首先F12填個登陸信息，抓個包看看有些什么收獲；在發(fā)出post之前后臺Ajax加了了兩個數(shù)據(jù)，如下

1.返回as、ts、tk三個字段

image

jsonpCallbackb770({code: 0, data: {tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…}})code:0data:{tk: "8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=", as: "6e8eb328",…}as:"6e8eb328"ds:"JcXUIDsjOM2GBUMUbkaht+BXxcoiU2xXWpyUkjTvVI+fDmy6BUpiKtfN7q/Uq6spgnEn+Fd1zi8hou5pdCKGk8egB6+Yj2lIYBXkN6clSmAmGdq6O9zhbmmJWOOxG+IBx5x6QoOYc1pnjLoCj7r9AtocQnLCZXVhgMLvJH7hGhCK6IbDjHPXLoRAKq5/EPUW62yelMz/cR4D7C4qU8eG3pIuUfaMPe1arjVYbljSgLB7/rF8ENlXLszMrD1TYFwQo6PjYW0fPJQ7mwcCVc+MRd2uriUv6Va7/MxcuAH3nosGW5I52GmnLCxEp7AA5lx1cPpq6Asvo1iq+oqQPpSqxAhtGIU3ilnjM/JfAzpxUGR3lvBKbsN0GHDBUzFgk3aSLtpTObD0Rtip21qYL6auGMd9VE4wWNa9ND1uolHIA/mvT90g/nMLTLV3TjaIe51Y7LrdONmVp2j+1ZW78fUPYFDv+bn4gYN7/YIoMpFQOnA4KJ5BY944uU+CEFQHWG1Oz5/Jgf0XRWVp6p54hSfr6Qdu60k3eFvRMaaZ+6ODmImX0tSY8zu5AmPxNtspOmvdsfUDUetaQ/8eOKIoiLLZMiLuFPGqpyKjs+DVJDHSfteJBmYuz2xqgBOWyGw8ldkO0Hb+M30zkg9ELVv1eH6HMdDBlAm8WFcPdrHcIGWnTCcQJJnCqIy7OF1chuweDhPmZgfD98YtIykgekTjA8mPIvm1TDXOT4ExMAGGamSm9eijlMrlT8M3YSJsjHmbzj+HonQfFvdCQQ6oIdmG1jQmpnAaeznXcQy//rM/ngQZFIJavel866B6UdnjAydX2GdEOssPQndGJH8gRcCJIDtyoES874rdoArPj/CFge3qwxZ6A+/Uss6Jm8QuP6D0FUFYv9JgAi6/fkeblNoL73VI2TryHA8QYe2CQX4jhlKm7a4TzCkPF1vVKXEL66UDSrjRVvFN+gvSRpSiMQACXmQOaLjAMUkjjwL8jfck3ce/u7xqLX7Edib6P9wNpY9UYiYOee/YCel6txobviQuL2sLtWUaKfG/U1WfKcd+sLgg061aitdnrYhVe3fJbIq/vovTiEPqaGokkI9iPFmtnQJ7OsNY32FpUGmb4IzRf97sag38bTa7eWrOa2j+q6mdJGc1/0q2jGFf8q+q1lfkW4vuFoABeFk53R1oElccevowZkgnKZYAkxw6jxWm/D5U/5SY6kiqSL2SVDrGVXEC8c7myK6uW4bLY6CZ0e2XO0wd670qwbOIt1XSfcMdLCjzSYV31YIF8gWMKch9NNXGfP7vcfb9gE3g6lubE9VMi8PcGKkgM7qMKbPyDxrH7Ki7XrOhRs58PNzgjkHyoOY+iZi7ZDt8Q+npR4RqsDEEb0T+Ms+u80HjdcdN9KA647RozqgKQ+Gl/q4m3/9Kr8KTnhQfgQ=="tk:"8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58="

發(fā)出這個get請求需要攜帶的參數(shù)如下：

ak:1e3f2dd1c81f2075171a547893391274as:6e8eb328fs:fpypRBX8u9Np5BnKjpqxf8CDddYtri+t5vKBcCCtAuzEnvE+/o7x5ophYGMSNDLgsErrSHaRFaok3Ye4AhC8h9dvmgTCFfk2WulgJZopGLPPFpPUh6HJs4YOMVnVXhjjbhh2KC+0VWSkp/PEDmao8HlDc41hB5JSxjDwNkeaKXaOajhrBtlqMJ57Ytl4uQQhA1RezD68R1adokZdMtbcsSIG7LjgzmIHiZeQo6sALoXGLi19qvfqzc6SgDR7Rm28232iKBdva523ot7jcfVZjn4yzqrZvnvr+qexQ9JDKFdh1dkQHz4PsJim27H5xju88ErsfCU73u6Tg2M5E3hPHglsMju53egtzTH1n4oJj7i5Um5S1qbQfrpC9cHpIuCppbj6/bH3i70yiENWjEfMMRhIS74RnGRJFnXyITcErq43gT4yWh0NpOu5bhbxDDzQoAG7iYGa6qOW6f0imjz/3g3vN1n31cc6ETXBwP2X5FdHC7kvDomFDBEgLfeM+7Ie43Pcn9u/embMXhSmB8sjmMrcqhKUn/vSZf4l27Y3QwQCaYt3DwKJCz+H1O3yA+Jzheb1lkGjtXU/T2NyTb+uARntkCxe/FUI3/RDe5PocbWYKKO9MCdTGjyRpUA/BiRuwfDA7dt4LoY0Zf4c3MbMkZh0OEKuMYza7Ul9qKwIjoQLmKRByFHuoco0EUlzT1pJNtTofZ+oW18ZgZw9hrH36lmTsjJ0ZZ+l++XWcKgWKrVLt8l8H96w/hB1HiFzPpngL2TR00W6somXXtOrFJy99m3JOS78yDnNhyOKlXwwwSHeTm2fwGRx2nzurUUaZV18ecXVzvtJTkzmHoMLyUUtJvxEcAfKJiQxkkhs0XjvIRPjLj3ze/tXDCyeuWbm1Tfx7Wbjovp0NvZ+SiZ+ys8GhnvxYnB18JeTh4QCporODhXTLlXQxElQVRvZSaVcryoYnRXuMoqMKKaWo7R6fS2Elv+4M6BuFz7CPj6ENxTWl9C9N4y9+pbHOCIWepy5n2SQSieEzhLdCfzC0IUY6YHmwuEi48HI50RjQNsJcPtaDXlOURR7z5ybEPphYiKCTlPi53bCupmfx+XZXHu/JdEpQqtomznwo857DYjorpkL5wKNuw9GBzOCqUUe2cvmDKhdplav//YBZCtWkH2v/AIAVzrqzLH8RGFIB2Wie7xj9bN+HfIASPfwrH+I/nxih9xMFd340Q7z/WwUDBkUDvhOFSaJm6Bv8scS2Y1hNPJEv1tJ0FIEZS75J0fS9AF7fx/sKEv+e/itlfDuHfXNxYmMbcHziPOR90fo1S6spyXuqGsi0QkVnUSc5tKLaCxWYTGJDiJBk10UIhdgtjxOC7RhRebFiTsiAESL7f8to2zy42oEga5dJBbAVFLNUSKK+uMfM9Wu4DD+JJXHcY+86l03+w==callback:jsonpCallbackb770v:6633

也就是說我們需要分析出ak、as、fs、v、callback這幾個字段的來源

2.返回key、pubkey

image

errno:"0"key:"oqeFiMtTJkyE7rhXq04bEE0xjX3sR09A"msg:""pubkey:"-----BEGIN PUBLIC KEY-----?MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNnGNrfFkygOeBatSz8A2bDyIG?i0DonH36pzjQF10gnI/1flW+Q521/Y+KRUeNZhSS66sscyQkIFwcAgo0dWADX4oS?B3EfP+l6xoOyu6Xvfq3S7c5xq75Y9g4sDXBDm55We30ca7hHRXvKaZKU9smj/RSd?BR7UIfFoBFYnIRCEvQIDAQAB?-----END PUBLIC KEY-----?"traceid:""

要得到這兩個參數(shù)看請求攜帶了什么東西

token:cfde53efbe26bdef8ad3b2147eb10417tpl:mnapiver:v3tt:1546826783617gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472loginversion:v4traceid:callback:bd__cbs__8sabl9

需要的字段還挺多看樣子有點棘手.

再看post請求所需的參數(shù)

staticpage:https://www.baidu.com/cache/user/html/v3Jump.htmlcharset:UTF-8token:cfde53efbe26bdef8ad3b2147eb10417tpl:mnsubpro:apiver:v3tt:1546826812217codestring:safeflg:0u:https://www.baidu.com/s?ie=utf8&oe=utf8&wd=%E7%99%BE%E5%AE%B6%E5%8F%B7&tn=98012088_6_dg&ch=9isPhone:falsedetect:1gid:EE2ED1E-E4A5-4ABC-9E13-9972E89AE472quick_user:0logintype:dialogLoginlogLoginType:pc_loginDialogidc:loginmerge:truesplogin:rateusername:18328496803password:fQ99xuV0uzmnEciyYZYOUYHWIJhh6ttVYy3IkwWfhdgnCaQNCMUVgbr42SKSqOF7evv27tHdHK0SLHQfoodNDVg4g7skCR8qKMX1LYCwXcxxwhqwnabbxT5kie4T/uyygdF26qoizpNZKzTsFM3Uq3z2lsUlwp4vKvBOFoeK3tQ=mem_pass:onrsakey:oqeFiMtTJkyE7rhXq04bEE0xjX3sR09Acrypttype:12ppui_logintime:40718countrycode:fp_uid:fp_info:loginversion:v4ds:wfHjARADdpfQhbI+jByC0wNU1p6S2oHEJEmVtSteNLIkXjTbCf6QEAcrj/g+J5WBB1P9WF+yrXZ0BeNi95/F50mSj7s6GvbQd9FPVT10CpVr/aaDtTxJI6rKhv0FgeWIzvedO0D14y6g5mZROSJU8f1kDyQywaFzmbgQWq9KUMk4sumxxnjtx+qmYDsVfv4tmuwVkjWzp8nds1OYyAcnbZ8HIV2qqhqVGRsuTdLJIWMPAq2AwUQMfbhh+s4isjP1Itt/jtOr2HmHp5xA7j5U1pzehy/cUBsoHfNpPuNPVBhOaSnEKalOGUO4tsOF4SWW/u2Xxh3NhT4o8rB7N8Nwf0Fo/zw79e6fWdIQW6c6HQUA4jxHuNRq+xrfFfR+JriP+K2B0LzayO5Ejca/r5JELarFUoCFPv5N+rcdtoOsD3Vi8CmlHHaclQtldXIx/LirlDZ/0nbcYQjcSTE6J8xHPaEJCY9DvLoQymMkzY7S5nnogaiKz+y9CIKph8ux8JaZLoQrjEJ9sKCvZRwFdT3oh/nz6uoxSOl8C1cLnJa+cTTKCen6qicaBjXyajIues99nxZs1hDk2e3TbPrD/oZwlmTq7MA7ZLXVgU4xije9TsyZR6gDEp/lZXAP40gCE/eJUDZe8IcDFU9tSSV27k1PhGFtyfq6ckIezNA6xseQH4rboWX4r1w58HMvOSJDFkU22DIr1Q1CAQ791PyMgf8YnvELL4cMmw/AiVJgcMJtBmmevJTbjTjbsJJi6s1LPcQor01O8L9rs0Eb7pQ7s2PrI0LydgWGiCV21G5otjfjAm98SDEVmyHrFxTM7cy0nHSUw1jfYWlQaZvgjNF/3uxqDfxtNrt5as5raP6rqZ0kZzX/SraMYV/yr6rWV+Rbi+4WgAF4WTndHWgSVxx6+jBmSMue96V5BmUQQ7JISSrD1yjqSKpIvZJUOsZVcQLxzubIrq5bhstjoJnR7Zc7TB3rvSrBs4i3VdJ9wx0sKPNJhXfVggXyBYwpyH001cZ8/u9x9v2ATeDqW5sT1UyLw9wYqSAzuowps/IPGsfsqLtes6FGznw83OCOQfKg5j6JmLtkO3xD6elHhGqwMQRvRP4yz67zQeN1x030oDrjtGjOqApD4aX+ribf/0qvwpOeFB+Btk:8016Kzycp+GQ3kI/uAoVvVOz/kiwN3UrRnrmtz/22RuUQ58=dv:tk0.425039906558432931546826771927@eel0j-sAqy7kqZn0oD8UvhAnwJHo64Gb0lGUwlCG6bSzwyFmlXsbBys2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0jsAHjJk0lsNll7o8hABS54HUJGUhAHodXsowJtrobt~SetY4ZsA4zsA8dsAqy7kqZn0oD8UvhAnwJHo64Gb0lGUwlCG6bSzwyFmlX6kBUs2lXskpZsmXH4Hc2HBo6GUw4HUhJsAhJG~hTt~6~O~vB7k0Us1QzJq__tl0lesAqbsmlb6AQZ6kpjDmXdDA4y7ksUD5lU6bQb72l~DkqZsA0U7k0lDkqz7o8hABS54HUJGUhAHodXsowJFYwyOGlx61HZsbql7kscskCc72l_-hhIyhBA4VsthBlIs5lXsmlXsq__ClvSrZl714y6AqbDABl61HUDk4bs1BbsAHj61Qy61t~sABy6l__ilEImXUOY83FY3RFE4_ul0eh61HZsABysmlXDAqb7k0xsbHZsABysmlXskQl7k0cs1qZsABysmlc6bt_traceid:44622A01callback:parent.bd__pcbs__jf1wx1

上面標(biāo)紅的就是我們要重點關(guān)照的字段

然后搜索token的值，發(fā)現(xiàn)在一個js文件里面，然后提取js文件url出來分析

image

URL

https://passport.baidu.com/v2/api/?getapi&tpl=mn&apiver=v3&tt=1546834671350&class=login&gid=E7C72FB-C518-4030-BB7E-555DD8046BE6&loginversion=v4&logintype=dialogLogin&traceid=&callback=bd__cbs__600yh6:formatted

多次測試結(jié)果情況就是這個get請求返回的結(jié)果之和gid相關(guān)，其他參數(shù)都可以使用固定值,即使不懈怠tt、callback參數(shù)也能返回正常的token并且，不懈怠callback參數(shù)請求返回的是標(biāo)準json格式。

看一下git生成

搜索一下gid=的生成找到下面一段代碼

  o.on("hide", function() {                var o = document.location.protocol.toLowerCase()                  , e = n.guideRandom ? n.guideRandom : "";                if ("http:" == o)                    var t = "http://nsclick.baidu.com/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();                else if ("https:" == o)                    var t = "https://passport.baidu.com/img/v.gif?pid=111&url=&logintype=hide&merge=1&gid=" + e + "&tpl=" + i.apiOpt.tpl + "&tt=" + (new Date).getTime();

gid = e= n.guideRandom ? n.guideRandom : "",順藤摸瓜找到生成gid的js

<pre style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; word-wrap: break-word !important; font-size: inherit; color: inherit; line-height: inherit;">

        this.guideRandom = function() {            return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {                var t = 16 * Math.random() | 0                  , n = "x" === e ? t : 3 & t | 8;                return n.toString(16)            }).toUpperCase()        }(),那就應(yīng)該是這樣的了

</pre>

image

callback

這個參數(shù)和返回來的相應(yīng)文件開頭相同，猜想應(yīng)該是可以自定義的，可以用固定值，不過還是看看他的來源；多請求幾次發(fā)現(xiàn)固定部分是parent.bd__pcbs__，然后全局搜索相關(guān)找到兩條js

 var l = r.timeOut || 0                  , d = !1                  , u = c.getUniqueId("bd__pcbs__");

 e.getUniqueId = function(e) {                return e + Math.floor(2147483648 * Math.random()).toString(36)            }

可見核心代碼：e + Math.floor(2147483648 * Math.random()).toString(36)

image

接著看tt

tt參數(shù)是時間戳*1000取前13位

gid

請求token的gid和post請求的gid是同一個，可以生成，也可以使用一個固定值

password

重點的加密字段，查找對應(yīng)來源js代碼如下

o.password = baidu.url.escapeSymbol(e.RSA.encrypt(a)

很明顯是RSA 加密，pubkey是在發(fā)送post請求之前的一個get請求而來，進一步簡化這個get請求，只需要攜帶gid、token就可以返回pubkey

https://passport.baidu.com/v2/getpublickey?token=cfde53efbe26bdef8ad3b2147eb10417&gid=EE2ED1E-E4A5-4ABC-9E13-9972E89AE472

image

針對password可以直接使用Python實現(xiàn)RSA加密，然后使用Base64編碼結(jié)果，對于完整的js實現(xiàn)留在第二篇分析

rsa

rsa是請求pubkey一同返回的key字段

tk、ds

文章開頭的一個get請求返回的數(shù)據(jù)

dv

一長串字符看樣子有點難度，尚不知道這個參數(shù)的作用，那么有三種解決方案，復(fù)制一個固定值、留空白值、破解生成函數(shù)，不到最后是不愿意去找js的。下面看看這個參數(shù)生成的js出處

var a = document.getElementById("dv_Input")                                          , c = {                                            gid: n.guideRandom || "",                                            username: n._SBCtoDBC(i.value),                                            countrycode: s,                                            bdstoken: n.bdPsWtoken,                                            tpl: n.config.product ? n.config.product : "",                                            vcodestr: n.getElement("smsHiddenFields_smsVcodestr").value,                                            vcodesign: n.getElement("smsHiddenFields_smsVcodesign").value,                                            verifycode: n._SBCtoDBC(n.getElement("confirmVerifyCode").value),                                            flag_code: n.config.voice_sms_flag,                                            dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""                                        }

dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""

調(diào)試時在打開頁面的同時就生成了這個值，那么可以考慮是一個固定值或者使用固定值，還不確定需要在看看js

    function d(e) {            M && (x = e.token + "@" + S(e, e.token),            (1 & F.SendMethod) > 0 && c(x))        }        function c(n) {            var r = t.getElementById("dv_Input");            r && (r.value = n),            e.LG_DV_ARG.dvjsInput = n        }

在c函數(shù)上面找到d函數(shù)，看樣子應(yīng)該八九不離十了，在調(diào)試一下看什么情況，繼續(xù)查找S函數(shù)

function S(e, t) {            var r = new n(t)              , o = {                flashInfo: 0,                mouseDown: 1,                keyDown: 2,                mouseMove: 3,                version: 4,                loadTime: 5,                browserInfo: 6,                token: 7,                location: 8,                screenInfo: 9            }              , a = [r.iary([2])];            for (var i in e) {                var d = e[i];                if (void 0 !== d && void 0 !== o[i]) {                    var c;                    "number" == typeof d ? (c = d >= 0 ? 1 : 2,                    d = r.int(d)) : "boolean" == typeof d ? (c = 3,                    d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,                    d = r.bary(d)) : (c = 0,                    d = r.str(d + "")),                    d && a.push(r.iary([o[i], c, d.length]) + d)                }            }            return a.join("")        }

未完待續(xù)······

ID：Python之戰(zhàn)

|作|者|公(zhong)號:python之戰(zhàn)

專注Python，專注于網(wǎng)絡(luò)爬蟲、RPA的學(xué)習(xí)-踐行-總結(jié)

喜歡研究和分享技術(shù)瓶頸，歡迎關(guān)注

獨學(xué)而無友,則孤陋而寡聞！