Python RSA cryptographic decryption and impersonation login Cnblog

1. Public Key encryption

Also called asymmetric encryption, a pair of keys is required, one is a private key, and the other is a public key. Public key encryption can only be decrypted by the private key, which encrypts the customer's upload data. Private key encrypted data, the public key can be decrypted, mainly for digital signatures. Details can be found in Wikipedia.

2. RSA encryption algorithm

RSA encryption belongs to asymmetric encryption. The RSA algorithm is based on a very simple number theory fact: it is easy to multiply two large prime numbers, but it is extremely difficult to factorization the product, so you can expose the product as an encryption key. The security of RSA algorithm is explained in Wikipedia: RSA encryption algorithm

"The difficulty of factoring the maximal integer determines the reliability of the RSA algorithm." In other words, the more difficult the factorization of a large integer, the more reliable the RSA algorithm. If someone finds a fast factorization algorithm, then the reliability of the information encrypted with RSA is bound to fall substantially. But the likelihood of finding such an algorithm is very small. Only short RSA keys today can be broken by brute force mode. So far, there is no reliable way to attack the RSA algorithm in the world. As long as its key length is long enough, the information encrypted with RSA is not actually broken. ”

RSA encryption algorithm can be consulted: RSA algorithm principle (a), the principle of RSA algorithm (ii)

3, Python encryption and decryption of RSA

　　

#Generate RSA Key fromCrypto.publickeyImportRsarsa_obj= Rsa.generate (1024) Private_pem= Rsa_obj.exportkey ()#input private key in PEM formatPublic_key =Rsa_obj.publickey () Public_pem= Public_key.exportkey ()#Enter the public key into PEM formatPrintPublic_pem#The results are similar to the following" "-----BEGIN Public KEY-----migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqc8jxuvkhjb0ksyrmobvdv20iyna1aqs2+ohgb5lnlv+ cdmttldwozwnbhyzrya4l/mtqhqr4e5jozhsqe14j2rawy+99uxea88upt3rpafojprcn9larupxo4yf/5kxi5eo5h2src+k6gu+ 1d1pw411rqqd/uzw8zfx8q5gah6hwidaqab-----END Public KEY-----" " fromCrypto.cipherImportPkcs1_v1_5 as Cipher_pkcs1_v1_5#RSA encryption, typically base64 encoding of cryptographic resultsdefEncrypt (public_key, message): Cipher=cipher_pkcs1_v1_5.new (public_key) Cipher_text=Base64.b64encode (cipher.encrypt (message))returnCipher_text#RSA DecryptiondefDecrypt (Rsakey, Encrypt_text): Cipher=cipher_pkcs1_v1_5.new (Rsakey)returnCipher.decrypt (Base64.b64decode (Encrypt_text),"') msg='Hello World'Encrypt_text=Encrypt (Public_key, msg)PrintEncrypt_text" "gowbz961d34rdeegvjjtatacaxxiy6qfti7tosmxqeyekchtnlqddkzt3iqwkhtfro4xcplm4g+xqsqrnnn+3uq9/ fahk6tzmi9ercte5fu72jwyk6yboaln8chl8h14bjisoaahmp9nuydefi7tv4ydne75kmuachglsjytnju=" "text=Decrypt (rsa_obj, Encrypt_text)Printtext'Hello World'

4. Analog Login Cnblog

Visit the login page, Https://passport.cnblogs.com/user/signin, enter the user name password, view the login information, found that the user name password is encrypted

Read the following source code, found the following information

We found that the user name password is encrypted by RSA, there is no private key information, it is unable to decrypt the content. Next there is the Verificationtoken field. We can encrypt the user name password RSA and then impersonate the login. The code is as follows:

#to get public key from the login page, you need to format it manuallyPub ='\ n'. Join (['-----BEGIN Public KEY-----','migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcp0whybg/nopo3nzmd3dndws0m','CCUMEXCHGVLGOOYYFWLDS24IM2E7YYHB0WRUSYYF0/NHZCZBK8ZC9ECWQD0AHBDG','OQT6CUFQBMJBYGYVLVYU2ZP7KG9FT6YV6OC9AMBUO7NPZH+BVXH0ZDKFI02PRKNR','Scakc0xhadtht3al0qidaqab','-----END Public KEY-----'])#Import Public KeyPublic_key =Rsa.importkey (pub) input1= Encrypt (Public_key,'****')#User nameInput2 = Encrypt (Public_key,"****")#Password#The login information is stored in the cookie and needs to be Cookeis verified#using the requests session, you can automatically help us with cookiess =requests. Session () Headers= {#' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 ',#' accept-encoding ': ' gzip, deflate, SDCH, Br ',#' accept-language ': ' zh-cn,zh;q=0.8 ',#' Connection ': ' keep-alive ','Host':'passport.cnblogs.com','upgrade-insecure-requests': 1,'user-agent':'mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/57.0.2987.133 safari/537.36',}#Open the login pageR = S.get ('Https://passport.cnblogs.com/user/signin', headers=headers)ImportRe#Get Verificationtokentoken = Re.search (r"' verificationtoken ': ' (. *?) '", R.text) token= Token.group (1) Headers= {#' Accept ': ' Application/json, Text/javascript, */*; q=0.01 ',#' accept-encoding ': ' gzip, deflate, BR ',#' accept-language ': ' zh-cn,zh;q=0.8 ',#' Connection ': ' keep-alive ','Content-type':'Application/json; Charset=utf-8','Host':'passport.cnblogs.com','Origin':'https://passport.cnblogs.com','Referer':'Https://passport.cnblogs.com/user/signin','user-agent':'mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/57.0.2987.133 safari/537.36','Verificationtoken': Token,'X-requested-with':'XMLHttpRequest' #it's a must.}data= {'INPUT1': INPUT1,'Input2': Input2,"Remember": True}r= S.post ('Https://passport.cnblogs.com/user/signin', data = json.dumps (data), headers=headers) Headers= {#' Accept ': ' Text/plain, */*; q=0.01 ',#' accept-encoding ': ' gzip, deflate, BR ',#' accept-language ': ' zh-cn,zh;q=0.8 ',#' Connection ': ' keep-alive ','Host':'home.cnblogs.com','Referer':'https://home.cnblogs.com/','user-agent':'mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/57.0.2987.133 safari/537.36','X-requested-with':'XMLHttpRequest'}#get current user information to verify login successPrintS.get ('Https://home.cnblogs.com/user/CurrentUserInfo', headers=headers). Text" "
" "

You can see that the impersonation login was successful. If you're just trying to simulate a login, don't bother, consider:

1, do not need to do RSA encryption, directly crawl the user name and password after login encryption.

2. Analyze the cookies on the successful login page, save them, and simply bring the cookies with you upon request.

Python RSA cryptographic decryption and impersonation login Cnblog