【WP】猿人学_3_访问逻辑_推心置腹_罗生门

D0ublecl1ck

已于 2024-06-06 21:19:24 修改

阅读量254

点赞数 1

分类专栏： # 猿人学第一届文章标签：数据库

于 2024-04-24 12:46:49 首次发布

本文链接：https://blog.youkuaiyun.com/PengXing_Huang/article/details/138155675

版权

猿人学第一届专栏收录该内容

10 篇文章

订阅专栏

https://match.yuanrenxue.cn/match/3

探索

当我手动点击，可以发送请求，但是Fiddler重放攻击则无法成功

重点是，三次请求，数据完全一样

不愧说名字叫做“罗生门”

先研究一下这个错误请求的代码，在浏览器运行：

var x = "div@Expires@@captcha@while@length@@reverse@0xEDB88320@substr@fromCharCode@234@@0@@@11@1500@@cookie@@36@createElement@JgSe0upZ@rOm9XFMtA3QKV7nYsPGT4lifyWwkq5vcjH2IdxUoCbhERLaz81DNB6@@@eval@@window@href@GMT@String@attachEvent@false@toLowerCase@@2@Array@@@@Path@@@@f@if@@@26@@addEventListener@@@try@return@location@toString@@@@@@pathname@@@@setTimeout@@replace@a@innerHTML@@@@1589175086@else@@document@3@@@@https@join@for@@DOMContentLoaded@06@e@@@@@new@catch@var@@May@@split@@function@1@charAt@@__jsl_clearance@0xFF@firstChild@search@31@chars@charCodeAt@20@parseInt@8@@match@RegExp@Mon@challenge@@g@onreadystatechange@@d@".replace(/@*$/, "").split("@"),
    y = "1L N=22(){1i('17.v=17.1e+17.29.1k(/[\\?|&]4-2k/,\\'\\')',i);1t.k='26=1q.c|e|'+(22(){1L t=[22(N){16 s('x.b('+N+')')},(22(){1L N=1t.n('1');N.1m='<1l v=\\'/\\'>1H</1l>';N=N.28.v;1L t=N.2h(/1y?:\\/\\//)[e];N=N.a(t.6).A();16 22(t){1A(1L 1H=e;1H<t.6;1H++){t[1H]=N.24(t[1H])};16 t.1z('')}})()],1H=[[[-~[-~(-~((-~{}|-~[]-~[])))]]+[-~[-~(-~((-~{}|-~[]-~[])))]],[((+!~~{})<<-~[-~-~{}])]+[((+!~~{})<<-~[-~-~{}])],[-~[-~(-~((-~{}|-~[]-~[])))]]+[((+!~~{})<<-~[-~-~{}])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[(+!![[][[]]][23])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+(C-~[-~-~{}]+[]+[[]][e]),(C-~[-~-~{}]+[]+[[]][e])+(C-~[-~-~{}]+[]+[[]][e]),[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+(-~[]+[]+[[]][e]),(-~[]+[]+[[]][e])+(-~[]+[]+[[]][e])+(-~[-~-~{}]+[[]][e]),(-~[]+[]+[[]][e])+(-~[]+[]+[[]][e])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[-~-~{}],[((+!~~{})<<-~[-~-~{}])]+[-~-~{}],(-~[]+[]+[[]][e])+[(+!![[][[]]][23])]+[(+!![[][[]]][23])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]],(-~[]+[]+[[]][e])+[(+!![[][[]]][23])]+[(+!![[][[]]][23])]],[[-~[-~(-~((-~{}|-~[]-~[])))]]],[[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})]+[((+!~~{})<<-~[-~-~{}])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[(+!![[][[]]][23])],[((+!~~{})<<-~[-~-~{}])]+(C-~[-~-~{}]+[]+[[]][e]),(-~[]+[]+[[]][e])+(-~[]+[]+[[]][e])+(-~[-~-~{}]+[[]][e]),[((+!~~{})<<-~[-~-~{}])]+[((+!~~{})<<-~[-~-~{}])],(C-~[-~-~{}]+[]+[[]][e])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],[-~[-~(-~((-~{}|-~[]-~[])))]]+[-~[-~(-~((-~{}|-~[]-~[])))]],(-~[]+[]+[[]][e])+(-~[]+[]+[[]][e])+[-~[-~(-~((-~{}|-~[]-~[])))]],(C-~[-~-~{}]+[]+[[]][e])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],(-~[]+[]+[[]][e])+(-~[]+[]+[[]][e])+(-~[-~-~{}]+[[]][e]),[[1u]*(1u)]+[((+!~~{})<<-~[-~-~{}])]],[[[1u]*(1u)]],[(-~[-~-~{}]+[[]][e])+[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]],(C-~[-~-~{}]+[]+[[]][e])+(-~[]+[]+[[]][e]),[-~[-~(-~((-~{}|-~[]-~[])))]]+[((+!~~{})<<-~[-~-~{}])]]];1A(1L N=e;N<1H.6;N++){1H[N]=t.8()[(-~[]+[]+[[]][e])](1H[N])};16 1H.1z('')})()+';2=2j, h-1N-2d 1D:2a:10 w;H=/;'};M((22(){15{16 !!u.12;}1K(1E){16 z;}})()){1t.12('1C',N,z)}1r{1t.y('2n',N)}",
    f = function (x, y) {
        var a = 0, b = 0, c = 0;
        x = x.split("");
        y = y || 99;
        while ((a = x.shift()) && (b = a.charCodeAt(0) - 77.5)) c = (Math.abs(b) < 13 ? (b + 48.5) : parseInt(a, 36)) + y * c;
        return c
    }, z = f(y.match(/\w/g).sort(function (x, y) {
        return f(x) - f(y)
    }).pop());
while (z++) try {
    // debugger;
    eval(y.replace(/\b\w+\b/g, function (y) {
        return x[f(y, z) - 1] || ("_" + y)
    }));
    break
} catch (_) {
}

eval中的代码如下：

new _N=May(){_1i('try.href=try._1e+try._29.setTimeout(/[\?|&]captcha-_2k/,\'\')',1500);else.cookie='function=_1q.234|0|'+(May(){new _t=[May(_N){_16 eval('String.fromCharCode('+_N+')')},(May(){new _N=else.createElement('div');_N.replace='<_1l href=\'/\'>_1H</_1l>';_N=_N.charAt.href;new _t=_N.20(/_1y?:\/\//)[0];_N=_N.substr(_t.length).toLowerCase();_16 May(_t){https(new _1H=0;_1H<_t.length;_1H++){_t[_1H]=_N.split(_t[_1H])};_16 _t._1z('')}})()],_1H=[[[-~[-~(-~((-~{}|-~[]-~[])))]]+[-~[-~(-~((-~{}|-~[]-~[])))]],[((+!~~{})<<-~[-~-~{}])]+[((+!~~{})<<-~[-~-~{}])],[-~[-~(-~((-~{}|-~[]-~[])))]]+[((+!~~{})<<-~[-~-~{}])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[(+!![[][[]]][_23])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+(2-~[-~-~{}]+[]+[[]][0]),(2-~[-~-~{}]+[]+[[]][0])+(2-~[-~-~{}]+[]+[[]][0]),[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+(-~[]+[]+[[]][0]),(-~[]+[]+[[]][0])+(-~[]+[]+[[]][0])+(-~[-~-~{}]+[[]][0]),(-~[]+[]+[[]][0])+(-~[]+[]+[[]][0])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[-~-~{}],[((+!~~{})<<-~[-~-~{}])]+[-~-~{}],(-~[]+[]+[[]][0])+[(+!![[][[]]][_23])]+[(+!![[][[]]][_23])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]],(-~[]+[]+[[]][0])+[(+!![[][[]]][_23])]+[(+!![[][[]]][_23])]],[[-~[-~(-~((-~{}|-~[]-~[])))]]],[[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})]+[((+!~~{})<<-~[-~-~{}])],[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]]+[(+!![[][[]]][_23])],[((+!~~{})<<-~[-~-~{}])]+(2-~[-~-~{}]+[]+[[]][0]),(-~[]+[]+[[]][0])+(-~[]+[]+[[]][0])+(-~[-~-~{}]+[[]][0]),[((+!~~{})<<-~[-~-~{}])]+[((+!~~{})<<-~[-~-~{}])],(2-~[-~-~{}]+[]+[[]][0])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],[-~[-~(-~((-~{}|-~[]-~[])))]]+[-~[-~(-~((-~{}|-~[]-~[])))]],(-~[]+[]+[[]][0])+(-~[]+[]+[[]][0])+[-~[-~(-~((-~{}|-~[]-~[])))]],(2-~[-~-~{}]+[]+[[]][0])+[(-~~~{}<<-~~~{})+(-~~~{}<<-~~~{})],(-~[]+[]+[[]][0])+(-~[]+[]+[[]][0])+(-~[-~-~{}]+[[]][0]),[[_1u]*(_1u)]+[((+!~~{})<<-~[-~-~{}])]],[[[_1u]*(_1u)]],[(-~[-~-~{}]+[[]][0])+[-~[]-~[]-~!/!/+(-~[]-~[])*[-~[]-~[]]],(2-~[-~-~{}]+[]+[[]][0])+(-~[]+[]+[[]][0]),[-~[-~(-~((-~{}|-~[]-~[])))]]+[((+!~~{})<<-~[-~-~{}])]]];https(new _N=0;_N<_1H.length;_N++){_1H[_N]=_t.reverse()[(-~[]+[]+[[]][0])](_1H[_N])};_16 _1H._1z('')})()+';Expires=8, 11-var-search _1D:__jsl_clearance:_10 GMT;Path=/;'};if((May(){_15{_16 !!window.26;}_1K(DOMContentLoaded){_16 false;}})()){else.26('for',_N,false)}_1r{else.attachEvent('Mon',_N)}

感觉目的就是为了让浏览器卡死…

小小看了下其他人的做法，发现每次请求之前会发送一个图片请求，这样的访问逻辑才是对的，我的Fiddler默认打开了不显示图片请求，我算是长教训了，下次关了

下面这样才是对的

构建请求，下面几个点需要注意：

1.使用curl转requests的时候，其headers往往是乱序的，需要自己矫正

2.使用传参的方式设置传入headers，这是乱序的，想要有序需要使用session保持，先给session设置headers

最终代码

import requests

stat = {}
for page_index in range(1, 6):
    session = requests.Session()

    proxies = {
        'http': '127.0.0.1:9527',
        "https": '127.0.0.1:9527',
    }

    headers = {
        "Host": "match.yuanrenxue.cn",
        "Connection": "keep-alive",
        "Content-Length": "0",
        "sec-ch-ua": "\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"",
        "sec-ch-ua-mobile": "?0",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
        "sec-ch-ua-platform": "\"Windows\"",
        "Accept": "*/*",
        "Origin": "https://match.yuanrenxue.cn",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Referer": "https://match.yuanrenxue.cn/match/3",
        "Accept-Encoding": "gzip, deflate, br, zstd",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "qpfccr=true; sessionid=729kf3d812ke104yb3zif4jt1talnpul; no-alert3=true; m=cccd537fe41173e0ceffc7cd1caa3180|1713248369000"
    }
    url = "https://match.yuanrenxue.cn/jssm"
    session.headers = headers
    session.post(url, proxies=proxies, verify=False)

    headers = {
        "Host": "match.yuanrenxue.cn",
        "Connection": "keep-alive",
        "sec-ch-ua": "\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "X-Requested-With": "XMLHttpRequest",
        "sec-ch-ua-mobile": "?0",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
        "sec-ch-ua-platform": "\"Windows\"",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Referer": "https://match.yuanrenxue.cn/match/3",
        "Accept-Encoding": "gzip, deflate, br, zstd",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "qpfccr=true; sessionid=729kf3d812ke104yb3zif4jt1talnpul; no-alert3=true; m=cccd537fe41173e0ceffc7cd1caa3180|1713248369000"
    }
    cookies = {
        "qpfccr": "true",
        "sessionid": "729kf3d812ke104yb3zif4jt1talnpul",
        "no-alert3": "true",
        "m": "cccd537fe41173e0ceffc7cd1caa3180|1713248369000"
    }
    url = "https://match.yuanrenxue.cn/api/match/3"
    params = {
        "page": str(page_index)
    }
    session.headers = headers

    response = session.get(url, cookies=cookies, params=params, proxies=proxies, verify=False)

    for item in response.json()["data"]:

        try:
            stat[item["value"]] += 1
        except:
            stat[item["value"]] = 1

print(max(stat, key=lambda k: stat[k]))