课后网登录+课程回放分析及代码实现
0x01 前言
上课没跟上,准备看回放,登录过程中就想能不能搞一搞,写完笔记后就抓包分析了一下。我们上网课使用的是课后网(无限宝),于是就有了这篇帖子。分析+帖子排版耗时大改4h,肝到12:20。
0x02 工具及开发环境
- Charles(我叫它’插花瓶’)
- Google Chrome
- Visual Studio Code
- Python 3.8.1
- JS调试工具
- nodejs
0x03 分析
Login
登录首页 https://center.kehou.com/login.htm?serverId=1&url=https%3A%2F%2Fhljskzkt.db.kehou.com%2Findex.htm&platform=db&aid=3
- 获取验证码 https://center.kehou.com/scriptInit.htm?callback=onCallBack&scriptId=()&serverId=5&signature=() 这里获取验证码的scriptid对应首页网页源码script_id,signature对应init_req_sign
response = requests.get(url,headers = headers1)
html_content = response.text.replace(' ','').replace('\t','').replace('\n','').replace('\\','')
#signature = re.findall('id="signature"value="(.*?)"',html_content,re.S)[0]
script_id = re.findall("script_id:\'(.*?)'",html_content,re.S)[0]
init_req_sign = re.findall("init_req_sign:\'(.*?)'",html_content,re.S)[0] # 获取验证码用的'signature'
login_init_sign = re.findall("login_init_sign:\'(.*?)'",html_content,re.S)[0] # 登录用的'signature'
login_encry_key = re.findall("login_encry_key:\'(.*?)'",html_content,re.S)[0] # 登录用的加密key
url = 'https://center.kehou.com/scriptInit.htm?callback=onCallBack&scriptId=' + script_id + '&serverId=5&signature=' + init_req_sign
response = requests.get(url,headers = headers2)
Token_id = re.findall('"Token_id":"(.*?)"',response.text,re.S)[0]
verify_url = 'https://center.kehou.com/verifyCode.htm?tokenId=' + Token_id
response = requests.get(verify_url)
with open('verify.png','wb') as f:
f.write(response.content)
- 构造登陆数据
登录网址 https://center.kehou.com/scriptLogin.htm
账号111111111密码2222222222的登陆数据(get)
loginType SCRIPT_LOGIN callbackon CallBack loginField 1111111111 password 2e3129c366b4455dfe50c587d94c122b platform db serverId 5 verifyCode 2305 ruleId DEFAULT url https://hljskzkt.db.kehou.com/index.htm signature 2167c852971b961e31c8a76e5d0cc26e aid 3 scriptId 91D3D5E14ECB42C98F2AA0F304C96CB6 tokenId B5DCE5867EB347A38ECC775A894494FE loginSign ALWAYS_ASK _ 1591072403658
经前后检查,发现登陆数据signature为登陆首页源码的login_init_sign,tokenId为获取验证码时的tokenId。
可以看到只有一个数据是加密的:password,这里浏览器调试工具搜索关键字
跟踪scriptLogin
经前后检查,发现加密loginParam.login_encry_key为登录首页获取的login_encry_key,pw_id_val为密码明文
这里已经很明显了,password的加密过程,把部分代码放到js调试工具,构造加密函数,获取加密返回值
- 提交登陆数据后
返回响应内容
onCallBack(‘{“Status”:true,”Multil”:false,”LoginType”:”SCRIPT_LOGIN”,”Users”:[{“realName”:””,”agencyDomain”:”hdb.kehou.com”,”agencyName”:”省空中课 堂(db)”,”url”:”https://login.db.kehou.com/centerFastLogin.htm?serverId=5&loginField=9327C569571DB040410CB3A61DDBE9A4B884BD1D0E781FDF7754F966385485AD041AB947B97D408F3C&loginSign=ALWAYS_ASK×tamp=159100430&signature=c5316eca4ba83e81936&url=%2F%2Fhljskzkt.db.kehou.com”,”username”:”18198”}],”Section”:”login”}’);
(部分内容已经清理,涉及个人信息)
抓包分析下一步访问的网址在相应内容的基础上增加了Token和script_id
url = re.findall('"url":"(.*?)"',response.text,re.S)[0] + '&tokenId=' + Token_id + '&scriptId=' + script_id
访问这个新构造的url,即可完成登录过程
headers3 = {
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36',
'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'sec-fetch-site': 'same-site',
'sec-fetch-mode': 'navigate',
'sec-fetch-user': '?1',
'sec-fetch-dest': 'document',
'referer': 'https://center.kehou.com/login.htm?serverId=1&url=https%3A%2F%2Fhljskzkt.db.kehou.com%2Findex.htm&platform=db&aid=3'
}
response = requests.get(url,headers = headers3)
再次访问课程网页可以看到已经可以获取点播课程,说明登录获取的cookie生效
login细节说明及问题
1,上文可以看到我在js调试工具里已经获取到pwd的加密内容,但在python里却不能正常获取。
**解决办法:在运行目录执行npm install cryptojs,再在js里引用模块**
def get_password(login_encry_key,password):
with open('getpwd.js','r') as f:
js_code = f.read()
encrypt_password = execjs.compile(js_code).call('getpwd',login_encry_key,password)
return encrypt_password
function getpwd(login_encry_key, password) {
var CryptoJS = require('crypto-js');
var key = CryptoJS.enc.Hex.parse(login_encry_key);
var iv = CryptoJS.enc.Hex.parse("30313233343536373839414243444546");
var securityPwd = CryptoJS.AES.encrypt(password, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
}).ciphertext.toString();
return securityPwd;
}
**另外这里应该可以用python直接实现加密,奈何本人不会,直接用现成的js代码实现,如果有大神会的话希望可以分享下代码,谢谢!** 2,使用
requests = requests.session()
帮助处理cookie,避免** 3,这类登录实现一定要注意headers,尤其refence字段,如果错误,访问无法继续,耽误我最长时间的就是这个refence
完整的登录代码(python配合js)
import requests
import execjs
import re
import time
requests = requests.session()
headers2 = {
'referer': 'https://center.kehou.com/login.htm?serverId=1&url=https%3A%2F%2Fhljskzkt.db.kehou.com%2Findex.htm&platform=db&aid=3',
'sec-fetch-dest': 'script',
'sec-fetch-mode':'no-cors',
'sec-fetch-site': 'same-site',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36'
}
def login(user,password,verify,Token_id,login_init_sign,login_encry_key,script_id):
url = 'https://center.kehou.com/scriptLogin.htm'
encrypt_password = get_password(login_encry_key,password)
params = {'loginType': 'SCRIPT_LOGIN','callback': 'onCallBack','loginField': user,'password': encrypt_password,'platform': 'zj','serverId': '5','verifyCode': verify,'ruleId': 'DEFAULT','url': 'https://hljskzkt.db.kehou.com/index.htm','signature': login_init_sign,'aid': '-1','scriptId': script_id,'tokenId': Token_id,'loginSign': 'ALWAYS_ASK','_': str(int(round(time.time() * 1000)))}
response = requests.get(url,params = params,headers = headers2)
print(response.text)
url = re.findall('"url":"(.*?)"',response.text,re.S)[0] + '&tokenId=' + Token_id + '&scriptId=' + script_id
headers3 = {
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36',
'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'sec-fetch-site': 'same-site',
'sec-fetch-mode': 'navigate',
'sec-fetch-user': '?1',
'sec-fetch-dest': 'document',
'referer': 'https://center.kehou.com/login.htm?serverId=1&url=https%3A%2F%2Fhljskzkt.db.kehou.com%2Findex.htm&platform=db&aid=3'
}
response = requests.get(url,headers = headers3)
headers4 = {
'sec-fetch-dest': 'document',
'sec-fetch-mode': 'navigate',
'sec-fetch-site': 'none',
'sec-fetch-user': '?1',
'upgrade-insecure-requests': '1',
'referer': 'https://vod.db.kehou.com/vod/myVideoCenter.htm',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36'
}
response = requests.get('https://vod.db.kehou.com/vod/myVideoCenter.htm',headers = headers4)
print(response.text)
def login_initialize():
headers1 = {
'sec-fetch-dest': 'document',
'sec-fetch-mode': 'navigate',
'sec-fetch-site': 'none',
'sec-fetch-user': '?1',
'upgrade-insecure-requests': '1',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36'
}
url = 'https://center.kehou.com/login.htm?serverId=1&url=https%3A%2F%2Fhljskzkt.db.kehou.com%2Findex.htm&platform=db&aid=3'
response = requests.get(url,headers = headers1)
html_content = response.text.replace(' ','').replace('\t','').replace('\n','').replace('\\','')
#signature = re.findall('id="signature"value="(.*?)"',html_content,re.S)[0]
script_id = re.findall("script_id:\'(.*?)'",html_content,re.S)[0]
init_req_sign = re.findall("init_req_sign:\'(.*?)'",html_content,re.S)[0] # 获取验证码用的'signature'
login_init_sign = re.findall("login_init_sign:\'(.*?)'",html_content,re.S)[0] # 登录用的'signature'
login_encry_key = re.findall("login_encry_key:\'(.*?)'",html_content,re.S)[0] # 登录用的加密key
url = 'https://center.kehou.com/scriptInit.htm?callback=onCallBack&scriptId=' + script_id + '&serverId=5&signature=' + init_req_sign
response = requests.get(url,headers = headers2)
Token_id = re.findall('"Token_id":"(.*?)"',response.text,re.S)[0]
verify_url = 'https://center.kehou.com/verifyCode.htm?tokenId=' + Token_id
response = requests.get(verify_url)
with open('verify.png','wb') as f:
f.write(response.content)
verify = input("请输入验证码:")
login('18','',verify,Token_id,login_init_sign,login_encry_key,script_id)
def get_password(login_encry_key,password):
with open('getpwd.js','r') as f:
js_code = f.read()
encrypt_password = execjs.compile(js_code).call('getpwd',login_encry_key,password)
return encrypt_password
if __name__ == "__main__":
login_initialize()
课程回放(没有python实现,只有分析过程)
在登录解决后,回放获取数据就比较容易了。
课程主页 https://vod.db.kehou.com/vod/myVideoCenter.htm
-
获取课程vodid(课程主页网页源码)
-
通过vodid获取课程详情
-
通过详情id获取视频播放权限状态及信息
获取othermsg以及repoterid
- 获取视频播放地址post(指定播放器)
这里的uid对应上面获取的othermsg
返回的数据去掉’:’后面的内容然后通过注册表注册协议打开播放器
0x04 其他
1,这个课程回放开始观看后视频1天后失效,无法观看。我刚开始觉得是像服务器提交观看时间,然后计算失效时间,可以突破视频时效。结果并不是这样。
2,Charles(插花瓶)真的好用,安装ssl证书非常简单(包括手机端),界面简洁。目前我使用别人的激活码,后续会支持正版的。
3,这个登录过程感觉用手机user-agent模拟后再分析可能会简单。
4,加密password调用js绝对不是最好的办法,完全可以用python库解决,如果有大神会的话希望可以分享下代码,再次感谢。
0x05 结尾
网课盼开学,开学想网课。我是东三省的学生,还要过一段时间开学,网课期间学习还是没有在学校认真的。希望大家可以珍惜每一次的学习机会,这次网课经历绝对可以载入史册的(滑稽)。 另外闲谈一句,感觉网课回放功能有依赖,哈哈哈上课不认真听了,建议切除。