Out of curiosity I had always wanted to try a simulated login, so I picked a university's login page as the target.
It looks like this:
From the interface we can roughly tell that the request probably carries a username, password, CAPTCHA, and a remember-the-user option.
Then use Burp to capture the request:
From the POST request we can see that DLM is the username, hexmd5 is the encrypted password (the encryption should be MD5), and the cookie is for remembering the user.
... Wait, why is there no verification code? That's odd. I'll look at the CAPTCHA again later.
Viewing the source code in the browser shows:
We can see that DLMM is the original password, and HEXMD5 is its value after MD5 encryption.
Then my curiosity returned to the verification code. The source code shows:
Hahaha, the verification code is actually right there in the source, that is simply too simple. Let me try grabbing it; the code is as follows:
import re

def reg_html(html):
    # Match every line of the page that starts a hidden <input> element
    parttern = re.compile(r'<input type="hid.*')
    yzm = parttern.findall(html)
    return yzm
But the result was disappointing too: the value I captured was empty. Maybe my understanding of the front end is not very good, so I kept on reading.
I found that this CAPTCHA calls a JS function named generatemixed.
So I went looking for this function:
I roughly understand it. The rest is easy enough, but the key part is the random call, which I cannot get at. Frustrated, I gave up... Go home!
On the way, I asked Brother Siang. I said there was no verification code in my POST request and asked what was going on. He told me two things:
1. The CAPTCHA is only a front-end check, which can be bypassed
2. The verification code may be sent separately from the user's password and other parameters
I did not understand, so I went back and captured the traffic again with Fiddler. The POST data does not contain the verification code, so I guess it is the second possibility.
So I wrote a script to verify this; the code is as follows:
#!/usr/bin/env python
# coding: utf-8

import re
import requests
from bs4 import BeautifulSoup
import hashlib

url = 'http://xxxxx.xxxxxx.edu.cn/login.login.action'  # login_url
url_p = 'http://xxxxx.xxxxxx.edu.cn/login.toStudentJsp.action?math=4636'  # jump URL, can be found via the JS
url_p2 = 'http://xxxxxx.xxxxxx.edu.cn/stumiddle.jsp'  # user_info_url

def md5encode(string):
    # Hex MD5 digest of the password, as the login form computes it
    m = hashlib.md5()
    m.update(string.encode('utf-8'))
    return m.hexdigest()

def post_html(url, url2, url3):
    # One session so the login cookie is reused by the follow-up requests
    session = requests.Session()
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1581.2 Safari/537.36'}
    payload = {'DLM': 'xxxxxxxxxxxxxxx',
               'HexMd5': '%s' % md5encode('xxxxxxxxxxxxxx'),
               'Cookies': '0'
               }
    session.post(url, data=payload, headers=headers)  # log in
    session.get(url2, headers=headers)                # follow the JS jump
    text = session.get(url3, headers=headers).text    # user information page
    return text

def parser_html(html):
    soup = BeautifulSoup(html, 'html.parser')
    return soup.prettify()

if __name__ == '__main__':
    print(parser_html(post_html(url, url_p, url_p2)))
Here url_p can be obtained by capturing traffic with Fiddler, or found in the JS jump code. As for math=4636, if you read the JS source, it is a 4-digit number randomly generated by the JS, possibly to mark each user's information page as different.
url_p2 can be found with Fiddler.
Run this script, and if our username or password is wrong, this text is returned:
But if they are correct, it gets to the correct page. This is what Fiddler captured when the above script ran:
The simulated login succeeded, completely bypassing the verification code step of the page.
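Seen from the server side, the script works because the login endpoint never checks a CAPTCHA answer. The sketch below is an added example, not part of the original post and not the university's code: a toy handler that generates the answer on the server, binds it to the session, and consumes it on every attempt. The `captcha` field name, the session ids and the account are constructed for illustration; DLM, HexMd5 and Cookies are the fields from the script above.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 120  # seconds a challenge stays valid (assumed value)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

class LoginServer:
    """Toy server-side login handler; sessions live in a dict."""

    def __init__(self, users):
        self.users = users    # username -> expected HexMd5 value
        self.sessions = {}    # session id -> (captcha answer, issue time)

    def new_captcha(self, sid):
        # The answer is generated and kept on the server; a real site would
        # send only an image of it to the browser, never the text.
        answer = "".join(secrets.choice(ALPHABET) for _ in range(4))
        self.sessions[sid] = (answer, time.time())
        return answer  # returned only so the demo can play the human

    def login(self, sid, form):
        # Pop first: a challenge is single-use whether the answer is right or not.
        answer, issued = self.sessions.pop(sid, (None, 0.0))
        if answer is None or time.time() - issued > CAPTCHA_TTL:
            return "captcha_required"
        supplied = form.get("captcha", "").upper()  # hypothetical field name
        if not hmac.compare_digest(supplied.encode(), answer.encode()):
            return "captcha_wrong"
        expected = self.users.get(form.get("DLM", ""), "")
        sent = form.get("HexMd5", "")
        if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
            return "bad_credentials"
        return "ok"

def demo():
    digest = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample value
    srv = LoginServer({"student01": digest})     # constructed account
    creds = {"DLM": "student01", "HexMd5": digest, "Cookies": "0"}
    first = srv.login("s1", dict(creds))   # scripted POST, no captcha field
    ans = srv.new_captcha("s2")            # browser user fetches a challenge
    second = srv.login("s2", dict(creds, captcha=ans))
    third = srv.login("s2", dict(creds, captcha=ans))  # replayed answer
    return [first, second, third]

if __name__ == "__main__":
    print(demo())
```

With this check in place the POST from the script is rejected before the credentials are even compared, and a captured answer cannot be replayed.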
Then again, since I already have the account and password, why go to so much trouble? I personally think there are two reasons.
One is to practice a simulated login.
Two is that you can brute force. But I have bad news: the university's login system freezes the username for 30 minutes after 5 failed attempts. That is killing 1000 of the enemy at the cost of 800 of your own.
But if you really wanted this user to collapse, you could write a script that makes 5 login attempts every 30 minutes, so that the user would never be able to get on.
Haha, enough talk, time to watch the TV show.
The bumpy road of a simulated login that bypasses the verification code