---
created: 2023-02-03T14:58:51+08:00
updated: 2023-02-21T20:51:40+08:00
---
遇到一个js加密的登录框,js代码如下:
遇到个密码加密,只有一个函数
```javascript
function encode(_str) {
var staticchars = "PXhw7UT1B0a9kQDKZsjIASmOezxYG4CHo5Jyfg2b8FLpEvRr3WtVnlqMidu6cN";
var encodechars = "";
for (var i = 0; i < _str.length; i++) {
var num0 = staticchars.indexOf(_str[i]);
if (num0 == -1) {
var code = _str[i];
} else {
var code = staticchars[(num0 + 3) % 62];
}
var num1 = parseInt(Math.random() * 62, 10);
var num2 = parseInt(Math.random() * 62, 10);
encodechars += staticchars[num1] + code + staticchars[num2];
}
return encodechars;
}
```
直接利用python的execjs来执行,代码如下:
```python
# -*- coding: utf-8 -*-
# @Time : 2023/2/3 2:05 下午
# @Software: f0ng
from flask import Flask,request
import execjs
from urllib.parse import parse_qsl, parse_qs
app = Flask(__name__)
ctx = execjs.compile("""
function encode(_str) { var staticchars = "PXhw7UT1B0a9kQDKZsjIASmOezxYG4CHo5Jyfg2b8FLpEvRr3WtVnlqMidu6cN"; var encodechars = ""; for (var i = 0; i < _str.length; i++) { var num0 = staticchars.indexOf(_str[i]); if (num0 == -1) { var code = _str[i]; } else { var code = staticchars[(num0 + 3) % 62]; } var num1 = parseInt(Math.random() * 62, 10); var num2 = parseInt(Math.random() * 62, 10); encodechars += staticchars[num1] + code + staticchars[num2]; } return encodechars; }
""")
@app.route('/encode',methods=["POST"])
def encrypt():
total = ""
param = request.form.get('dataBody') # 获取 post 参数
# print(param)
dict = parse_qs(param)
en_pwd = ctx.call("encode", dict["password"][0])
# print(en_pwd)
dict["password"][0] = en_pwd
for key in dict.keys():
# print(key)
total = total + key + "=" + dict[key][0] + "&"
print(total[:-1])
return total[:-1]
@app.route('/decode',methods=["POST"]) # 不解密
def decrypt():
param = request.form.get('dataBody') # 获取 post 参数
# print(param) return param
if __name__ == '__main__':
app.debug = True # 设置调试模式,生产模式的时候要关掉debug
app.run(host="0.0.0.0",port="8888")
```
autodecoder配置如下:
直接设置为明文密码就行了,intruder如下
通过logger查看如下
