江西省技能培训平台(逆向破解登录国密SM2)
江西省技能培训平台(逆向破解登录)
登录流程复现(国密 SM2 加密方式)。注意:这里并没有“破解”SM2 算法本身,只是复现了前端的加密步骤(取公钥 → base64 → SM2 加密),以便用脚本完成登录。
请求接口
https://api.cloud.wozhipei.com/auth/user/v1/login
使用身份证和密码登录时,观察登录请求,发现请求体中的 password 字段已经是密文,于是开始逆向前端 JS。
在前端代码中全局搜索后,发现密码使用国密 SM2 进行加密:公钥由 /auth/user/v1/public_key 接口下发,密码先做 base64 编码,再用该公钥做 SM2 加密。
模拟算法
js
使用 JS 复现加密流程:先请求公钥,再用 SM2 加密 base64 后的密码,最后把密文和公钥一起提交到登录接口。
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<script src="./sm2.js"></script>
<script src="./base64.js"></script>
<script>
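// Fetches the server's SM2 public key and encrypts the password with it.
//
// Returns { publicKey, encryptData }. On any failure (network, non-2xx
// status, JSON or encryption error) the error is logged and an EMPTY object
// is returned, so a caller that destructures the result does not throw on
// `undefined`. Relies on the global `sm2` object loaded from ./sm2.js.
async function fetchPublicKeyAndEncrypt() {
  try {
    // NOTE(review): some browsers treat "User-Agent" as a forbidden request
    // header and silently drop it from fetch(); it is kept here only to
    // mirror the original request shape.
    const response = await fetch('https://api.cloud.wozhipei.com/auth/user/v1/public_key', {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        "User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
      }
    });
    // Without this check an error page would be fed to response.json() and
    // a missing "data" field would become an undefined public key.
    if (!response.ok) {
      throw new Error(`public_key request failed with HTTP ${response.status}`);
    }
    const result = await response.json();
    console.log('提交成功,服务器返回:', result["data"]);
    console.log('sm2Encrypt', sm2);
    // Public key as returned by the server (the format expected by sm2.js).
    const publicKey = result["data"];
    // Placeholder; replace with the real password.
    const pwd = "你的密码";
    // 1 - C1C3C2, 0 - C1C2C3; the server expects C1C3C2 (default 1).
    const cipherMode = 1;
    // The backend expects base64 of the UTF-8 bytes of the password as the
    // SM2 plaintext. Plain btoa(pwd) throws on characters outside Latin-1
    // and encodes U+0080..U+00FF as Latin-1 rather than UTF-8, which would
    // diverge from the Python client (b64encode(pwd.encode('utf-8'))).
    const utf8Bytes = new TextEncoder().encode(pwd);
    const encodedPwd = btoa(String.fromCharCode(...utf8Bytes));
    // Do not log encodedPwd: base64 is an encoding, not encryption, and the
    // browser console is not a safe place for credentials.
    const encryptData = await sm2.doEncrypt(encodedPwd, publicKey, cipherMode);
    return { publicKey, encryptData };
  } catch (error) {
    console.error('请求出错:', error);
    return {};
  }
}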
// POSTs an already-serialized JSON login body to the login endpoint and
// returns the parsed JSON reply. Network or parse failures are logged and
// yield undefined (no exception escapes to the caller).
async function login(data) {
  const loginUrl = 'https://api.cloud.wozhipei.com/auth/user/v1/login';
  const requestHeaders = {
    'Content-Type': 'application/json',
    "User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
  };
  try {
    const reply = await fetch(loginUrl, {
      method: 'POST',
      body: data,
      headers: requestHeaders,
    });
    console.log('响应:', reply);
    // Parsed inside the try so a non-JSON body is handled like a network error.
    return await reply.json();
  } catch (error) {
    console.error('请求出错:', error);
  }
}
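// Entry point: obtain the public key and the encrypted password, then log in.
// The chain now ends in .catch(), and the helper's result is guarded before
// destructuring: if fetchPublicKeyAndEncrypt() resolved to undefined (its
// catch path), the original `({publicKey, encryptData}) =>` parameter threw a
// TypeError that surfaced as an unhandled promise rejection.
fetchPublicKeyAndEncrypt()
  .then((result) => {
    const { publicKey, encryptData } = result || {};
    if (!(publicKey && encryptData)) {
      return undefined;
    }
    const data = {
      "account": "你的身份证",
      "appKey": "WEB",
      "sid": 1018,
      "type": 1,
      "authOpenId": "",
      "authType": "",
      // NOTE(review): the server-supplied public key is echoed back to the
      // server here. Whether the backend uses this client-controlled field to
      // select its decryption key is not visible from the client side.
      "publicKey": publicKey,
      "password": encryptData
    };
    console.log('获取到的公钥:', publicKey);
    console.log('加密后的数据:', encryptData);
    console.log('请求体:', JSON.stringify(data));
    // Returned so the outer .catch() also covers a failure inside login().
    return login(JSON.stringify(data)).then(res => {
      console.log('loingrespionse:', res);
    });
  })
  .catch((error) => {
    console.error('登录流程出错:', error);
  });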
</script>
<body>
</body>
</html>
成功登录:
python
Python 侧使用 gmssl,这里有一个坑:直接 `pip install gmssl` 装到的 3.2.1 版本实现的是旧版 SM2 密文格式,用它生成的密文后端无法解密,登录一直校验不通过,这个坑我踩了很久,感谢我的学弟发现。SM2 密文存在新旧两种格式,该网站后端使用的是新格式;使用旧格式时后端无法解密,导致校验失败,请使用 3.2.2(新版)。
旧版3.2.1
新版3.2.2
代码:
login.py
# coding=gb2312
from gmssl import sm2
import requests
from base64 import b64encode
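def getToken(idCar, pwd, timeout=15):
    """Log in to the wozhipei API and return the raw login response body.

    Args:
        idCar: account identifier (the ID-card number used as the login name).
        pwd: plaintext password. It is base64-encoded (UTF-8 bytes) and then
            SM2-encrypted with the server-provided public key before sending;
            the plaintext is never logged or written anywhere.
        timeout: per-request timeout in seconds. ``requests`` has no default
            timeout, so without this an unresponsive server blocks forever.

    Returns:
        The login endpoint's response body decoded as UTF-8 (not parsed). The
        body is returned regardless of the login response's HTTP status, as
        in the original client, so callers can inspect server-side errors.

    Raises:
        requests.HTTPError: if the public-key request returns a non-2xx status.
        requests.RequestException: on connection errors or timeout.
        KeyError: if the public-key reply has no "data" field.
    """
    public_key_url = "https://api.cloud.wozhipei.com/auth/user/v1/public_key"
    login_url = "https://api.cloud.wozhipei.com/auth/user/v1/login"
    headers = {
        "User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
        "Content-Type": "application/json"
    }

    response = requests.get(public_key_url, headers=headers, timeout=timeout)
    # Fail loudly here: an error page would otherwise surface as a confusing
    # KeyError or as an unusable public key.
    response.raise_for_status()
    public_key = response.json()["data"]

    # mode=1 selects the C1C3C2 ciphertext layout, matching cipherMode=1 in the
    # browser client. gmssl 3.2.2 is required; 3.2.1 produces ciphertext the
    # backend cannot decrypt (see the note above this listing).
    sm2_crypt = sm2.CryptSM2(public_key=public_key, private_key="", mode=1)
    # The backend expects base64 of the UTF-8 password as the SM2 plaintext;
    # encrypt() returns bytes, which are sent hex-encoded.
    encrypt_data = sm2_crypt.encrypt(b64encode(pwd.encode("utf-8"))).hex()

    data = {
        "account": idCar,
        "appKey": "WEB",
        "sid": 1018,
        "type": 1,
        "authOpenId": "",
        "authType": "",
        # NOTE(review): the server-supplied public key is echoed back to the
        # server; whether the backend uses this client-controlled field to
        # select its decryption key is not visible from the client side.
        "publicKey": public_key,
        "password": encrypt_data
    }
    response = requests.post(login_url, headers=headers, json=data, timeout=timeout)
    return response.content.decode("utf-8")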
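if __name__ == "__main__":
    # Guarded so importing this module does not fire a live login request.
    # The literals are placeholders: supply real credentials from an
    # environment variable or a secret store rather than committing them.
    token = getToken("身份证", "密码")
    print(token)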