记录一次微信公众号应用查询结果接入NR(Node-RED)的过程

朋友求助很早之前我给其搞的查询流最近无法查询到数据,返回服务器内部错误,经Chrome调试发现,该平台查询参数和返回数据均已从明文改成加密传输,需要重新处理数据。索性将此过程记录方便后期回顾,亦方便后来人。。。

因涉及到一些不便言明的问题,本文将对相关微信公众号信息做打码处理,下文直接上步骤和思路。

一、抓包

为了获得所需数据并调试,我们首先需要抓包,手机抓包就不赘述了,自己百度吧。。
抓到包后开始分析数据。 我就直接在抓包结果里写注释了

  {
    "startTime": 1601264250454,
    "id": "1601264250452-103",
    //尝试登陆
    "url": "http://微信公众号的服务器地址/weixin/rs/weixin/getcode?state=标签参数",
    "req": {
      "method": "GET",
      "httpVersion": "1.1",
      "ip": "192.168.110.198",
      "port": 61390,
      "rawHeaderNames": {
        "host": "Host",
        "proxy-connection": "Proxy-Connection",
        "upgrade-insecure-requests": "Upgrade-Insecure-Requests",
        "accept": "Accept",
        "user-agent": "User-Agent",
        "accept-language": "Accept-Language",
        "accept-encoding": "Accept-Encoding",
        "connection": "Connection",
        "proxy-authorization": "Proxy-Authorization"
      },
      "headers": {
        "host": "微信公众号的服务器地址",
        "upgrade-insecure-requests": "1",
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "accept-language": "zh-cn",
        "accept-encoding": "gzip",
        "connection": "keep-alive"
      },
      "trailers": {},
      "size": 0,
      "body": false,
      "rawHeaders": {
        "Host": "微信公众号的服务器地址",
        "Upgrade-Insecure-Requests": "1",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "Accept-Language": "zh-cn",
        "Accept-Encoding": "gzip",
        "Connection": "keep-alive"
      }
    },
    "res": {
      "ip": "IP地址",
      "port": 80,
      "rawHeaderNames": {
        "x-frame-options": "X-Frame-Options",
        "x-content-type-options": "X-Content-Type-Options",
        "x-xss-protection": "X-XSS-Protection",
        "location": "Location",
        "content-length": "Content-Length",
        "date": "Date",
        "server": "Server"
      },
      "statusCode": 302,
      "statusMessage": "Found",
      "headers": {
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "x-xss-protection": "1; mode=block",
         //公众号返回302跳转微信登陆地址,利用微信oauth2认证
        "location": "https://open.weixin.qq.com/connect/oauth2/authorize?appid=公众号APPID&redirect_uri=http%3A%2F%2F微信公众号的服务器地址%2Fweixin%2Frs%2Fweixin%2FgetOpenid&response_type=code&scope=snsapi_base&state=标签参数",
        "content-length": "0",
        "date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "server": ""
      },
      "trailers": {},
      "size": 0,
      "body": false,
      "rawHeaders": {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Location": "https://open.weixin.qq.com/connect/oauth2/authorize?appid=公众号APPID&redirect_uri=http%3A%2F%2F微信公众号的服务器地址%2Fweixin%2Frs%2Fweixin%2FgetOpenid&response_type=code&scope=snsapi_base&state=标签参数",
        "Content-Length": "0",
        "Date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "Server": ""
      }
    },
    "rules": {},
    "pipe": null,
    "rulesHeaders": {},
    "dnsTime": 1601264250479,
    "useH2": false,
    "requestTime": 1601264250530,
    "responseTime": 1601264250597,
    "endTime": 1601264250597,
    "method": "GET",
    "hostIp": "IP地址",
    "clientIp": "192.168.110.198",
    "date": "2020/9/28 上午11:37:30",
    "clientPort": 61390,
    "serverPort": 80,
    "body": 0,
    "result": 302,
    "type": "",
    "time": "143ms",
    "download": "0ms",
    "response": "67ms",
    "request": "51ms",
    "dns": "25ms",
    "protocol": "HTTP",
    "hostname": "微信公众号的服务器地址",
    "path": "/weixin/rs/weixin/getcode?state=标签参数",
    "order": 85,
    "hide": false,
    "lost": true,
    "selected": true,
    "active": false,
    "filename": "getcode"
  },
  {
    "startTime": 1601264250958,
    "id": "1601264250956-106",
    //微信授权登陆后会重新跳转到公众号的回调地址
    "url": "http://微信公众号的服务器地址/weixin/rs/weixin/getOpenid?code=微信授权登陆后返回的CODE&state=标签参数",
    "req": {
      "method": "GET",
      "httpVersion": "1.1",
      "ip": "192.168.110.198",
      "port": 61389,
      "rawHeaderNames": {
        "host": "Host",
        "proxy-connection": "Proxy-Connection",
        "upgrade-insecure-requests": "Upgrade-Insecure-Requests",
        "accept": "Accept",
        "user-agent": "User-Agent",
        "accept-language": "Accept-Language",
        "accept-encoding": "Accept-Encoding",
        "connection": "Connection",
        "proxy-authorization": "Proxy-Authorization"
      },
      "headers": {
        "host": "微信公众号的服务器地址",
        "upgrade-insecure-requests": "1",
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "accept-language": "zh-cn",
        "accept-encoding": "gzip",
        "connection": "keep-alive"
      },
      "trailers": {},
      "size": 0,
      "body": false,
      "rawHeaders": {
        "Host": "微信公众号的服务器地址",
        "Upgrade-Insecure-Requests": "1",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "Accept-Language": "zh-cn",
        "Accept-Encoding": "gzip",
        "Connection": "keep-alive"
      }
    },
    "res": {
      "ip": "IP地址",
      "port": 80,
      "rawHeaderNames": {
        "x-frame-options": "X-Frame-Options",
        "x-content-type-options": "X-Content-Type-Options",
        "x-xss-protection": "X-XSS-Protection",
        "location": "Location",
        "content-length": "Content-Length",
        "date": "Date",
        "server": "Server"
      },
      "statusCode": 302,
      "statusMessage": "Found",
      "headers": {
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "x-xss-protection": "1; mode=block",
        //公众号服务器后台验证前面返回的code并和用户信息匹配并返回了用户身份标签,之后所有的操作都通过这个openid来识别用户
        "location": "http://微信公众号的服务器地址/weixin/index.html?openid=用户身份标签&filiale=标签参数",
        "content-length": "0",
        "date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "server": ""
      },
      "trailers": {},
      "size": 0,
      "body": false,
      "rawHeaders": {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Location": "http://微信公众号的服务器地址/weixin/index.html?openid=用户身份标签&filiale=标签参数",
        "Content-Length": "0",
        "Date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "Server": ""
      }
    },
    "rules": {},
    "pipe": null,
    "rulesHeaders": {},
    "dnsTime": 1601264250958,
    "useH2": false,
    "requestTime": 1601264250960,
    "responseTime": 1601264251268,
    "endTime": 1601264251269,
    "method": "GET",
    "hostIp": "IP地址",
    "clientIp": "192.168.110.198",
    "date": "2020/9/28 上午11:37:30",
    "clientPort": 61389,
    "serverPort": 80,
    "body": 0,
    "result": 302,
    "type": "",
    "time": "311ms",
    "download": "1ms",
    "response": "308ms",
    "request": "2ms",
    "dns": "0ms",
    "protocol": "HTTP",
    "hostname": "微信公众号的服务器地址",
    "path": "/weixin/rs/weixin/getOpenid?code=微信授权登陆后返回的CODE&state=标签参数",
    "order": 88,
    "hide": false,
    "lost": true,
    "selected": true,
    "active": false
  },
  {
    "startTime": 1601264251288,
    "id": "1601264251287-107",
    "url": "http://微信公众号的服务器地址/weixin/index.html?openid=用户身份标签&filiale=标签参数",
    "req": {
      "method": "GET",
      "httpVersion": "1.1",
      "ip": "192.168.110.198",
      "port": 61389,
      "rawHeaderNames": {
        "host": "Host",
        "proxy-connection": "Proxy-Connection",
        "upgrade-insecure-requests": "Upgrade-Insecure-Requests",
        "accept": "Accept",
        "user-agent": "User-Agent",
        "accept-language": "Accept-Language",
        "accept-encoding": "Accept-Encoding",
        "connection": "Connection",
        "proxy-authorization": "Proxy-Authorization"
      },
      "headers": {
        "host": "微信公众号的服务器地址",
        "upgrade-insecure-requests": "1",
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "accept-language": "zh-cn",
        "accept-encoding": "gzip",
        "connection": "keep-alive"
      },
      "trailers": {},
      "size": 0,
      "body": false,
      "rawHeaders": {
        "Host": "微信公众号的服务器地址",
        "Upgrade-Insecure-Requests": "1",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f31) NetType/WIFI Language/zh_CN",
        "Accept-Language": "zh-cn",
        "Accept-Encoding": "gzip",
        "Connection": "keep-alive"
      }
    },
    "res": {
      "ip": "IP地址",
      "port": 80,
      "rawHeaderNames": {
        "x-frame-options": "X-Frame-Options",
        "x-content-type-options": "X-Content-Type-Options",
        "x-xss-protection": "X-XSS-Protection",
        "accept-ranges": "Accept-Ranges",
        "etag": "ETag",
        "last-modified": "Last-Modified",
        "content-type": "Content-Type",
        "content-length": "Content-Length",
        "date": "Date",
        "server": "Server"
      },
      "statusCode": 200,
      "statusMessage": "OK",
      "headers": {
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "x-xss-protection": "1; mode=block",
        "accept-ranges": "bytes",
        "etag": "W/\"1804-1599700714957\"",
        "last-modified": "Thu, 10 Sep 2020 01:18:34 GMT",
        "content-type": "text/html",
        "content-length": "1804",
        "date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "server": ""
      },
      "trailers": {},
      "size": 1804,
      "body": "",
      "base64": "数据",
      "rawHeaders": {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Accept-Ranges": "bytes",
        "ETag": "W/\"1804-1599700714957\"",
        "Last-Modified": "Thu, 10 Sep 2020 01:18:34 GMT",
        "Content-Type": "text/html",
        "Content-Length": "1804",
        "Date": "Mon, 28 Sep 2020 03:37:25 GMT",
        "Server": ""
      }
    },
    "rules": {},
    "pipe": null,
    "rulesHeaders": {},
    "dnsTime": 1601264251289,
    "useH2": false,
    "requestTime": 1601264251290,
    "responseTime": 1601264251339,
    "endTime": 1601264251340,
    "method": "GET",
    "hostIp": "IP地址",
    "clientIp": "192.168.110.198",
    "date": "2020/9/28 上午11:37:31",
    "clientPort": 61389,
    "serverPort": 80,
    "body": 1804,
    "result": 200,
    "type": "text/html",
    "time": "52ms",
    "download": "1ms",
    "response": "49ms",
    "request": "1ms",
    "dns": "1ms",
    "protocol": "HTTP",
    "hostname": "微信公众号的服务器地址",
    "path": "/weixin/index.html?openid=用户身份标签&filiale=标签参数",
    "order": 89,
    "hide": false,
    "lost": true,
    "selected": true,
    "active": false,
    "filename": "index.html"
  },

分析完后,我们用浏览器打开地址:
http://微信公众号的服务器地址/weixin/index.html?openid=用户身份标签&filiale=标签参数

这时我们看到了熟悉的界面,没错,就是微信上面的界面。。

二、Chrome调试

接下来打开Chrome浏览器,输入刚刚的地址,打开页面,打开调试窗口切换到network标签页,点击我们需要查询的按钮,这时结果如下

此时我们可以知道查询的链接,查询的参数,但是查询参数是经过AES加密的,再看返回结果也是加密后的数据。

接下来我们找一下是否有相关解密的方法。

我们在刚刚返回的js里搜索查询参数里面的aoteEncrypt关键词,找到如下结果

这时我们发现了新的关键词:encryKey: this._scan

猜测this._scan应该就是AES的加密key,但是我们在返回的这些js里都没找到这个key。
我们返回到前页,清除调试窗口内容后刷新页面,在所有文件里以_scan为关键词进行搜索

发现有3个文件里有这个关键词,接着我们在单独的文件里再次搜索,这时我们找到了我们需要的加密KEY。密钥既然随前端js一起下发,这层AES就只是对传输内容的混淆,任何能加载页面的人都能还原明文。

为了验证我们的猜测是否正确,打开一个在线AES解密工具 http://tool.chacuo.net/cryptaes/ (在线工具会把密文和密钥提交给第三方站点,涉及真实数据时更稳妥的做法是用本地工具解密)
输入加密内容和密钥,解密成功,再看f_open_id的内容是不是很熟悉?没错就是前面打开的链接里的openid

我们再试试返回结果是否能解密,里面的数据和我们在网页上面看到的一样,这个就是我们需要的数据了。

下面就要进行下一步操作了,把我们手工完成的步骤转成NR自动完成,由于篇幅太长,内容太多放不下了。。。接下来的内容请看下一楼

三、NR自动化查询

我们先构造一个基础的http请求流

分别编辑函数和http请求节点,http请求节点使用从函数节点传递的参数

先用加密数据测试是否有效

经过比对,返回数据与我们调试的时候是一样的

接下来我们就要进行加密解密操作了

我们新建一个流程

image

在第一个注入中填入加密的文本

image

接着在后面的函数节点中添加加密解密函数,因为我们前面用在线解密测试的时候是AES ECB加密模式,所以要使用相应的算法,使用CryptoJS 来实现

/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
/*
 * CryptoJS core (minified vendor code; the header above identifies it as v3.1.2).
 * Reuses an already-defined CryptoJS object if there is one (`CryptoJS || ...`),
 * otherwise builds the namespace with Math passed in as `u`:
 *   - lib.Base: prototype-based inheritance helpers (extend / create / mixIn / clone)
 *   - lib.WordArray: array of 32-bit words plus a significant-byte count (sigBytes)
 *   - enc.Hex, enc.Latin1, enc.Utf8: string <-> WordArray encoders
 *   - lib.BufferedBlockAlgorithm and lib.Hasher: shared buffering for block algorithms
 *   - algo: empty namespace that the sections below fill in
 * NOTE(review): WordArray.random draws its words from Math.random() (`u.random()`),
 * which is not a cryptographically secure source; salts produced through it inherit that.
 * NOTE(review): Hasher._createHmacHelper refers to algo.HMAC, which none of the code
 * shown on this page defines, so HMAC helpers built from it would fail when called.
 * enc.Utf8.stringify throws Error("Malformed UTF-8 data") when the bytes do not decode.
 */
var CryptoJS = CryptoJS || function (u, p) {
    var d = {}, l = d.lib = {}, s = function () { }, t = l.Base = { extend: function (a) { s.prototype = this; var c = new s; a && c.mixIn(a); c.hasOwnProperty("init") || (c.init = function () { c.$super.init.apply(this, arguments) }); c.init.prototype = c; c.$super = this; return c }, create: function () { var a = this.extend(); a.init.apply(a, arguments); return a }, init: function () { }, mixIn: function (a) { for (var c in a) a.hasOwnProperty(c) && (this[c] = a[c]); a.hasOwnProperty("toString") && (this.toString = a.toString) }, clone: function () { return this.init.prototype.extend(this) } },
    r = l.WordArray = t.extend({
        init: function (a, c) { a = this.words = a || []; this.sigBytes = c != p ? c : 4 * a.length }, toString: function (a) { return (a || v).stringify(this) }, concat: function (a) { var c = this.words, e = a.words, j = this.sigBytes; a = a.sigBytes; this.clamp(); if (j % 4) for (var k = 0; k < a; k++)c[j + k >>> 2] |= (e[k >>> 2] >>> 24 - 8 * (k % 4) & 255) << 24 - 8 * ((j + k) % 4); else if (65535 < e.length) for (k = 0; k < a; k += 4)c[j + k >>> 2] = e[k >>> 2]; else c.push.apply(c, e); this.sigBytes += a; return this }, clamp: function () {
            var a = this.words, c = this.sigBytes; a[c >>> 2] &= 4294967295 <<
                32 - 8 * (c % 4); a.length = u.ceil(c / 4)
        }, clone: function () { var a = t.clone.call(this); a.words = this.words.slice(0); return a }, random: function (a) { for (var c = [], e = 0; e < a; e += 4)c.push(4294967296 * u.random() | 0); return new r.init(c, a) }
    }), w = d.enc = {}, v = w.Hex = {
        stringify: function (a) { var c = a.words; a = a.sigBytes; for (var e = [], j = 0; j < a; j++) { var k = c[j >>> 2] >>> 24 - 8 * (j % 4) & 255; e.push((k >>> 4).toString(16)); e.push((k & 15).toString(16)) } return e.join("") }, parse: function (a) {
            for (var c = a.length, e = [], j = 0; j < c; j += 2)e[j >>> 3] |= parseInt(a.substr(j,
                2), 16) << 24 - 4 * (j % 8); return new r.init(e, c / 2)
        }
    }, b = w.Latin1 = { stringify: function (a) { var c = a.words; a = a.sigBytes; for (var e = [], j = 0; j < a; j++)e.push(String.fromCharCode(c[j >>> 2] >>> 24 - 8 * (j % 4) & 255)); return e.join("") }, parse: function (a) { for (var c = a.length, e = [], j = 0; j < c; j++)e[j >>> 2] |= (a.charCodeAt(j) & 255) << 24 - 8 * (j % 4); return new r.init(e, c) } }, x = w.Utf8 = { stringify: function (a) { try { return decodeURIComponent(escape(b.stringify(a))) } catch (c) { throw Error("Malformed UTF-8 data"); } }, parse: function (a) { return b.parse(unescape(encodeURIComponent(a))) } },
    q = l.BufferedBlockAlgorithm = t.extend({
        reset: function () { this._data = new r.init; this._nDataBytes = 0 }, _append: function (a) { "string" == typeof a && (a = x.parse(a)); this._data.concat(a); this._nDataBytes += a.sigBytes }, _process: function (a) { var c = this._data, e = c.words, j = c.sigBytes, k = this.blockSize, b = j / (4 * k), b = a ? u.ceil(b) : u.max((b | 0) - this._minBufferSize, 0); a = b * k; j = u.min(4 * a, j); if (a) { for (var q = 0; q < a; q += k)this._doProcessBlock(e, q); q = e.splice(0, a); c.sigBytes -= j } return new r.init(q, j) }, clone: function () {
            var a = t.clone.call(this);
            a._data = this._data.clone(); return a
        }, _minBufferSize: 0
    }); l.Hasher = q.extend({
        cfg: t.extend(), init: function (a) { this.cfg = this.cfg.extend(a); this.reset() }, reset: function () { q.reset.call(this); this._doReset() }, update: function (a) { this._append(a); this._process(); return this }, finalize: function (a) { a && this._append(a); return this._doFinalize() }, blockSize: 16, _createHelper: function (a) { return function (b, e) { return (new a.init(e)).finalize(b) } }, _createHmacHelper: function (a) {
            return function (b, e) {
                return (new n.HMAC.init(a,
                    e)).finalize(b)
            }
        }
    }); var n = d.algo = {}; return d
}(Math);
/*
 * Adds CryptoJS.enc.Base64 (minified vendor code).
 *   - stringify: encodes a WordArray as Base64 text, padding with the character at
 *     index 64 of _map ("=") until the length is a multiple of 4.
 *   - parse: decodes Base64 text into a WordArray, stopping at the first padding
 *     character if one is present.
 * Characters outside _map are not rejected: indexOf returns -1 for them and the
 * result is folded into the output as-is.
 */
(function () {
    var u = CryptoJS, p = u.lib.WordArray; u.enc.Base64 = {
        stringify: function (d) { var l = d.words, p = d.sigBytes, t = this._map; d.clamp(); d = []; for (var r = 0; r < p; r += 3)for (var w = (l[r >>> 2] >>> 24 - 8 * (r % 4) & 255) << 16 | (l[r + 1 >>> 2] >>> 24 - 8 * ((r + 1) % 4) & 255) << 8 | l[r + 2 >>> 2] >>> 24 - 8 * ((r + 2) % 4) & 255, v = 0; 4 > v && r + 0.75 * v < p; v++)d.push(t.charAt(w >>> 6 * (3 - v) & 63)); if (l = t.charAt(64)) for (; d.length % 4;)d.push(l); return d.join("") }, parse: function (d) {
            var l = d.length, s = this._map, t = s.charAt(64); t && (t = d.indexOf(t), -1 != t && (l = t)); for (var t = [], r = 0, w = 0; w <
                l; w++)if (w % 4) { var v = s.indexOf(d.charAt(w - 1)) << 2 * (w % 4), b = s.indexOf(d.charAt(w)) >>> 6 - 2 * (w % 4); t[r >>> 2] |= (v | b) << 24 - 8 * (r % 4); r++ } return p.create(t, r)
        }, _map: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
    }
})();
/*
 * Adds CryptoJS.algo.MD5 and the helpers CryptoJS.MD5 / CryptoJS.HmacMD5
 * (minified vendor code; `u` is Math).
 *   - p, d, l, s are the four per-round step functions.
 *   - b[0..63] holds the round constants, computed as abs(sin(i + 1)) * 2^32.
 *   - _doReset loads the four initial state words; _doProcessBlock byte-swaps the
 *     16 input words and runs the 64 steps; _doFinalize appends the padding and the
 *     message length, then byte-swaps the state words for output.
 * In this file MD5 is only pulled in as the default hasher of EvpKDF; the
 * encrypt()/decrypt() helpers at the bottom pass a parsed key and do not hash it.
 */
(function (u) {
    function p(b, n, a, c, e, j, k) { b = b + (n & a | ~n & c) + e + k; return (b << j | b >>> 32 - j) + n } function d(b, n, a, c, e, j, k) { b = b + (n & c | a & ~c) + e + k; return (b << j | b >>> 32 - j) + n } function l(b, n, a, c, e, j, k) { b = b + (n ^ a ^ c) + e + k; return (b << j | b >>> 32 - j) + n } function s(b, n, a, c, e, j, k) { b = b + (a ^ (n | ~c)) + e + k; return (b << j | b >>> 32 - j) + n } for (var t = CryptoJS, r = t.lib, w = r.WordArray, v = r.Hasher, r = t.algo, b = [], x = 0; 64 > x; x++)b[x] = 4294967296 * u.abs(u.sin(x + 1)) | 0; r = r.MD5 = v.extend({
        _doReset: function () { this._hash = new w.init([1732584193, 4023233417, 2562383102, 271733878]) },
        _doProcessBlock: function (q, n) {
            for (var a = 0; 16 > a; a++) { var c = n + a, e = q[c]; q[c] = (e << 8 | e >>> 24) & 16711935 | (e << 24 | e >>> 8) & 4278255360 } var a = this._hash.words, c = q[n + 0], e = q[n + 1], j = q[n + 2], k = q[n + 3], z = q[n + 4], r = q[n + 5], t = q[n + 6], w = q[n + 7], v = q[n + 8], A = q[n + 9], B = q[n + 10], C = q[n + 11], u = q[n + 12], D = q[n + 13], E = q[n + 14], x = q[n + 15], f = a[0], m = a[1], g = a[2], h = a[3], f = p(f, m, g, h, c, 7, b[0]), h = p(h, f, m, g, e, 12, b[1]), g = p(g, h, f, m, j, 17, b[2]), m = p(m, g, h, f, k, 22, b[3]), f = p(f, m, g, h, z, 7, b[4]), h = p(h, f, m, g, r, 12, b[5]), g = p(g, h, f, m, t, 17, b[6]), m = p(m, g, h, f, w, 22, b[7]),
                f = p(f, m, g, h, v, 7, b[8]), h = p(h, f, m, g, A, 12, b[9]), g = p(g, h, f, m, B, 17, b[10]), m = p(m, g, h, f, C, 22, b[11]), f = p(f, m, g, h, u, 7, b[12]), h = p(h, f, m, g, D, 12, b[13]), g = p(g, h, f, m, E, 17, b[14]), m = p(m, g, h, f, x, 22, b[15]), f = d(f, m, g, h, e, 5, b[16]), h = d(h, f, m, g, t, 9, b[17]), g = d(g, h, f, m, C, 14, b[18]), m = d(m, g, h, f, c, 20, b[19]), f = d(f, m, g, h, r, 5, b[20]), h = d(h, f, m, g, B, 9, b[21]), g = d(g, h, f, m, x, 14, b[22]), m = d(m, g, h, f, z, 20, b[23]), f = d(f, m, g, h, A, 5, b[24]), h = d(h, f, m, g, E, 9, b[25]), g = d(g, h, f, m, k, 14, b[26]), m = d(m, g, h, f, v, 20, b[27]), f = d(f, m, g, h, D, 5, b[28]), h = d(h, f,
                    m, g, j, 9, b[29]), g = d(g, h, f, m, w, 14, b[30]), m = d(m, g, h, f, u, 20, b[31]), f = l(f, m, g, h, r, 4, b[32]), h = l(h, f, m, g, v, 11, b[33]), g = l(g, h, f, m, C, 16, b[34]), m = l(m, g, h, f, E, 23, b[35]), f = l(f, m, g, h, e, 4, b[36]), h = l(h, f, m, g, z, 11, b[37]), g = l(g, h, f, m, w, 16, b[38]), m = l(m, g, h, f, B, 23, b[39]), f = l(f, m, g, h, D, 4, b[40]), h = l(h, f, m, g, c, 11, b[41]), g = l(g, h, f, m, k, 16, b[42]), m = l(m, g, h, f, t, 23, b[43]), f = l(f, m, g, h, A, 4, b[44]), h = l(h, f, m, g, u, 11, b[45]), g = l(g, h, f, m, x, 16, b[46]), m = l(m, g, h, f, j, 23, b[47]), f = s(f, m, g, h, c, 6, b[48]), h = s(h, f, m, g, w, 10, b[49]), g = s(g, h, f, m,
                        E, 15, b[50]), m = s(m, g, h, f, r, 21, b[51]), f = s(f, m, g, h, u, 6, b[52]), h = s(h, f, m, g, k, 10, b[53]), g = s(g, h, f, m, B, 15, b[54]), m = s(m, g, h, f, e, 21, b[55]), f = s(f, m, g, h, v, 6, b[56]), h = s(h, f, m, g, x, 10, b[57]), g = s(g, h, f, m, t, 15, b[58]), m = s(m, g, h, f, D, 21, b[59]), f = s(f, m, g, h, z, 6, b[60]), h = s(h, f, m, g, C, 10, b[61]), g = s(g, h, f, m, j, 15, b[62]), m = s(m, g, h, f, A, 21, b[63]); a[0] = a[0] + f | 0; a[1] = a[1] + m | 0; a[2] = a[2] + g | 0; a[3] = a[3] + h | 0
        }, _doFinalize: function () {
            var b = this._data, n = b.words, a = 8 * this._nDataBytes, c = 8 * b.sigBytes; n[c >>> 5] |= 128 << 24 - c % 32; var e = u.floor(a /
                4294967296); n[(c + 64 >>> 9 << 4) + 15] = (e << 8 | e >>> 24) & 16711935 | (e << 24 | e >>> 8) & 4278255360; n[(c + 64 >>> 9 << 4) + 14] = (a << 8 | a >>> 24) & 16711935 | (a << 24 | a >>> 8) & 4278255360; b.sigBytes = 4 * (n.length + 1); this._process(); b = this._hash; n = b.words; for (a = 0; 4 > a; a++)c = n[a], n[a] = (c << 8 | c >>> 24) & 16711935 | (c << 24 | c >>> 8) & 4278255360; return b
        }, clone: function () { var b = v.clone.call(this); b._hash = this._hash.clone(); return b }
    }); t.MD5 = v._createHelper(r); t.HmacMD5 = v._createHmacHelper(r)
})(Math);
/*
 * Adds CryptoJS.algo.EvpKDF and the shortcut CryptoJS.EvpKDF(password, salt, cfg)
 * (minified vendor code).
 * compute() keeps hashing (previous digest, password, salt) and concatenating the
 * digests until keySize words are available, then truncates to exactly keySize words.
 * Defaults from cfg: keySize 4 words, hasher MD5, iterations 1.
 * NOTE(review): one MD5 iteration makes derived keys cheap to brute-force from a
 * passphrase. In this file the KDF is reached only when a cipher helper is given a
 * string key; the encrypt()/decrypt() helpers at the bottom pass a WordArray instead.
 */
(function () {
    var u = CryptoJS, p = u.lib, d = p.Base, l = p.WordArray, p = u.algo, s = p.EvpKDF = d.extend({ cfg: d.extend({ keySize: 4, hasher: p.MD5, iterations: 1 }), init: function (d) { this.cfg = this.cfg.extend(d) }, compute: function (d, r) { for (var p = this.cfg, s = p.hasher.create(), b = l.create(), u = b.words, q = p.keySize, p = p.iterations; u.length < q;) { n && s.update(n); var n = s.update(d).finalize(r); s.reset(); for (var a = 1; a < p; a++)n = s.finalize(n), s.reset(); b.concat(n) } b.sigBytes = 4 * q; return b } }); u.EvpKDF = function (d, l, p) {
        return s.create(p).compute(d,
            l)
    }
})();
/*
 * Cipher framework (minified vendor code); skipped when CryptoJS.lib.Cipher already exists.
 * Defines lib.Cipher, lib.StreamCipher, lib.BlockCipherMode, mode.CBC, pad.Pkcs7,
 * lib.BlockCipher, lib.CipherParams, format.OpenSSL, lib.SerializableCipher,
 * kdf.OpenSSL and lib.PasswordBasedCipher.
 *   - BlockCipher defaults to CBC mode with Pkcs7 padding unless cfg overrides them.
 *   - Cipher._createHelper picks the path by key type: a string key goes through
 *     PasswordBasedCipher (key and IV derived by kdf.OpenSSL, with a random 8-byte salt
 *     when none is supplied); any other key goes through SerializableCipher unchanged.
 *   - format.OpenSSL writes Base64 text, prefixed by two marker words and the salt
 *     when a salt is present, and strips that prefix again in parse.
 *   - CipherParams.toString() uses the formatter recorded at encryption time.
 * NOTE(review): Pkcs7.unpad subtracts the value of the last byte from sigBytes without
 * checking the padding bytes, so decrypting with a wrong key yields arbitrary-length
 * output rather than an error at this layer.
 * NOTE(review): nothing here authenticates ciphertext; integrity has to come from elsewhere.
 */
CryptoJS.lib.Cipher || function (u) {
    var p = CryptoJS, d = p.lib, l = d.Base, s = d.WordArray, t = d.BufferedBlockAlgorithm, r = p.enc.Base64, w = p.algo.EvpKDF, v = d.Cipher = t.extend({
        cfg: l.extend(), createEncryptor: function (e, a) { return this.create(this._ENC_XFORM_MODE, e, a) }, createDecryptor: function (e, a) { return this.create(this._DEC_XFORM_MODE, e, a) }, init: function (e, a, b) { this.cfg = this.cfg.extend(b); this._xformMode = e; this._key = a; this.reset() }, reset: function () { t.reset.call(this); this._doReset() }, process: function (e) { this._append(e); return this._process() },
        finalize: function (e) { e && this._append(e); return this._doFinalize() }, keySize: 4, ivSize: 4, _ENC_XFORM_MODE: 1, _DEC_XFORM_MODE: 2, _createHelper: function (e) { return { encrypt: function (b, k, d) { return ("string" == typeof k ? c : a).encrypt(e, b, k, d) }, decrypt: function (b, k, d) { return ("string" == typeof k ? c : a).decrypt(e, b, k, d) } } }
    }); d.StreamCipher = v.extend({ _doFinalize: function () { return this._process(!0) }, blockSize: 1 }); var b = p.mode = {}, x = function (e, a, b) {
        var c = this._iv; c ? this._iv = u : c = this._prevBlock; for (var d = 0; d < b; d++)e[a + d] ^=
            c[d]
    }, q = (d.BlockCipherMode = l.extend({ createEncryptor: function (e, a) { return this.Encryptor.create(e, a) }, createDecryptor: function (e, a) { return this.Decryptor.create(e, a) }, init: function (e, a) { this._cipher = e; this._iv = a } })).extend(); q.Encryptor = q.extend({ processBlock: function (e, a) { var b = this._cipher, c = b.blockSize; x.call(this, e, a, c); b.encryptBlock(e, a); this._prevBlock = e.slice(a, a + c) } }); q.Decryptor = q.extend({
        processBlock: function (e, a) {
            var b = this._cipher, c = b.blockSize, d = e.slice(a, a + c); b.decryptBlock(e, a); x.call(this,
                e, a, c); this._prevBlock = d
        }
    }); b = b.CBC = q; q = (p.pad = {}).Pkcs7 = { pad: function (a, b) { for (var c = 4 * b, c = c - a.sigBytes % c, d = c << 24 | c << 16 | c << 8 | c, l = [], n = 0; n < c; n += 4)l.push(d); c = s.create(l, c); a.concat(c) }, unpad: function (a) { a.sigBytes -= a.words[a.sigBytes - 1 >>> 2] & 255 } }; d.BlockCipher = v.extend({
        cfg: v.cfg.extend({ mode: b, padding: q }), reset: function () {
            v.reset.call(this); var a = this.cfg, b = a.iv, a = a.mode; if (this._xformMode == this._ENC_XFORM_MODE) var c = a.createEncryptor; else c = a.createDecryptor, this._minBufferSize = 1; this._mode = c.call(a,
                this, b && b.words)
        }, _doProcessBlock: function (a, b) { this._mode.processBlock(a, b) }, _doFinalize: function () { var a = this.cfg.padding; if (this._xformMode == this._ENC_XFORM_MODE) { a.pad(this._data, this.blockSize); var b = this._process(!0) } else b = this._process(!0), a.unpad(b); return b }, blockSize: 4
    }); var n = d.CipherParams = l.extend({ init: function (a) { this.mixIn(a) }, toString: function (a) { return (a || this.formatter).stringify(this) } }), b = (p.format = {}).OpenSSL = {
        stringify: function (a) {
            var b = a.ciphertext; a = a.salt; return (a ? s.create([1398893684,
                1701076831]).concat(a).concat(b) : b).toString(r)
        }, parse: function (a) { a = r.parse(a); var b = a.words; if (1398893684 == b[0] && 1701076831 == b[1]) { var c = s.create(b.slice(2, 4)); b.splice(0, 4); a.sigBytes -= 16 } return n.create({ ciphertext: a, salt: c }) }
    }, a = d.SerializableCipher = l.extend({
        cfg: l.extend({ format: b }), encrypt: function (a, b, c, d) { d = this.cfg.extend(d); var l = a.createEncryptor(c, d); b = l.finalize(b); l = l.cfg; return n.create({ ciphertext: b, key: c, iv: l.iv, algorithm: a, mode: l.mode, padding: l.padding, blockSize: a.blockSize, formatter: d.format }) },
        decrypt: function (a, b, c, d) { d = this.cfg.extend(d); b = this._parse(b, d.format); return a.createDecryptor(c, d).finalize(b.ciphertext) }, _parse: function (a, b) { return "string" == typeof a ? b.parse(a, this) : a }
    }), p = (p.kdf = {}).OpenSSL = { execute: function (a, b, c, d) { d || (d = s.random(8)); a = w.create({ keySize: b + c }).compute(a, d); c = s.create(a.words.slice(b), 4 * c); a.sigBytes = 4 * b; return n.create({ key: a, iv: c, salt: d }) } }, c = d.PasswordBasedCipher = a.extend({
        cfg: a.cfg.extend({ kdf: p }), encrypt: function (b, c, d, l) {
            l = this.cfg.extend(l); d = l.kdf.execute(d,
                b.keySize, b.ivSize); l.iv = d.iv; b = a.encrypt.call(this, b, c, d.key, l); b.mixIn(d); return b
        }, decrypt: function (b, c, d, l) { l = this.cfg.extend(l); c = this._parse(c, l.format); d = l.kdf.execute(d, b.keySize, b.ivSize, c.salt); l.iv = d.iv; return a.decrypt.call(this, b, c, d.key, l) }
    })
}();
/*
 * Adds CryptoJS.algo.AES and the CryptoJS.AES encrypt/decrypt helper (minified vendor code).
 *   - The two opening loops precompute the lookup tables: `a` is doubling in GF(2^8)
 *     (reduction constant 283), `l`/`s` are the S-box and its inverse, and
 *     t, r, w, v / b, x, q, n are the combined round tables for encryption / decryption.
 *   - H holds the round constants used by the key schedule.
 *   - _doReset expands this._key: the number of rounds is (key length in words) + 6,
 *     so the key length is taken from the key that is passed in, not from keySize.
 *   - keySize: 8 (words) is only the size requested from the KDF when a string
 *     passphrase is used.
 *   - encryptBlock / decryptBlock transform one 4-word block in place; decryptBlock
 *     swaps words 1 and 3 around the shared _doCryptBlock routine.
 * NOTE(review): _doReset does not validate the key length — confirm callers pass
 * 16, 24 or 32 bytes.
 */
(function () {
    for (var u = CryptoJS, p = u.lib.BlockCipher, d = u.algo, l = [], s = [], t = [], r = [], w = [], v = [], b = [], x = [], q = [], n = [], a = [], c = 0; 256 > c; c++)a[c] = 128 > c ? c << 1 : c << 1 ^ 283; for (var e = 0, j = 0, c = 0; 256 > c; c++) { var k = j ^ j << 1 ^ j << 2 ^ j << 3 ^ j << 4, k = k >>> 8 ^ k & 255 ^ 99; l[e] = k; s[k] = e; var z = a[e], F = a[z], G = a[F], y = 257 * a[k] ^ 16843008 * k; t[e] = y << 24 | y >>> 8; r[e] = y << 16 | y >>> 16; w[e] = y << 8 | y >>> 24; v[e] = y; y = 16843009 * G ^ 65537 * F ^ 257 * z ^ 16843008 * e; b[k] = y << 24 | y >>> 8; x[k] = y << 16 | y >>> 16; q[k] = y << 8 | y >>> 24; n[k] = y; e ? (e = z ^ a[a[a[G ^ z]]], j ^= a[a[j]]) : e = j = 1 } var H = [0, 1, 2, 4, 8,
        16, 32, 64, 128, 27, 54], d = d.AES = p.extend({
            _doReset: function () {
                for (var a = this._key, c = a.words, d = a.sigBytes / 4, a = 4 * ((this._nRounds = d + 6) + 1), e = this._keySchedule = [], j = 0; j < a; j++)if (j < d) e[j] = c[j]; else { var k = e[j - 1]; j % d ? 6 < d && 4 == j % d && (k = l[k >>> 24] << 24 | l[k >>> 16 & 255] << 16 | l[k >>> 8 & 255] << 8 | l[k & 255]) : (k = k << 8 | k >>> 24, k = l[k >>> 24] << 24 | l[k >>> 16 & 255] << 16 | l[k >>> 8 & 255] << 8 | l[k & 255], k ^= H[j / d | 0] << 24); e[j] = e[j - d] ^ k } c = this._invKeySchedule = []; for (d = 0; d < a; d++)j = a - d, k = d % 4 ? e[j] : e[j - 4], c[d] = 4 > d || 4 >= j ? k : b[l[k >>> 24]] ^ x[l[k >>> 16 & 255]] ^ q[l[k >>>
                    8 & 255]] ^ n[l[k & 255]]
            }, encryptBlock: function (a, b) { this._doCryptBlock(a, b, this._keySchedule, t, r, w, v, l) }, decryptBlock: function (a, c) { var d = a[c + 1]; a[c + 1] = a[c + 3]; a[c + 3] = d; this._doCryptBlock(a, c, this._invKeySchedule, b, x, q, n, s); d = a[c + 1]; a[c + 1] = a[c + 3]; a[c + 3] = d }, _doCryptBlock: function (a, b, c, d, e, j, l, f) {
                for (var m = this._nRounds, g = a[b] ^ c[0], h = a[b + 1] ^ c[1], k = a[b + 2] ^ c[2], n = a[b + 3] ^ c[3], p = 4, r = 1; r < m; r++)var q = d[g >>> 24] ^ e[h >>> 16 & 255] ^ j[k >>> 8 & 255] ^ l[n & 255] ^ c[p++], s = d[h >>> 24] ^ e[k >>> 16 & 255] ^ j[n >>> 8 & 255] ^ l[g & 255] ^ c[p++], t =
                    d[k >>> 24] ^ e[n >>> 16 & 255] ^ j[g >>> 8 & 255] ^ l[h & 255] ^ c[p++], n = d[n >>> 24] ^ e[g >>> 16 & 255] ^ j[h >>> 8 & 255] ^ l[k & 255] ^ c[p++], g = q, h = s, k = t; q = (f[g >>> 24] << 24 | f[h >>> 16 & 255] << 16 | f[k >>> 8 & 255] << 8 | f[n & 255]) ^ c[p++]; s = (f[h >>> 24] << 24 | f[k >>> 16 & 255] << 16 | f[n >>> 8 & 255] << 8 | f[g & 255]) ^ c[p++]; t = (f[k >>> 24] << 24 | f[n >>> 16 & 255] << 16 | f[g >>> 8 & 255] << 8 | f[h & 255]) ^ c[p++]; n = (f[n >>> 24] << 24 | f[g >>> 16 & 255] << 16 | f[h >>> 8 & 255] << 8 | f[k & 255]) ^ c[p++]; a[b] = q; a[b + 1] = s; a[b + 2] = t; a[b + 3] = n
            }, keySize: 8
        }); u.AES = p._createHelper(d)
})();


/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
/**
 * Electronic Codebook (ECB) block mode.
 *
 * Each block is passed straight to the cipher: no IV is used and nothing is
 * chained from one block to the next, so identical plaintext blocks under the
 * same key always produce identical ciphertext blocks. It is registered here
 * because the helpers further down select it explicitly.
 */
CryptoJS.mode.ECB = (function () {
    var EcbMode = CryptoJS.lib.BlockCipherMode.extend();

    // Encrypt the block found at `blockOffset` inside `blockWords`, in place.
    var encryptorOverrides = {
        processBlock: function (blockWords, blockOffset) {
            this._cipher.encryptBlock(blockWords, blockOffset);
        }
    };

    // Decrypt the block found at `blockOffset` inside `blockWords`, in place.
    var decryptorOverrides = {
        processBlock: function (blockWords, blockOffset) {
            this._cipher.decryptBlock(blockWords, blockOffset);
        }
    };

    EcbMode.Encryptor = EcbMode.extend(encryptorOverrides);
    EcbMode.Decryptor = EcbMode.extend(decryptorOverrides);

    return EcbMode;
}());

/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
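/**
 * Zero padding strategy.
 *
 * pad() extends the data with zero bytes up to the next block boundary (no bytes
 * are added when the data is already aligned). unpad() removes every trailing
 * zero byte, so plaintext that itself ends in zero bytes cannot be told apart
 * from padding and is shortened as well.
 */
CryptoJS.pad.ZeroPadding = {
    /**
     * @param {WordArray} data - Data to pad, modified in place.
     * @param {number} blockSize - Block size in 32-bit words.
     */
    pad: function (data, blockSize) {
        // Block size is given in words; the arithmetic below is in bytes.
        var blockSizeBytes = blockSize * 4;

        // clamp() clears everything past sigBytes, so growing sigBytes afterwards
        // is equivalent to appending zero bytes.
        data.clamp();
        data.sigBytes += blockSizeBytes - ((data.sigBytes % blockSizeBytes) || blockSizeBytes);
    },

    /**
     * @param {WordArray} data - Data to unpad, modified in place.
     */
    unpad: function (data) {
        var dataWords = data.words;

        // Scan backwards for the last non-zero byte. The `i >= 0` bound matters:
        // without it, empty or all-zero data (which decrypted input can be) drives
        // the index negative and the loop never terminates. Such data now unpads
        // to zero bytes.
        var i = data.sigBytes - 1;
        while (i >= 0 && !((dataWords[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff)) {
            i--;
        }
        data.sigBytes = i + 1;
    }
};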

/**
 * Encrypt text with AES in ECB mode and PKCS#7 padding.
 *
 * The key is handed to CryptoJS as a WordArray, so it is used directly as the AES
 * key and no passphrase derivation takes place. ECB uses no IV: the same input
 * and key always give the same output.
 *
 * NOTE(review): the fallback key is hard-coded; presumably it is the key recovered
 * from the page's scripts — confirm, and treat any key kept in source as public.
 *
 * @param {string} word - Plaintext; encoded as UTF-8 before encryption.
 * @param {string} [keyStr] - Key text, encoded as UTF-8. Any falsy value selects
 *   the built-in default.
 * @returns {string} Ciphertext as produced by the result's toString(), which in
 *   this file's CryptoJS build is Base64 text.
 */
function encrypt(word, keyStr) {
    var keyText = keyStr || 'vWxi6q1gmmELLgDi';
    var keyWords = CryptoJS.enc.Utf8.parse(keyText);
    var plainWords = CryptoJS.enc.Utf8.parse(word);
    var cipherOptions = {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    };

    return CryptoJS.AES.encrypt(plainWords, keyWords, cipherOptions).toString();
}

/**
 * Decrypt AES/ECB/PKCS#7 ciphertext and return it as a UTF-8 string.
 *
 * The key is handed to CryptoJS as a WordArray, so it is used directly as the AES
 * key. Nothing here verifies that the ciphertext is authentic: a wrong key or
 * altered input shows up only as garbage, an empty string or a decoding error.
 *
 * NOTE(review): the fallback key is hard-coded; presumably it is the key recovered
 * from the page's scripts — confirm, and treat any key kept in source as public.
 *
 * @param {string} word - Ciphertext text (Base64 with this file's CryptoJS build).
 * @param {string} [keyStr] - Key text, encoded as UTF-8. Any falsy value selects
 *   the built-in default.
 * @returns {string} Decrypted text.
 * @throws {Error} "Malformed UTF-8 data" when the decrypted bytes are not valid UTF-8.
 */
function decrypt(word, keyStr) {
    var keyWords = CryptoJS.enc.Utf8.parse(keyStr || "vWxi6q1gmmELLgDi");
    var plainWords = CryptoJS.AES.decrypt(word, keyWords, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    var plainText = CryptoJS.enc.Utf8.stringify(plainWords);

    return plainText.toString();
}

// Body of the function node: swap the incoming ciphertext in msg.payload for its
// decrypted text and hand the same message object on to the next node.
var decryptedPayload = decrypt(msg.payload);
msg.payload = decryptedPayload;

return msg;

部署并执行,然后看一下调试输出结果

image

成功解密! :grinning:

接下来测试加密,将前面http请求参数中的data的数据进行解密,然后再对解密的内容使用我们的加密算法重新加密,比对2次数据是否一致(ECB模式没有IV,相同的明文和密钥总会得到相同的密文,所以可以直接比对),如果一致就说明我们的算法没有问题,接着就可以进行下一步操作了。

我们将前面提到的2个流程进行合并,这样我们就能请求公众号并得到相应的数据。

四、进阶

前面的操作已经达到我们的使用要求,但是我们继续研究,我们将前面提到的data数据进行解密,解密后的内容是 {"f_userinfo_id":一些数字},这个和我们解密查询结果里面的一个内容一致,猜测这个数字就是对应的服务器数据查询关键词,但是这个是怎么来的呢,总不可能从最后查询的结果里取吧?

我们接着研究最最开始的时候我们使用的那个链接

一个 Request URL:http://服务地址/weixin/rs/logic/searchBandList 进入我们的视野
我们直接解密从Chrome中获得的结果,发现内容和我们前面的查询结果是几乎一样的,但是有一个关键参数"f_balance"的内容却是0。

我们对查询参数进行解密,内容是{"condition":"f_open_id = 'oKgXXXXXXXXXXXXXXsYOc'"},
f_open_id的内容是不是很熟悉? 就是我们最开始链接里面的openid

于是我们可以基本确定整个数据获取的流程:
利用openid查询用户基本信息 → 再用基本信息中的f_userinfo_id查询账户余额

有了上述思路,我们就可以构造整个数据获取的流了

当然中间涉及的一些数据处理就不一一赘述了

全文完!

谢谢阅读

三木大佬,一如既往的牛逼 :grinning:

大佬NB,依照案例到搜索查询参数里面的aoteEncrypt,未发现类似关键词:encryKey: this._scan,还求大佬看下网站源码是不是更新了