JS逆向 on Lhz's blog https://lhzzz08.github.io/tags/js%E9%80%86%E5%90%91/ Recent content in JS逆向 on Lhz's blog Hugo -- 0.152.2 en-us Sat, 11 Apr 2026 16:59:39 +0800 JS加解密逆向实战案例 https://lhzzz08.github.io/posts/vulnerability1/ Sat, 11 Apr 2026 16:59:39 +0800 https://lhzzz08.github.io/posts/vulnerability1/ <h1 id="声明">声明</h1> <p><strong>本博客提供的思路和技术仅限于提升自身技术,不得用于非法活动,任何非法活动均与本博客的立场相违背,违法者将依法承担法律责任</strong></p> <h1 id="我的看法">我的看法</h1> <p>其实JS逆向在日常挖洞中不能算一种漏洞类型进行提交,而是一种技术,有了这个技术,就可以在数据包存在加密或者数据包存在签名防篡改的情况下,进行将密文解密或篡改数据包从而进行正常的渗透流程,甚至有些网站全站都存在数据包签名防篡改,那没有JS逆向的技术,你改不了数据包,连渗透的资格都没有,这还测个毛啊</p> <h1 id="案例介绍">案例介绍</h1> <h3 id="漏洞名称">漏洞名称</h3> <p>上海商米科技集团股份有限公司数字店铺存在任意用户登录漏洞(已修复)</p> <h3 id="漏洞发现">漏洞发现</h3> <p>我在测试<a href="https://store.sunmi.com/user/login">商米数字店铺</a>中发现用户登录处使用手机验证码登录时验证码做了防爆破处理,但是 要实现用户登录是不是还可以修改原来的密码,用创建的新密码来实现密码登录,【修改密码】同样需要手机验证码验证,但是<strong>这里的验证接口并没有做验证码验证次数限制,而且为四位验证码,遍历次数只要10000次,可以进行爆破验证码操作</strong> <img loading="lazy" src="https://lhzzz08.github.io/images/2026-2/202603011231.png"> 但是数据包中却没有找到验证码参数,甚至连像模像样的信息都没有,而且全站都是这样的,【重置密码】具体数据包内容如下</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">// 原始数据包如下 </span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span><span style="color:#a6e22e">POST</span> /api/user/resetPassword <span style="color:#66d9ef">HTTP</span><span style="color:#f92672">/</span><span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span>Host<span style="color:#f92672">:</span> <span style="color:#ae81ff">store.sunmi.com</span> </span></span><span style="display:flex;"><span>Cookie<span style="color:#f92672">:</span> <span style="color:#ae81ff">_c_WBKFRo=Un76hKEAvdAOAfzCsQ4Nuu8fLxA8acVXkTUnQwIV; tfstk=gcYEw-gqtavsJCkDgIbru9lECVQdzakbLU65ZQAlO9XHODhraOR8AgOBAhWyIdWHUQhdZTvkUTtIfqOp9aQohgujlBUNBRwB8a2WswC70R4yZqOp95jEIwFil4loG21hELjhjOflI6Xu-LXGsOCRZJfu-fRGBOf3qgbuIGfcNuqkEacwsOClrTvlxfRGB_blEfodcgkVNMcHMw4-R5RNYtAhQrR976mG3qBarE8GTM8ktOoEYF5FYtjyczJ2uIAHk_8-iuWyMHvC6LuqQNYeLejNz4zORI-MLG-EUPS9jILlbhH4DIdHLnjD-VlFbedf-O8-wzBHAQY54eD0N9YpdFSvyJk1FnO6-GJmCPJR4Hxc-UkqSgy7e1DI_UKUEuSh61Wj_fllLRPKMf_nNuERvJ5NhXxu2uIhY1Wj_RE82MIl_tGnF; _gcl_au=1.1.1104070136.1769850985; Hm_lvt_2018effe9e50369b4410bd0af8ecb7c9=1769850985,1769861358; _ga=GA1.2.1449330925.1769850985; _ga_RQML024HYC=GS2.2.s1769861358$o2$g0$t1769861358$j60$l0$h0; _ga_NFBQZJS49V=GS2.1.s1769861358$o2$g0$t1769861516$j60$l0$h0; Hm_lvt_61990ad31961f1bde37194ad4f2f1285=1769851055,1771835131,1772108018,1772338958; HMACCOUNT=A87FED76FCB56CAB; Hm_lpvt_61990ad31961f1bde37194ad4f2f1285=1772339825</span> </span></span><span style="display:flex;"><span>Content-Length<span style="color:#f92672">:</span> <span style="color:#ae81ff">902</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Platform<span style="color:#f92672">:</span> <span style="color:#ae81ff">&#34;macOS&#34;</span> </span></span><span style="display:flex;"><span>User-Agent<span style="color:#f92672">:</span> <span style="color:#ae81ff">Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua<span style="color:#f92672">:</span> <span style="color:#ae81ff">&#34;Not:A-Brand&#34;;v=&#34;99&#34;, &#34;Google Chrome&#34;;v=&#34;145&#34;, &#34;Chromium&#34;;v=&#34;145&#34;</span> </span></span><span style="display:flex;"><span>Content-Type<span style="color:#f92672">:</span> <span style="color:#ae81ff">multipart/form-data; boundary=----WebKitFormBoundarybqbHAefRGJzTQbtQ</span> </span></span><span style="display:flex;"><span>Version<span style="color:#f92672">:</span> <span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Mobile<span style="color:#f92672">:</span> <span style="color:#ae81ff">?0</span> </span></span><span style="display:flex;"><span>Accept<span style="color:#f92672">:</span> <span style="color:#ae81ff">*/*</span> </span></span><span style="display:flex;"><span>Origin<span style="color:#f92672">:</span> <span style="color:#ae81ff">https://store.sunmi.com</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Site<span style="color:#f92672">:</span> <span style="color:#ae81ff">same-origin</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Mode<span style="color:#f92672">:</span> <span style="color:#ae81ff">cors</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Dest<span style="color:#f92672">:</span> <span style="color:#ae81ff">empty</span> </span></span><span style="display:flex;"><span>Referer<span style="color:#f92672">:</span> <span style="color:#ae81ff">https://store.sunmi.com/user/login</span> </span></span><span style="display:flex;"><span>Accept-Encoding<span style="color:#f92672">:</span> <span style="color:#ae81ff">gzip, deflate, br</span> </span></span><span style="display:flex;"><span>Accept-Language<span style="color:#f92672">:</span> <span style="color:#ae81ff">zh-CN,zh;q=0.9,en-GB;q=0.8,en;q=0.7</span> </span></span><span style="display:flex;"><span>Priority<span style="color:#f92672">:</span> <span style="color:#ae81ff">u=1, i</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;timeStamp&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>1772339853 </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;randomNum&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>3gspVBCLxtglWdCw3agGHFtrQM0sdozs </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;params&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>yXABToyr+0mTGR9u4Yf2WOq54mU+LzNTLIuQHi1TpZPCK0+NCLk72AYz55wC5Y5N70zuQnttWAzBDVEhUvnZukJ0HG3G3VSRvciKRXco7DnC/a77d1VLAdVRJJGsL5ghna4jP2BHjSjExrIrJcm5DWvHEwiH3JglZ7lJhbF7K3fADSE2nuW1K+jeze5Kmu/MBKUTrqlU1XIH/U2tdzcz6Q== </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;isEncrypted&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>1 </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;sign&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>42d6b0c68a4151e3c17cbdac1746a14a </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=&#34;lang&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>zh </span></span><span style="display:flex;"><span>------WebKitFormBoundarybqbHAefRGJzTQbtQ-- </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>HTTP/2 200 OK </span></span><span style="display:flex;"><span>Content-Type: application/json; charset=utf-8 </span></span><span style="display:flex;"><span>Content-Length: 42 </span></span><span style="display:flex;"><span>X-B3-Traceid: 21a9270d9420e83719fcc3fe1074cb6e </span></span><span style="display:flex;"><span>X-B3-Spanid: aee96733a3195d05 </span></span><span style="display:flex;"><span>X-B3-Sampled: 1 </span></span><span style="display:flex;"><span>Date: Sun, 01 Mar 2026 04:51:12 GMT </span></span><span style="display:flex;"><span>Vary: Origin </span></span><span style="display:flex;"><span>Access-Control-Allow-Origin: https://store.sunmi.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>{&#34;data&#34;:{},&#34;code&#34;:2003,&#34;msg&#34;:&#34;code error&#34;} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>//任意修改 POST 参数的返回包 </span></span><span style="display:flex;"><span>HTTP/2 400 Bad Request </span></span><span style="display:flex;"><span>Content-Type: application/json; charset=utf-8 </span></span><span style="display:flex;"><span>Content-Length: 44 </span></span><span style="display:flex;"><span>X-B3-Traceid: f062b32ce9f642ae0380d3ef32ff1dc4 </span></span><span style="display:flex;"><span>X-B3-Spanid: a3dfa9c4f8bdf4c2 </span></span><span style="display:flex;"><span>X-B3-Sampled: 1 </span></span><span style="display:flex;"><span>Date: Sun, 01 Mar 2026 05:00:35 GMT </span></span><span style="display:flex;"><span>Vary: Origin </span></span><span style="display:flex;"><span>Access-Control-Allow-Origin: https://store.sunmi.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>{&#34;code&#34;:5026,&#34;msg&#34;:&#34;Invalid sign&#34;,&#34;data&#34;:{}} </span></span></code></pre></div><p>有JS加解密经验的师傅并不会十分陌生,网站是通过<code>POST multipart/form-data</code> 类型进行传递数据,而且根据各个英文名,<code>params</code>是参数的意思,所以<code>yXABToyr+0mTGR9u4Yf2WOq54mU+LzNTLIuQHi1TpZPCK0+NCLk72AYz55wC5Y5N70zuQnttWAzBDVEhUvnZukJ0HG3G3VSRvciKRXco7DnC/a77d1VLAdVRJJGsL5ghna4jP2BHjSjExrIrJcm5DWvHEwiH3JglZ7lJhbF7K3fADSE2nuW1K+jeze5Kmu/MBKUTrqlU1XIH/U2tdzcz6Q==</code>就是所有要传递的参数,而且还是进行了加密处理,然后其他的<code>timeStamp randomNum ...</code> 就是起到了整体签名的作用,防止请求包POST部分进行任何篡改,而<code>sign</code>参数<code>42d6b0c68a4151e3c17cbdac1746a14a</code>就是整体进行签名后的结果,<strong>破解<code>params</code>参数加密算法和<code>sign</code>参数签名算法就是下一步需要做的,破解后才可以利用验证接口并没有做验证码验证次数限制进行爆破操作</strong></p>