJpZAnHEA3haU4SiEaqupKRKDLxuJpEyAsufHcqNLwq/XhBAkBgvC 3kkRYbXv pCkZVMYqxCT8QiK492LEKp4XjnxdlT0xr0QGZAf/o1JSY1J91L4wwh64hLWdCbj2dShkgiT/Wpcnbtopfdjs4smw2iLtWxDigc0 1pQw79jDHnTBGAkfXKwDXsa4oYlC8Hqw==
goto: https://authweb.alipay.com/mobile/auth?v=h5&auth_type=AUTHACCOUNT&biz_type=openservice&sign=AIuHm3Q7BaDWv39Hu7udymjfpncLygKpen%2FNcZVABL8%3D&pid=2088821693967553&target_id=com.huawei.health&app_name=mc&apiname=com.alipay.account.auth&msp_type=sdk-and-lite&product_id=APP_FAST_LOGIN&scope=kuaijie&app_id=2017111309907804&timestamp=1617153466948
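So the request consists of the encrypted password plus the login address. Next, let's see how the password encryption is produced.
Through debugging, the path of the JS file that does the encryption was found:
https://a.alipayobjects.com/g/authcenter-assets/h5login/1.2.6/login-accpwd.js
Set a breakpoint at _initComponents and refresh the page to obtain rsaPublicKey, the public key used for encryption
Let's verify that this is right
This yields the entered account and password, plus the RSA-encrypted password
Now look at the actual implementation of getRsaPassword
rsaSalt turns out to be empty; it may not be empty in the future
getRsaPassword calls this._components.rsa.encrypt(e + t)
Next, look at how rsa.encrypt implements the encryption
It simply takes the first 245 characters of the password, then calls this.key.encrypt(t.substr(0, 245)) to encrypt them, which yields a hexadecimal number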
5cc2c85be0c34e189a2bab02c4f23269fba074f1e4fb76a29108d941746087b2e6006a463809eddf66f6b364ad6a735d6cbcb19fcb8121dd66af03c51f7ded4adcd5a409405f51cf135c31af34d7480d772d6af42c6d71dff7fe00c51bfb3c2d41126aeb596ec9fb195ca45a1841168ebf82c14dc902765ca04e8b3841a2992766b450119b4b91779e5b02db1ed9b4ead0ed03c6979b8e5bb08c9586e15819bb3e48d781a3afcebcbbdf172f42fe88fa31537eaa6d3efea5726b7a310abd92eb7e8eb22689a63d30306bf282f52c13779c355e04d65be887988edb84b18d602c218ed05e6c0b57a3f59e9a261c6bd4466701bb2793589bcbc1b53c210bc0208c
After encryption, r() is called, which is really just hexToBase64; encoding the hex this way gives the final password
"fhRKPmXU+rHGvFrtreEXMGwTa0+D5WHka+6ZzLiK6Q0qLwl4JpxlnMMDL0k5+2ZGokxsXWZLpnsHklfICBWa+7Cw9iuKvxyxveKlKdZnkTsPqFkxOGvMHZcarBP79Wk/1HjTvd9zY+xa8WugbsQ/3OcOuVYjtc/U+jzOsb6MHTWMXk1ouxXc7TUUQdgdIR3cb5OPlNhlmZslLSqRKSFJ+f4icBcSZcJvyNXbXfyQqDnOC0ulii0TIdy6d+zGzTHjNvU9R7Crfd6E8gn6equ7Et0HSmTQnolJAfJB70cz1QwbMoWNqbNuvrFuSJNPdu8iNRJ9p95TJv4YTnO1rS820A=="
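The pipeline traced above (password plus salt, first 245 characters, RSA encryption to hex, then hexToBase64), as an added Node.js example that is not code from the page or from Alipay. It assumes a locally generated 2048-bit key in place of rsaPublicKey and PKCS#1 v1.5 padding, which is what a 245 limit suggests (256 - 11); the function bodies are illustrative and only the names getRsaPassword and hexToBase64 come from the page.

```javascript
const crypto = require('crypto');

// Constructed key pair: stands in for the page's rsaPublicKey (assumption).
const { publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hex string -> Base64, the job the page attributes to hexToBase64.
function hexToBase64(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error('expected an even-length hex string');
  }
  return Buffer.from(hex, 'hex').toString('base64');
}

// RSA-encrypt a string and return the ciphertext as hex.
// PKCS#1 v1.5 padding is an assumption; the page does not name the padding.
function rsaEncryptHex(plain) {
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(plain, 'utf8')
  ).toString('hex');
}

// password + salt, capped at 245 characters, encrypted, then hex -> Base64.
function getRsaPassword(password, salt = '') {
  const plain = (password + salt).slice(0, 245); // same cut as substr(0, 245)
  return hexToBase64(rsaEncryptHex(plain));
}

// Why 245: v1.5 padding costs 11 bytes, so a 256-byte modulus takes at most
// 245 bytes of plaintext. The cap counts characters, not bytes, so 245
// non-ASCII characters still overflow the block.
function fitsInOneBlock(plain) {
  try {
    rsaEncryptHex(plain);
    return true;
  } catch (err) {
    return false;
  }
}

// The padding is random, so the same password encrypts differently each time.
// A captured value is checked by its decoded length (256 bytes for a
// 2048-bit key), not by comparing it with a fresh encryption.
function decodedLength(b64) {
  return Buffer.from(b64, 'base64').length;
}
```

The first six bytes of the hex value shown above (5cc2c85be0c3) encode to XMLIW+DD, the same prefix as the password value in the request object further down the page.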
The result of getFormData with the encrypted password added; it matches what the analysis found
Then the POST is sent
- account:"1111111"
- password:"aaaaaaaaaaa"
- rsaPassword:"fhRKPmXU+rHGvFrtreEXMGwTa0+D5WHka+6ZzLiK6Q0qLwl4JpxlnMMDL0k5+2ZGokxsXWZLpnsHklfICBWa+7Cw9iuKvxyxveKlKdZnkTsPqFkxOGvMHZcarBP79Wk/1HjTvd9zY+xa8WugbsQ/3OcOuVYjtc/U+jzOsb6MHTWMXk1ouxXc7TUUQdgdIR3cb5OPlNhlmZslLSqRKSFJ+f4icBcSZcJvyNXbXfyQqDnOC0ulii0TIdy6d+zGzTHjNvU9R7Crfd6E8gn6equ7Et0HSmTQnolJAfJB70cz1QwbMoWNqbNuvrFuSJNPdu8iNRJ9p95TJv4YTnO1rS820A=="
The login process is then invoked: t is passed to checkAndPost(t), which then calls postLogin(r)
checkAndPost() only adds the goto and loginScene fields
- goto:"https%3A%2F%2Fauthweb.alipay.com%2Fmobile%2Fauth%3Fv%3Dh5%26auth_type%3DAUTHACCOUNT%26biz_type%3Dopenservice%26sign%3DAIuHm3Q7BaDWv39Hu7udymjfpncLygKpen%252FNcZVABL8%253D%26pid%3D2088821693967553%26target_id%3Dcom.huawei.health%26app_name%3Dmc%26apiname%3Dcom.alipay.account.auth%26msp_type%3Dsdk-and-lite%26product_id%3DAPP_FAST_LOGIN%26scope%3Dkuaijie%26app_id%3D2017111309907804%26timestamp%3D1617153466948"
- loginScene:"mobile_oauth"
- logonId:"1111111"
- password:"fhRKPmXU+rHGvFrtreEXMGwTa0+D5WHka+6ZzLiK6Q0qLwl4JpxlnMMDL0k5+2ZGokxsXWZLpnsHklfICBWa+7Cw9iuKvxyxveKlKdZnkTsPqFkxOGvMHZcarBP79Wk/1HjTvd9zY+xa8WugbsQ/3OcOuVYjtc/U+jzOsb6MHTWMXk1ouxXc7TUUQdgdIR3cb5OPlNhlmZslLSqRKSFJ+f4icBcSZcJvyNXbXfyQqDnOC0ulii0TIdy6d+zGzTHjNvU9R7Crfd6E8gn6equ7Et0HSmTQnolJAfJB70cz1QwbMoWNqbNuvrFuSJNPdu8iNRJ9p95TJv4YTnO1rS820A=="
This is the packet data sent by the web page; the encrypted password is the same as the one from the analysis
Finally, _json_token is returned
Next comes decrypting json_ua
Continue analyzing the post
e="/login/h5Login.json"
n={logonId: "1111111", password: "XMLIW+DDThiaK6sCxPIyafugdPHk+3aikQjZQXRgh7LmAGpGOA…NYCwhjtBebAtXo/WemiYca9RGZwG7J5NYm8vBtTwhC8AgjA==", goto: "https%3A%2F%2Fauthweb.alipay.com%2Fmobile%2Fauth%3…id%3D2017111309907804%26timestamp%3D1617153466948", loginScene: "mobile_oauth"}
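After _buildOpts runs, the resulting i is the request data
Is this the json_ua data or not?
The json_ua value is assigned from the json_ua object and then URL-encoded with C, where var C = encodeURIComponent;
Where the json_ua object is assigned: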
https://a.alipayobjects.com/g/authcenter-assets/h5login/1.2.6/common.js:formatted
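Entering window.json_ua.toString() directly in the console gives the result; it is different every time
Entering context directly in the console shows the public key information
Now that we know how it is called, let's look at how window.json_ua is initialized
Viewing the landing page source and searching for json_ua finds where it is defined, but it is not initialized there, so that must happen in some JS file
Next is the JS file that does the json_ua encryption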
https://gw.alipayobjects.com/os/fraudmng/WLQVVfrxlPitWeTjafuB.js
To be continued...