Intercept sent packets at logon
The parameter circled in red is a random parameter generated by the 12306 system. On every login its name is different and its value is different, and a login request that does not carry it will not succeed. So how is this random parameter obtained?
Capturing the login HTTP requests of a ticket-grabbing program with a packet-capture tool showed that it requests a JS file at https://kyfw.12306.cn/otn/dynamicJs/ljrkadr. That JS code, after formatting, is as follows:
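/*
 * Dynamically served login helper script, restored from a listing whose text
 * had been mangled (identifier case changed, spaces inserted, "//" comment
 * markers and several numeric literals dropped).
 *
 * What the script does, as far as the listing shows:
 *   1. gc() probes the page for CSS classes, element ids, inline styles and
 *      keywords, and builds a flag string with one character per probe group
 *      ('1' = nothing found, '0' = something found).
 *   2. If any probe fires, aj() reports window.helperversion to the server.
 *   3. submitForm() encrypts the flag string with the served key, hex-encodes
 *      and Base64-encodes it, and attaches it to the login form as a hidden
 *      field whose NAME is the key.
 *
 * Security note: the key, the plaintext flags and the cipher are all present
 * in this client-side script, so the resulting field is a tamper signal, not
 * a secret. Anything that can run or re-implement the script can produce it.
 *
 * Restoration notes:
 *   - API and local identifiers are restored to their standard spelling.
 *   - String literals whose original letter case cannot be recovered from the
 *     listing (selectors, ids, the key, 'LoginForm', 'helperversion', the
 *     keyword lists) are kept as printed, with inserted spaces removed.
 *   - Numeric literals missing from the listing are restored from the
 *     standard XXTEA / Base64 algorithms and marked "restored" below.
 */
var submitForm;

(function ($) {
  var jq = $.ajax;

  /**
   * Keyword probe: true when the HTML of the element selected by kw.key
   * contains any of the strings in kw.values.
   */
  function fw(kw) {
    var hasKey = false;
    var values = kw['values'];
    var html = $(kw['key']).html();
    if (html) {
      for (var i = 0; i < values.length; i++) {
        if (html.indexOf(values[i]) > -1) {
          hasKey = true;
          break;
        }
      }
    }
    return hasKey;
  }

  /**
   * Hex-encodes a string: each UTF-16 code unit becomes its base-16 value,
   * left-padded to at least two digits.
   */
  function bin216(s) {
    var i, l, o = "", n;
    // The listing assigns `b` without declaring it (an implicit global, and a
    // ReferenceError in strict mode); it is declared locally here.
    var b = "";
    s += "";
    for (i = 0, l = s.length; i < l; i++) {
      b = s.charCodeAt(i);
      n = b.toString(16);
      o += n.length < 2 ? "0" + n : n;
    }
    return o;
  }

  /**
   * Despite the name, this object is a block cipher, not a Base32 codec: the
   * mixing expression below is the XXTEA round function. The delta printed in
   * the listing (0x9e3779b8) differs by one from the usual XXTEA constant
   * 0x9e3779b9; it is kept as printed.
   */
  var Base32 = new function () {
    var delta = 0x9e3779b8;

    // Packs an array of 32-bit words back into a string, four bytes per word,
    // least-significant byte first.
    function longArrayToString(data, includeLength) {
      var length = data.length;
      var n = (length - 1) << 2;
      if (includeLength) {
        var m = data[length - 1];
        if ((m < n - 3) || (m > n)) {
          return null;
        }
        n = m;
      }
      for (var i = 0; i < length; i++) {
        // Shift counts 16 and 24 are restored; the listing shows only ">>> &".
        data[i] = String.fromCharCode(
          data[i] & 0xff,
          data[i] >>> 8 & 0xff,
          data[i] >>> 16 & 0xff,
          data[i] >>> 24 & 0xff
        );
      }
      if (includeLength) {
        return data.join('').substring(0, n);
      }
      return data.join('');
    }

    // Unpacks a string into 32-bit words (little-endian); optionally appends
    // the original string length as a trailing word.
    function stringToLongArray(string, includeLength) {
      var length = string.length;
      var result = [];
      for (var i = 0; i < length; i += 4) {
        // charCodeAt past the end yields NaN, which the bitwise ops treat as 0.
        result[i >> 2] = string.charCodeAt(i)
          | string.charCodeAt(i + 1) << 8
          | string.charCodeAt(i + 2) << 16
          | string.charCodeAt(i + 3) << 24;
      }
      if (includeLength) {
        result[result.length] = length;
      }
      return result;
    }

    /**
     * Encrypts `string` under `key` and returns the ciphertext as a binary
     * string (one character per byte). An empty input returns "".
     */
    this.encrypt = function (string, key) {
      if (string == "") {
        return "";
      }
      var v = stringToLongArray(string, true);
      var k = stringToLongArray(key, false);
      if (k.length < 4) {
        // Pads the key to four words; the new slots are undefined and act as 0
        // in the XOR below.
        k.length = 4;
      }
      var n = v.length - 1;
      var z = v[n], y = v[0];
      // The round count uses the standard XXTEA 6 + 52/(n+1); the 52 is
      // restored, the listing shows "6 +/(n + 1)".
      var mx, e, p, q = Math.floor(6 + 52 / (n + 1)), sum = 0;
      while (0 < q--) {
        sum = sum + delta & 0xffffffff;
        e = sum >>> 2 & 3;
        for (p = 0; p < n; p++) {
          y = v[p + 1];
          mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
          z = v[p] = v[p] + mx & 0xffffffff;
        }
        y = v[0];
        mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
        z = v[n] = v[n] + mx & 0xffffffff;
      }
      return longArrayToString(v, false);
    };
  };

  // Base64 alphabet plus '=' padding at index 64. The listing prints the first
  // 26 letters in lower case, which would duplicate the second 26; upper case
  // is restored so the alphabet is the standard one.
  var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  /**
   * Despite the name, this is Base64 encoding applied to escape(input).
   * For the hex strings produced by bin216(), escape() changes nothing.
   */
  function encode32(input) {
    input = escape(input);
    var output = "";
    var chr1, chr2, chr3 = "";
    var enc1, enc2, enc3, enc4 = "";
    var i = 0;
    do {
      chr1 = input.charCodeAt(i++);
      chr2 = input.charCodeAt(i++);
      chr3 = input.charCodeAt(i++);
      enc1 = chr1 >> 2;
      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
      // Mask 15 is restored; the listing shows "(CHR2 &) << 2".
      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
      enc4 = chr3 & 63;
      if (isNaN(chr2)) {
        enc3 = enc4 = 64;
      } else if (isNaN(chr3)) {
        enc4 = 64;
      }
      output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2)
        + keyStr.charAt(enc3) + keyStr.charAt(enc4);
      chr1 = chr2 = chr3 = "";
      enc1 = enc2 = enc3 = enc4 = "";
    } while (i < input.length);
    return output;
  }

  /**
   * Reports window.helperversion to the server. gc() calls this when any
   * probe fires; on success the periodic re-check is stopped.
   */
  function aj() {
    var dobj = new Object();
    dobj['jsv'] = window.helperversion;
    jq({
      // The listing prints this URL in upper case here; the spelling used is
      // the one it prints for the same endpoint in the ready() handler.
      url: 'https://kyfw.12306.cn/otn/dynamicJs/sUCZPKP',
      data: dobj,
      type: 'POST',
      success: function (data, textStatus) {
        if (timmer) {
          clearInterval(timmer);
        }
      },
      error: function (XMLHttpRequest, textStatus, errorThrown) {}
    });
  }

  var timmer = null;

  // Starts the periodic probe: gc() runs every two seconds.
  (function check(src) {
    checkSelf();
    function checkSelf() {
      var formArr = $('form');
      if (formArr.length > 1) {
        // Empty in the listing.
      }
    }
    timmer = setInterval(gc, 2000);
  })('1_111');

  // Entry point
  $(document).ready(function () {
    (function () {
      var dobj = new Object();
      dobj['jsv'] = window.helperversion;
      jq({
        url: 'https://kyfw.12306.cn/otn/dynamicJs/sUCZPKP',
        data: dobj,
        type: 'POST',
        success: function (data, textStatus) {},
        error: function (XMLHttpRequest, textStatus, errorThrown) {}
      });

      var form = document.forms[0];
      // Note: `form != 'undefined'` compares against the string 'undefined',
      // as in the listing.
      if (null != form && form != 'undefined' && form.id == 'LoginForm') {
        form.oldSubmit = form.submit;
        // Login page: attach the dynamic field and the helper version to the
        // form as hidden inputs.
        submitForm = function () {
          var keyVlues = gc().split(':');
          // The listing builds these inputs by concatenating HTML strings.
          // Attribute setters are used here so that a value containing quotes
          // cannot break out of the attribute.
          var inputObj = $('<input type="hidden" />').attr({
            name: keyVlues[0],
            value: encode32(bin216(Base32.encrypt(keyVlues[1], keyVlues[0])))
          });
          var myObj = $('<input type="hidden" name="myversion" />')
            .attr('value', String(window.helperversion));
          inputObj.appendTo($(form));
          myObj.appendTo($(form));
          // The listing's `delete inputobj; delete myObj;` is dropped: delete
          // on a var binding does nothing and is a syntax error in strict mode.
        };
      } else {
        // Any other page: return the same two fields as a delimited string.
        submitForm = function () {
          var keyVlues = gc().split(':');
          return keyVlues[0] + ",-," + encode32(bin216(Base32.encrypt(keyVlues[1], keyVlues[0])))
            + ":::" + 'myversion' + ",-," + window.helperversion;
        };
      }
    })();

    // Test: pop up the random parameter. These two statements were added by
    // the article's author and are not part of the served script.
    var aa = submitForm();
    alert(aa);
  });

  /**
   * Runs the page probes and returns "<key>:<flags>".
   *
   * The flags string gets one character per probe group, in the order CSS
   * classes, element ids, inline styles, keywords: '0' when the group found
   * a match, '1' when it did not. The window/parent property probe sets
   * attrChek, but the listing never appends that result to the flags.
   */
  function gc() {
    // The article says the parameter name differs on every login, so this key
    // is presumably regenerated each time the script is served. Its letter
    // case is as printed and may not be the original.
    var key = 'Ntq2mtcz';
    var value = '';

    var cssArr = ['Selectseattype', 'ev_light', 'ev_light', 'fishtimerangepicker',
      'updatesfound', 'tipscript', 'Refreshbutton', 'fish_clock', 'Refreshstudentbutton',
      'btnmoreoptions', 'btnautologin', 'Fish_button', 'Defaultsafemodetime',
      'Ticket-navigation-item'];
    var cssChek = false;
    if (cssArr && cssArr.length > 0) {
      for (var i = 0; i < cssArr.length; i++) {
        if ($('.' + cssArr[i]).length > 0) {
          cssChek = true;
          break;
        }
      }
    }
    value += cssChek ? '0' : '1';

    var idArr = ['btnmoreoptions', 'Refreshstudentbutton', 'fishtimerangepicker',
      'helpertooltable', 'outerbox', 'updAteinfo', 'fish_clock', 'Refreshstudentbutton',
      'Btnautorefresh', 'btnautosubmit', 'Btnrefreshpassenger', 'Autologin',
      'bnautorefreshstu', 'Ordercountcell', 'Refreshstudentbutton', 'enableadvpanel',
      'autodelayinvoke', 'Refreshbutton', 'refreshtimesbar', 'chkallseat'];
    var idChek = false;
    for (var i = 0; i < idArr.length; i++) {
      if ($('#' + idArr[i])[0]) {
        idChek = true;
        break;
      }
    }
    value += idChek ? '0' : '1';

    // Looks for a property whose name contains 'helperversion' on the parent
    // frame and on this window.
    var attrArr = ['helperversion'];
    var attrLen = attrArr ? attrArr.length : 0;
    var attrChek = false;
    for (var p in parent) {
      if (!attrChek) {
        for (var k = 0; k < attrLen; k++) {
          if (String(p).indexOf(attrArr[k]) > -1) {
            attrChek = true;
            break;
          }
        }
      } else {
        break;
      }
    }
    for (var p in window) {
      if (!attrChek) {
        for (var k = 0; k < attrLen; k++) {
          if (String(p).indexOf(attrArr[k]) > -1) {
            attrChek = true;
            break;
          }
        }
      } else {
        break;
      }
    }

    // Inline style attributes on these elements count as a modification.
    var styleArr = ['.Enter_right>.enter_enw>.enter_rtitle', '.Objbox TD'];
    var styleChek = false;
    if (styleArr && styleArr.length > 0) {
      for (var i = 0; i < styleArr.length; i++) {
        var tempStyle = $(styleArr[i]);
        if (tempStyle[0]) {
          // The listing's condition is `k < tempStyle.length > 0`, which
          // evaluates the same as `k < tempStyle.length`.
          for (var k = 0; k < tempStyle.length; k++) {
            if (tempStyle.eq(k).attr('style')) {
              styleChek = true;
              break;
            }
          }
        }
      }
    }
    value += styleChek ? '0' : '1';

    // NOTE(review): the keyword values below are printed in English in the
    // listing; they look like translations, so the strings the served script
    // actually matched are presumably different. Confirm against the original.
    var keywordArr = [
      { key: ".Enter_right", values: ["Pro", "Rob Ticket", "Assistant"] },
      { key: ".Cx_form", values: ["Point of departure", "Swipe Ticket"] },
      { key: "#gridbox", values: ["Select Only", "Select Only", "checkbox", "checkbox"] },
      { key: ".Enter_w", values: ["Assistant"] }
    ];
    var keywordChek = false;
    if (keywordArr && keywordArr.length > 0) {
      for (var i = 0; i < keywordArr.length; i++) {
        var kw = keywordArr[i];
        if (fw(kw)) {
          keywordChek = true;
          break;
        }
      }
    }
    value += keywordChek ? '0' : '1';

    // Any '0' flag means a probe fired: report it to the server.
    if (value.indexOf('0') > -1) {
      aj();
    }
    return key + ':' + value;
  }
})(jQuery);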
In the code above, the following two lines:
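// Excerpt from the ready() handler in the listing above: call submitForm()
// and show what it returns. Identifier case is restored (submitForm, aa);
// as printed, `submitform` and `AA` would not resolve.
var aa = submitForm();
alert(aa);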
I added these two statements to test the random parameter. To see the result, create a new web page, include the jQuery library first, and then reference this JS.
This article is for learning and discussion only; please do not use it for illegal purposes!
12306 access to random parameters after changing the login interface