某网站的 Authorization参数破解

2023 年 06 月 09 日

256 次浏览

3007字数

网站：aHR0cHM6Ly93d3cuc2hhbmdoYWlyYW5raW5nLmNuLw==

破解的参数：

```
Authorization:
Mzo5Mjk5MzA3Zjk5NWQzZTVkMGIyMDg2OTcyNzE3YTY2ZDEzMjMzMjAyZTFhOTExYjI2ZWQ2NjIyZDg3NmMwYzUzOjE2ODYzMDIxNjg2NDQ=
```

首先看加密后的参数像是base64：Mzo5Mjk5MzA3Zjk5NWQzZTVkMGIyMDg2OTcyNzE3YTY2ZDEzMjMzMjAyZTFhOTExYjI2ZWQ2NjIyZDg3NmMwYzUzOjE2ODYzMDIxNjg2NDQ=

于是我去解密了一下，解密后的值为拼接的：

3:9299307f995d3e5d0b2086972717a66d13233202e1a911b26ed6622d876c0c53:1686302168644

试了几个加密参数，中间部分很重要：

9299307f995d3e5d0b2086972717a66d13233202e1a911b26ed6622d876c0c53

那就继续找

![image.png](http://type.zimopy.com/usr/uploads/2023/06/3053402652.png)

步骤全局搜索Authorization，找到三个可疑点都打上断点，刷新页面，会定位到可疑点，那个位置是then运行的，所以需要单步走，走进来就到这儿了

![image.png](http://type.zimopy.com/usr/uploads/2023/06/1496166953.png)

继续跟，就到这儿了

```js
              , f = o + (new Date).getTime()
              , m = "3#" + r + "#" + v + "#" + f
              , x = "3:" + c.a.SHA256(m) + ":" + f;
            return x = c.a.enc.Utf8.parse(x),
            c.a.enc.Base64.stringify(x)
```

c.a.SHA256(m)应该就是加密出9299307f995d3e5d0b2086972717a66d13233202e1a911b26ed6622d876c0c53的地方

所以就找m是什么就可以了

```sh
3#67611e7d-9144-4893-a737-0ca577012646#GET /v2010/inst cat=&givemeall=y&inbound=&lev=&limit=&name=&prov=#1686302673534'
```

完整的python代码

```python
import hashlib
import base64
now_tme=str(int(time.time()*1000))
# 要加密的字符串
str_to_hash = f'3#67611e7d-9144-4893-a737-0ca577012646#GET /v2010/inst cat=&givemeall=y&inbound=&lev=&limit=&name=&prov=#{now_tme}'
# 创建 SHA-256 加密对象
sha256_hash = hashlib.sha256()
# 更新加密对象的内容
sha256_hash.update(str_to_hash.encode('utf-8'))
# 计算 SHA-256 值
hashed_str = sha256_hash.hexdigest()
print(hashed_str)
# 要编码的字符串
str_to_encode = "3:" + hashed_str + ":" + now_tme
# 编码为 Base64
encoded_str = base64.b64encode(str_to_encode.encode('utf-8')).decode('utf-8')
print(encoded_str)
import requests

cookie = "Hm_lvt_af1fda4748dacbd3ee2e3a69c3496570=1685955072,1686233371; _clck=1754my6|2|fca|0|1251; TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2ODYyNTE5ODgsImp0aSI6IjY3NjgxOSBOVUxMIiwiaXNzIjoiMTU3KioqKjg3NjEifQ.tbbaj8pLu1Kn-xiEnlKPDQz46OwEMG9bhNZ74fRmGgU; _clsk=ftmyd6|1686236094327|13|1|t.clarity.ms/collect; Hm_lpvt_af1fda4748dacbd3ee2e3a69c3496570=1686236297"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "Cookie": "Hm_lvt_af1fda4748dacbd3ee2e3a69c3496570=1686295065; _clck=s0ucny|2|fcb|0|1255; _clsk=jv0ljy|1686297789178|17|1|t.clarity.ms/collect; Hm_lpvt_af1fda4748dacbd3ee2e3a69c3496570=1686297855",
    "Authorization": encoded_str,
    "Accept": "application/json, text/plain", "referer": "https://www.shanghairanking.cn/institution?name&c=0&r=0&l=0",
    "Authority": "www.shanghairanking.cn",
}
url = "https://www.shanghairanking.cn/api/v2010/inst?name=&prov=&cat=&lev=&givemeall=y&inbound=&limit="
res = requests.get(url=url, headers=headers).text
print(res)
```

over，没太详细，因为太简单了

最后修改：2023 年 06 月 09 日