京东post登陆参数js分析，密码加密的RSA加密实现

老规矩先用错误信息登陆一下抓一下包，看看有那些post字段：

uuid: cf0d4f92-c83b-451a-bc31-be4bf9c546a5eid: 5535JQZQ4ZUMHJEPDFQ7EIQIP4PRSWDLEXGJCVNFQRGNKOKGFFSFHLYDURV5EQVE4JDMIAR3NVD4QEBFQDBSP33GOQfp: 2fe86fc6a5b0410641970234f8438902_t: _tloginType: cloginname: 18328491111nloginpwd: HYnD8Fa/t/8MYKyv3/W7CBix2ILU9WXxgTHyfAVHHWUqbSCd0lVogVWMG4Xmb3fnAM/ILQeiiEeEfP0zWvO0udtgsWANcwEMm55hpFzUnN7xqZIFvpA7F+pRJBaeVfJASCQkzK2jn3vyegTj63UrSv/UQn13mOoX5Xta/XY1Zl4=authcode: d6f9605df4d24876bf0cff329def7eeapubKey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7kw8r6tq43pwApYvkJ5laljaN9BZb21TAIfT/vexbobzH7Q8SUdP5uDPXEBKzOjx2L28y7Xs1d9v3tdPfKI2LR7PAzWBmDMn8riHrDDNpUpJnlAGUqJG9ooPn8j7YNpcxCa1iybOlc2kEhmJn5uwoanQq+CA6agNkqly2H4j6wIDAQABsa_token: B68C442BE645754F33277E701208059080DD726A94A73F76DEC3053A838549C06EB7D3797CE1C5BBE7C2B2EF9CA7D467C4B841002F8A2DEA0DD3ACC5BA959244A539E8B9D2CB176B62FE436B89B8310978A5D9B99A4545B16012582BCDF61F8FC7A8AE9D3A8CC2F220C2541A6395F39025E34AF37F7AC4996E097D59805880B3433423EAC0F6B09DF302DF2D79502CDAA1528E521CF020D4343C933BA246CA2B2824E2577586610927E2018CCCA818EAC6184A835CB655204F760815434F73028152A1D4D141189661606E03FEC5BF7C4B63EFE990F4D2A5FABD155127ECD0DAD87083218C461051CC16BBFADBDDBF9212BC64BA81312BD0D8C0824AACEB0048489A5E5E6352A8BCE3D1A9EEB9030DA9219B6CBDD6E7013BBB221FEEF4C4CDD4F5C8E878F1BC817248E69ECD43E940B45306C151EB74FE74F48CD4F972B22787917C0746B4ADA5B9A412264B12B8E12EC493B0A29C202099940E5CAB365AF68C04130EB930CDFA7E27D503E05FE442E8B6AF6B91882A1C84E9E99F82AA03A8DB4837C97C0F36949B288E7ABF68DAC81B0C4988D0A84A9D6AA1A1FBD13AAFC98AF1AD4CC6B8D6A286620DE2EF28C9C82908780E850CE7F726436541285F93925861F3B6F8F06041C0A74B83CD64DD588DseqSid: 512437118155683888useSlideAuthCode: 1

大概我们就知道我们要分析的字段有nloginpwd其余字段还不清楚，就在上下在看看其他数据包，根据pubkey我们猜测加密方式大概是RSA，继续查看其他数据包，找到一个有价值的get包

信息是：

api_server: "//iv.jd.com/"bg: "iVBORw0KGgoAAAANSUhEUgAAAWgAAACMCAYAAABRRzP1AABHtU"challenge: "7eaf1e6f6c1f4cd2a8dae900e3c95837"message: "success"o: "loginname"patch: "iVBORw0KGgoAAAANSUhEUgAAADIAAAAyCAYAAAAeP4ixAAAHlklEQVR42s2ZXWwUVRTH8UFf1ISEaCIYHkQIRhLTRD4CFOknLdBSbWn5au223YIL21LabretZUubSqCEignQFJUHHvwIgvomGFEDKiZGHkxMBH1RUVOw8SMp0NDr/C/7nz0z3mln2ZKW5J+5c/femfO759xzz5Rp01L4F41GM0+dfEv17t+n2tvbtdBGX1tbW9a0qf6vpaWldKD/sLJAxtM5jJ2qEPto6LGBo+qrLz5Rg7//qEaGB7XQRh9+4zjMmVIQra2te2nc+c/PqtEbg2r01p8Jue7Pf/aRDYO5U8UTFTTq0jcXnABjCGOFZyomm+O+ZDwxlmfwrEmjsAzIhhGvH+v37Qm3MDcOkz2ZYTUAIy5+eS4pT8h7zI2H18BkbvIrMOLaHz+ZDfaha79d5qa/MpmhdRNGIL0aDR3PM5YwNx5aN++Jke+fesfPwaY1/Nevd71HBIgvWZ47kuxq+3rw6ffeNnvCSwbv4BnJwNwViGfcm/rZd3tIjY4OW7rt1O1/1OjIkL+9ZBiTGojfMIGBFAzWIBImfk+Y8RbFoIkHcYeKNjyx8iP//qyuXvlaXTgzoHpONGqhPXz9WwE37HzWeN65MTiBIHigXnFX6ADE+u3W0GX1w6Wz6sMPjmnjCzvS1YzKNK3iPbnqzRP71HcXT+pxDni0vbLcyJDtzYkBscPGFTrWy7D6MPD4G43a4LSmxeqR7Uu0prdk2MI9fsc4AMNziZAToUkghmlcqYHYMZ8IHazo37+c0eGCVW7q36Ze6F2r5netdRhOzWnNsUEggBLI9pAMOYDwnVYb0FBqIPFYxsuGrn7vCJ3g0WJ79Wk0YEwCjASaXvaUmrttqWrcW6JOv9ujn6uBdCgl9ho9DaUEIuP+YH+5HTo0Sq66F4QJRkp6CO+CFwABj8f6ilT5K8u1UgJB2JQMBFTunjyjEeMZ7wXDtgw5tOEheoAQRXtXaqUE0twSUaFIvSqMVqmno0UO491ecN8DHnKPMe0jaHZDhiptzFe7IjlahHjx0BotUaZcF9dPLTV0dnY+5FXZHjGVB9WtO1RWbPOYxqFva0ehinUW6BWGkAwIZQJAaGEcwhd7j8ZLhbuCY5Yu1qfAbiOMRfkAZA160lKtNfBjTiruqHF4gPuEBkH0CKDYhzbOF+wLKK9plWroylZ9+4ttCIQywDftz7cF7+Ba1bNeBfoKNRiuwd5SFe6ucRSVTU1Nj/r5BqnjpMDLd/YOjIeBUsvaMx2JAPcEw/icnSvUptBy7TVCEAQKv5alRQgZYhAB0cb40KtbVEP39uQqZGtwmZ0MYhu0IZRXUpBhhzEAAwz2Ar0FYYNLwVvMWoT0Cr3AwXWqfs9WwnT7/Tq0PQMAvJQQcqNL0StYSbSxNyB6DGGGzS5DESCUG1D20XvB3vV2mFnbYrovmOa2l/SEjt0b7HCCMQw17gkquCtHi233YUoomfXcz5SCN20gK0QBBG/t7NlGmB1+vRLEhFB9UKWH0vVqllTl6dhHm0IflLdhpS2m2LHCUALKLAk4LALeCSFE8R7ChPrKGV5n/HmkuXkOJuxorFcLNi1VaYEsfZ1dkjmmZixbYsNgpQFDb7hlqgjcBykFzyHMDxyupEeu+gKJp2YVsQ5NQEDjQczMW6FBcIWXECI0jAYvqF/9PyCAylJIVtSyMkA4xjoLk/uDhglEil6C5pYs0sajT4YY9oqdqmtytcGPB5/Thslk4PYYPYV+FJ8EhTLaVyXnEWvgE5gQtkILhsJIaTzvIUBAMFxnOSue0UZ4wSvwwsOb023pFY6DSSAJBRi0CU3PPlOXT5Czfjd7OSZsCVdpEAlD0RMMJR5+PPB0+rSgAINNi827LLRag0EwcGaoUAtgpo819hFmbTSQXNaqDN8pDTKq1tggEgZt7AdubmYVHnCE0UDWb0ylspxBNsImhgCGMOIeojckzKLWouTOEavuCnPCvJLFRpDHMtNsCB6aLDdQb8kSXcI5Tvc4oIQjoISEF+c15Kqy5hr/J7ssUbID6xwAbDM7SU/ASGk0gbJiixxygzk8ZzjZsUi7Y2WqNlLrv9aSpcnzWzeqWQXPahEEbVM4oXzI7s2wPcFiEPcmEQSCwYBAPVXdtVrVHVql73HdeaBItXfVele/80oXqtra2vutzgetH+fjFA/UJyYU1CQgCIJzgiASAiuMlYaBDCWCSGMhlh3Masxs+tumuyr575GN4YDnhBXlBTr+CUABBFdmJ4gr6S4ApWAojUZ5gyviHxlsVuVivcEx5q6+EG3KaEQ1RurU9khQVTaXqvXV+Y4DzV1H8Zzg5pYlOjcrDYaQcqGF1Uu0mJWYofgHPkCl9M3urjhlFSsrWawgrlxlZhSZXXhOwGCsNEVj8SciXJlOeWqjjf6UQPAQ1j/8PEVJQeEeL3ML82Akyg2uLI2TEPIcYBh5PS8lEBjgPnhkHcTVdEuONfVBJoMZUialBOL1Eqw0VxviCvsxyEsm73K/4NkpgXi5m6vM390gUjKU3JDuOWM9I2UQrj43ptsTEsgE4AVqujfBTkhoSRAC4CXMRshAzDZeRnl5xw15T0GmopICqWiomJIQyf739H9a36wPen78EQAAAABJRU5ErkJgghhR"static_servers: "//iv.jd.com/"success: "1"y: 47

没有发现明确的关键字，但是可以猜想bg、challenge、patch应该和我们的加密参数相关，但是不确定，只有继续分析加密的js片段：

  $.ajax({            type: "POST",            dataType: "text",            url: "../uc/loginService?nr=1&uuid=" + uuid + "&" + location.search.substring(1) + "&r=" + Math.random() + "&version=2015",            contentType: "application/x-www-form-urlencoded; charset=utf-8",            data: {                uuid:$('#uuid').val(),                eid:$('#eid').val(),                fp:$('#sessionId').val(),                _t:$('#token').val(),                loginType:$('#loginType').val(),                loginname:$('#loginname').val(),                nloginpwd:getEntryptPwd($('#nloginpwd').val()),                authcode:authcode,                pubKey:$('#pubKey').val(),                sa_token:$('#sa_token').val(),                seqSid:window._jdtdmap_sessionId,                useSlideAuthCode:$("#useSlideAuthCode").val()            },

其中好几个字段都是$("#??")格式，这种表示是来自页面的，那在看看网页源码

果然发现了很多有价值的东西在post表单中的，其中只有两个参数是需要单独获取的，其余都是从html源码里面解析出来的

authcode来源  var authcode;        if(useSlideAuthCode){            // authcode = $("#s-authcode").attr('data-code');            authcode = $("#loginsubmit").attr('data-code');        }else{            authcode = $('#authcode').val();        }

是获取的源码中的一个值，再看源码 ![在这里插入图片描述](https://mmbiz.qpic.cn/mmbiz_png/ibn1F3EPLriax7jlNZ5iaMkjlcsZEquY5aC4LOy3ra2hSnB6SuO9RAFkKPgqPuYswDBnoPxTrQeNIxpMpWkJIwFFQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)

看样子是在验证码操作的时候触发的一个请求，返回的authcode的值，查看authcode请求的数据包

d: 0hE005mmwo5~7410o0110000101000001e10h000000y107101000g109101000h107101000h104000000g102000000h104000000h105102000g106000000g104000000h106000000h104000000i103101000g102000000g1020000017104000000f10a103000f10e102000i105000000f102000000g104000000h101000000h102102000g104000000h102000000i102101000g000000005jc: 9c1dc65956154419917df6319a6dd8cdw: 278appId: 1604ebb2287scene: loginproduct: click-bind-suspende: 5535JQZQ4ZUMHJEPDFQ7EIQIP4PRSWDLEXGJCVNFQRGNKOKGFFSFHLYDURV5EQVE4JDMIAR3NVD4QEBFQDBSP33GOQs: 5773112901220889029o: 18328491111callback: jsonp_04645774203955564

这个请求看起来不是那么友好，有好几个疑似加密字段，这个参数暂时放放，继续分析我们的passWord的加密。

继续深入getEntryptPwd($(’#nloginpwd’).val())，查看源码

function getEntryptPwd(pwd){        var pubKey = $('#pubKey').val();        if(!pwd || !pubKey || !SysConfig.encryptInfo){            return pwd;        }        var encrypt = new JSEncrypt();        encrypt.setPublicKey(pubKey);        return encrypt.encrypt(pwd);    }

核心的就两行
encrypt.setPublicKey(pubKey); return encrypt.encrypt(pwd);这必定是RSA加密无疑了，继续查看源码，单独的一个源码文件，一共3300多行，删减版如下

/*! JSEncrypt v2.3.1 | https://npmcdn.com/jsencrypt@2.3.1/LICENSE.txt */(function(a, b) {    if (typeof define === "function" && define.amd) {        define(["exports"], b)    } else {        if (typeof exports === "object" && typeof exports.nodeName !== "string") {            b(module.exports)        } else {            b(a)        }    }})(this, function(ap) {    var bE;    var n = 244837814094590;    var aV = ((n & 16777215) == 15715070);    function bf(z, t, L) {        if (z != ) {            if ("number" == typeof z) {                this.fromNumber(z, t, L)            } else {                if (t ==  && "string" != typeof z) {                    this.fromString(z, 256)                } else {                    this.fromString(z, t)                }            }        }    }    function bm() {        return new bf()    }    function a7(bX, t, z, bW, bZ, bY) {        while (--bY >= 0) {            var L = t * this[bX++] + z[bW] + bZ;            bZ = Math.floor(L / 67108864);            z[bW++] = L & 67108863        }        return bZ    }

······删减了3000行左右

    a3.prototype.decrypt = function(t) {        try {            return this.getKey().decrypt(aW(t))        } catch (z) {            return false        }    }    ;    a3.prototype.encrypt = function(t) {        try {            return ae(this.getKey().encrypt(t))        } catch (z) {            return false        }    }    ;    a3.prototype.getKey = function(t) {        if (!this.key) {            this.key = new bx();            if (t && {}.toString.call(t) === "[object Function]") {                this.key.generateAsync(this.default_key_size, this.default_public_exponent, t);                return            }            this.key.generate(this.default_key_size, this.default_public_exponent)        }        return this.key    }    ;    a3.prototype.getPrivateKey = function() {        return this.getKey().getPrivateKey()    }    ;    a3.prototype.getPrivateKeyB64 = function() {        return this.getKey().getPrivateBaseKeyB64()    }    ;    a3.prototype.getPublicKey = function() {        return this.getKey().getPublicKey()    }    ;    a3.prototype.getPublicKeyB64 = function() {        return this.getKey().getPublicBaseKeyB64()    }    ;    a3.version = "2.3.1";    ap.JSEncrypt = a3});

JSEncrypt是前端使用的实现RSA加密的库，看样子应该比较标准，那就试试能不能改写了，复制全部源码到node.js，会提示navigator、window未定义，这个问题很简单，在文件头定义 var navigator = this; var window = this

然后在文件尾部写个调用程序试试

function test(pwd) {var pubKey = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7kw8r6tq43pwApYvkJ5laljaN9BZb21TAIfT/vexbobzH7Q8SUdP5uDPXEBKzOjx2L28y7Xs1d9v3tdPfKI2LR7PAzWBmDMn8riHrDDNpUpJnlAGUqJG9ooPn8j7YNpcxCa1iybOlc2kEhmJn5uwoanQq+CA6agNkqly2H4j6wIDAQAB";var encrypt = new JSEncrypt();encrypt.setPublicKey(pubKey);return encrypt.encrypt(pwd);}

是可以成功返回RSA加密结果的 ![在这里插入图片描述](https://mmbiz.qpic.cn/mmbiz_png/ibn1F3EPLriax7jlNZ5iaMkjlcsZEquY5aC5gdDCRW74jDPfuVNlpr7SYayxX6N55GjiaOibTTUoCRXETKjGJnSqPLg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1&retryload=1) 京东的post请求不是太难，参数也能在源码中找到，但是他的难度在发出post请求之前的一个get请求，这个get请求和验证有关，和用户名相关，简单看了一下感觉有点复杂，留在第二篇讲获取authcode参数的其他参数是怎么来的。

ID：Python之战
|作|者|公(zhong)号:python之战
专注Python，专注于网络爬虫、RPA的学习-践行-总结
喜欢研究和分享技术瓶颈，欢迎关注
独学而无友,则孤陋而寡闻！