PHP curl: simulating single sign-on and implementing JS encryption functions in PHP

Source: Internet
Author: User
This article describes in detail how to simulate a single sign-on login using curl in PHP and how to implement JS encryption functions in PHP.

Simulated login is the basic part of website scraping: simulate the login, obtain the logged-in state, simulate the way a person accesses the site, obtain the results, then analyze and save them.

First, the tools. You can use Firebug in Firefox or the developer tools in Chrome. I had been using Firefox or Chrome, but I heard that HttpWatch is good, so I tried it, and it turned out to be very comfortable to use. The second is Snoopy.class.php. I use PHP, and this PHP class makes scraping a site easy. However, it is only fine for ordinary HTTP websites. HTTPS is troublesome: to fetch HTTPS sites the class does not use PHP's curl but the native curl of Linux/Unix. Using the class on Windows is therefore a lot of trouble, because you need to install a curl that works on Windows and configure the environment, and it is simply not possible on SAE. On Linux/Unix it is very convenient: just specify the curl path. I also have a script that simulates login and sign-in over HTTPS; it uses PHP curl and does not use Snoopy.

Because Sina uses single sign-on, the usual login method, constructing the user name and password and POSTing them directly to a login action page, no longer works. Use HttpWatch to capture the login process.

The entire login process is as follows:

1) Enter the user name and password and click log on. (On blur, the user name field automatically checks the validity of the email address; this can be ignored when simulating.)

2) Visit a page and get several special values, including servertime, pcid, and nonce. What are these values used for? Analyzing the JavaScript code shows that they are used to encrypt the user name and password.

3) Submit the encrypted user name, password, and other information to the SSO login to apply for a ticket. (The ticket is the ticket used in SSO login.)

4) After successful authentication, visit several other sites to plant cookies. (This is equivalent to showing the ticket to the other site and telling it that I have permission to access it.)

5) Return to the love question homepage.

The main task is encrypting the user name and password. The client does this in JS, but our script cannot call JS, so the JS encryption has to be reimplemented in PHP.

Sina's JS appears to be packed with the Dean Edwards packer. You don't need to worry about that: search Google for an unpacker, paste the code in, and you get the restored code.

After restoring it, I skimmed through it and understood the process. The user name and password are encrypted separately, and the encryption is the most important part. The user name is encoded with base64, and the password is hashed with hex_sha1 and then salted. What we need to do now is implement these two methods in PHP. (In fact, analysis shows that the user name is base64-encoded without any salt, so the output is the same every time, and we do not need to implement the base64 method ourselves.)

    // Excerpt from the login script; a, b, d, k and bi are defined there.
    // Username encryption
    d["su"] = sinaSSOEncoder.base64.encode(bi(a));
    // Password encryption
    b = sinaSSOEncoder.hex_sha1("" + sinaSSOEncoder.hex_sha1(sinaSSOEncoder.hex_sha1(b)) + k.servertime + k.nonce);

The sinaSSOEncoder object used there:

    var sinaSSOEncoder = sinaSSOEncoder || {};
    (function () {
        var n = 0; // 1 = upper-case hex output, 0 = lower-case
        var o = 8; // bits per input character
        this.hex_sha1 = function (s) {
            return A(p(z(s), s.length * o))
        };
        // SHA-1 core: x is an array of big-endian words, f the message length in bits
        var p = function (x, f) {
            x[f >> 5] |= 0x80 << (24 - f % 32);
            x[((f + 64 >> 9) << 4) + 15] = f;
            var w = Array(80);
            var a = 1732584193;
            var b = -271733879;
            var c = -1732584194;
            var d = 271733878;
            var e = -1009589776;
            for (var i = 0; i < x.length; i += 16) {
                var g = a; var h = b; var k = c; var l = d; var m = e;
                for (var j = 0; j < 80; j++) {
                    if (j < 16) w[j] = x[i + j];
                    else w[j] = v(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1);
                    var t = u(u(v(a, 5), q(j, b, c, d)), u(u(e, w[j]), r(j)));
                    e = d; d = c; c = v(b, 30); b = a; a = t
                }
                a = u(a, g); b = u(b, h); c = u(c, k); d = u(d, l); e = u(e, m)
            }
            return Array(a, b, c, d, e)
        };
        // Round function
        var q = function (t, b, c, d) {
            if (t < 20) return (b & c) | ((~b) & d);
            if (t < 40) return b ^ c ^ d;
            if (t < 60) return (b & c) | (b & d) | (c & d);
            return b ^ c ^ d
        };
        // Round constant
        var r = function (t) {
            return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 : (t < 60) ? -1894007588 : -899497514
        };
        // 32-bit addition that wraps around
        var u = function (x, y) {
            var a = (x & 0xFFFF) + (y & 0xFFFF);
            var b = (x >> 16) + (y >> 16) + (a >> 16);
            return (b << 16) | (a & 0xFFFF)
        };
        // 32-bit rotate left
        var v = function (a, b) {
            return (a << b) | (a >>> (32 - b))
        };
        // String to array of big-endian words
        var z = function (a) {
            var b = Array();
            var c = (1 << o) - 1;
            for (var i = 0; i < a.length * o; i += o) b[i >> 5] |= (a.charCodeAt(i / o) & c) << (24 - i % 32);
            return b
        };
        // Array of big-endian words to hex string
        var A = function (a) {
            var b = n ? "0123456789ABCDEF" : "0123456789abcdef";
            var c = "";
            for (var i = 0; i < a.length * 4; i++) {
                c += b.charAt((a[i >> 2] >> ((3 - i % 4) * 8 + 4)) & 0xF) + b.charAt((a[i >> 2] >> ((3 - i % 4) * 8)) & 0xF)
            }
            return c
        };
        this.base64 = {
            encode: function (a) {
                a = "" + a;
                if (a == "") return "";
                var b = '';
                var c, chr2, chr3 = '';
                var d, enc2, enc3, enc4 = '';
                var i = 0;
                do {
                    c = a.charCodeAt(i++);
                    chr2 = a.charCodeAt(i++);
                    chr3 = a.charCodeAt(i++);
                    d = c >> 2;
                    enc2 = ((c & 3) << 4) | (chr2 >> 4);
                    enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
                    enc4 = chr3 & 63;
                    if (isNaN(chr2)) {
                        enc3 = enc4 = 64
                    } else if (isNaN(chr3)) {
                        enc4 = 64
                    }
                    b = b + this._keys.charAt(d) + this._keys.charAt(enc2) + this._keys.charAt(enc3) + this._keys.charAt(enc4);
                    c = chr2 = chr3 = '';
                    d = enc2 = enc3 = enc4 = ''
                } while (i < a.length);
                return b
            },
            _keys: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
        }
    }).call(sinaSSOEncoder);

Then, with some hard work, I wrapped this JS object in a PHP class. I will not post the specific code. I am no expert myself, so I will not embarrass myself by posting it; it is easy enough for everyone to work out.

The most difficult parts are the >>> unsigned right shift and charCodeAt(i) in JS. PHP has neither, so you need to write them yourself.

I will post these two for your reference. In fact, I also based them on existing implementations of these two algorithms. One of them turned out to be wrong, and it took me a long time to find that out.

    /**
     * Unsigned 32-bit right shift; simulates JS >>>.
     * Principle: convert to binary, shift right, then zero-fill.
     * @param mixed $x the number to operate on; if it is a string, it must be in decimal format
     * @param string $bits number of bits to shift right
     * @return mixed the result; if the integer range is exceeded, a floating point number is returned
     */
    function shr32($x, $bits)
    {
        // Nothing to shift
        if ($bits <= 0) {
            return $x;
        }
        if ($bits >= 32) {
            return 0;
        }
        // Convert to a string representing a binary number
        $bin = decbin($x);
        $l = strlen($bin);
        // Longer than 32 characters: keep the low 32 bits; shorter: left-pad with 0 to 32 bits
        if ($l > 32) {
            $bin = substr($bin, $l - 32, 32);
        } elseif ($l < 32) {
            $bin = str_pad($bin, 32, '0', STR_PAD_LEFT);
        }
        // Keep the bits that remain after the shift and fill with 0 on the left
        return bindec(str_pad(substr($bin, 0, 32 - $bits), 32, '0', STR_PAD_LEFT));
    }

    // Simulates JS's charCodeAt().
    // The regular expression below only matches 3-byte UTF-8 sequences;
    // single-byte (ASCII) characters pass through unchanged, and 2- and
    // 4-byte characters are not decoded correctly.
    function getUnicodeFromOneUTF8($word)
    {
        // Get the internal array representation of the character; therefore this file must use UTF-8 encoding!
        if (is_array($word)) {
            $arr = $word;
        } else {
            $arr = str_split($word);
        }
        // At this point the byte values of $arr are similar to array(228, 189, 160)
        // Empty string to collect the bits
        $bin_str = '';
        // Convert each byte to a number, then to a binary string, and concatenate
        foreach ($arr as $value) {
            $bin_str .= decbin(ord($value));
        }
        // $bin_str is now similar to 111001001011110110100000 for the Chinese character "你" ("you")
        // Cut out the payload bits with a regular expression
        $bin_str = preg_replace('/^.{4}(.{4}).{2}(.{6}).{2}(.{6})$/', '$1$2$3', $bin_str);
        // $bin_str is now similar to 0100111101100000 for the Chinese character "你"
        return bindec($bin_str); // Returns something like 20320 for the Chinese character "你"
        // return dechex(bindec($bin_str)); // Use this line instead to return the hexadecimal 4f60
    }
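An integer-based alternative to the string helpers above, as an added example that is not the author's code: on 64-bit PHP the JS operators can be emulated with masks, charCodeAt() with mbstring, and, because hex_sha1 is ordinary SHA-1 with hex output, the password field with the built-in sha1(). The function names, the 64-bit and mbstring requirements and the sample values are assumptions of this example; it also reproduces JS behaviour for shift counts of 32 or more and for 2- and 4-byte UTF-8 characters.

```php
<?php
// Added example, not the article's PHP class. Assumes 64-bit PHP and ext-mbstring.
// JS ">>>": treat $x as unsigned 32-bit; JS uses only the low 5 bits of the count.
function ushr32(int $x, int $bits): int
{
    return ($x & 0xFFFFFFFF) >> ($bits & 31);
}

// Wrap a 64-bit PHP int to the signed 32-bit value that JS bitwise operators return.
function toInt32(int $x): int
{
    $x &= 0xFFFFFFFF;
    return $x >= 0x80000000 ? $x - 0x100000000 : $x;
}

// Equivalent of v(a, b) in the JS encoder: 32-bit rotate left.
function rol32(int $x, int $n): int
{
    return toInt32(($x << $n) | ushr32($x, 32 - $n));
}

// JS charCodeAt(): UTF-16 code unit at index $i, or null where JS returns NaN.
function charCodeAt(string $utf8, int $i): ?int
{
    $utf16 = mb_convert_encoding($utf8, 'UTF-16BE', 'UTF-8');
    if ($i < 0 || $i * 2 >= strlen($utf16)) {
        return null;
    }
    return unpack('n', substr($utf16, $i * 2, 2))[1];
}

// Password field from the JS excerpt. For ASCII input hex_sha1() equals sha1().
function passwordField(string $password, string $servertime, string $nonce): string
{
    return sha1(sha1(sha1($password)) . $servertime . $nonce);
}

// Self-checks on constructed values (nothing here was captured from a real login).
$checks = [
    'ushr32(-1, 28)'         => ushr32(-1, 28) === 15,
    'ushr32(-1, 32)'         => ushr32(-1, 32) === 0xFFFFFFFF, // JS: same as >>> 0
    'rol32(0x80000000, 1)'   => rol32(0x80000000, 1) === 1,
    'charCodeAt(U+4F60, 0)'  => charCodeAt("\u{4F60}", 0) === 20320,
    'charCodeAt(U+00E9, 0)'  => charCodeAt("\u{E9}", 0) === 233,
];
foreach ($checks as $name => $ok) {
    echo $name, ': ', $ok ? 'ok' : 'MISMATCH', "\n";
}
echo passwordField('example-password', '1300000000', 'ABC123'), "\n";
```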

There is also an unsigned left shift algorithm, which is not used here. It is posted as well, for the record.

Example:

    // The start of this function is missing from the source page. The name
    // shl32 and the first guard are reconstructed by analogy with shr32 above.
    function shl32($x, $bits)
    {
        if ($bits <= 0) {
            return $x;
        }
        if ($bits >= 32) {
            return 0;
        }
        // Convert to a string representing a binary number
        $bin = decbin($x);
        $l = strlen($bin);
        // Longer than 32 characters: keep the low 32 bits; shorter: left-pad with 0 to 32 bits
        if ($l > 32) {
            $bin = substr($bin, $l - 32, 32);
        } elseif ($l < 32) {
            $bin = str_pad($bin, 32, '0', STR_PAD_LEFT);
        }
        // Drop the bits shifted out and fill with 0 on the right
        return bindec(str_pad(substr($bin, $bits), 32, '0', STR_PAD_RIGHT));
    }

One thing to note is the use of the ternary operator (?:) in PHP and JS: in PHP it is from right to left, and in JS it is from left to right. So it is better to replace it with if ... else ...

Another problem is the difference between JS arrays and PHP arrays; you can solve that yourself.

Once this is solved, there are no problems left; the rest is the same as scraping a normal website.

Construct the required POST data and submit it.

Then retrieve the returned ticket and simulate visiting the other pages, showing them the ticket. After that, you can access the site directly with the cookie.
