spencercjh / fakecallonapi

A CSRF project against an app's server
My approach:

1. Log in and obtain this session's utoken and userid.
2. Request a run and obtain its details: the selected points, the mandatory points, and the runPageId.
3. Forge the running data (`data` is built field by field after the upload data captured in an earlier session).
```python
import json
import requests

# Assumed to be defined earlier in the author's script and not shown on this page:
# salt, jiami(), bNode_info, tNode_info, runPageId, userid, url_3, public_header.
data = {}
for i in range(2):
    bNode_info[i]['speed'] = 0.0
data['bNode'] = [bNode_info[0]]
data['bupin'] = input('输入步频(保留一位小数):')
data['duration'] = input('请输入耗时(秒为单位,保留整数):')
data['endTime'] = input('请输入结束时间(如 2019-10-13 19:20:07):')
data['frombp'] = '0'
data['goal'] = '2.00'
data['real'] = '2.14'
data['runPageId'] = str(runPageId)
duration = int(data['duration'])  # was eval(): parse the number instead of evaluating raw input
real = float(data['real'])
peisu = duration / real           # pace in seconds per km
peisu_min = peisu // 60
peisu_sec = peisu % 60
data['speed'] = str(peisu_min) + '\\u0027' + str(peisu_sec) + '\\u0027\\u0027'  # min'sec''
data['startTime'] = input('请输入开始时间(如 2019-10-13 19:20:07):')
for i in range(4):
    tNode_info[i]["latitude"] = float(tNode_info[i]["latitude"])
    tNode_info[i]["longitude"] = float(tNode_info[i]["longitude"])
    tNode_info[i]["speed"] = 0.0
data['tNode'] = [tNode_info[0], tNode_info[2]]
data['totalNum'] = '56'  # meaning unknown
data['track'] = [...very long...]
data['trend'] = [...also very long...]
data['type'] = '1'
data['userid'] = str(userid)
# Build the sign
data_json = json.dumps(data)
sign_raw = salt + 'data' + data_json
sign = jiami(sign_raw)
# Build the headers: the common headers plus two extra lines
public_header['Content-Type'] = 'application/x-www-form-urlencoded'
public_header['Content-Length'] = str(len(data_json))
# Build and send the request, then read the response body
res_3 = requests.post(url=url_3, data={'sign': sign, 'data': data_json}, headers=public_header)
res3_body = json.loads(res_3.text)  # was eval(): parse the JSON body instead of evaluating it
print(res3_body)
```
Running the program:
{'code': '200', 'msg': '登录成功', 'data': {'userid': '205885', 'school': '苏州大学', 'schoolId': '98', 'signature': '', 'username': '手动打码', 'photo': 'http:\\/\\/www.sportcampus.cn\\/static\\/images\\/auto.jpg', 'goal': '80.00', 'surplus': '80.00', 'last_time': '2019-10-13 21:04:35', 'teacher': '', 'course': '', 'utoken': '0c30b352ba4e71e21fb2c33a382bb3c5'}}
{'code': '200', 'msg': '获取成功', 'data': {'beaconcount': 1, 'beaconsinfo': [], 'gpscount': 2, 'distance': 20, 'peisu': 540, 'gpsinfo': [{'latitude': '31.3856120000', 'longitude': '120.6779020000'}, {'latitude': '31.3874010000', 'longitude': '120.6773970000'}, {'latitude': '31.3850670000', 'longitude': '120.6785290000'}, {'latitude': '31.3847150000', 'longitude': '120.6765450000'}], 'length': '2.00', 'dayTarget': '2.00', 'ibeacon': [{'name': 'szdx100060', 'type': 1, 'number': 'szdx100060', 'position': {'latitude': '31.3865130000', 'longitude': '120.6817960000'}, 'id': '1008', 'uuid': 'FDA50693-A4E2-4FB1-AFCF-C6EB07647825', 'major': 'szdx1', 'minor': '00060'}, {'name': 'szdx100074', 'type': 1, 'number': 'szdx100074', 'position': {'latitude': '31.3838360000', 'longitude': '120.6753700000'}, 'id': '1022', 'uuid': 'FDA50693-A4E2-4FB1-AFCF-C6EB07647825', 'major': 'szdx1', 'minor': '00074'}], 'runPageId': 19373441, 'maxSeconds': '0'}}
输入步频(保留一位小数):152.2
请输入耗时(秒为单位,保留整数):753
请输入结束时间(如 2019-10-13 19:20:07):2019-10-13 19:20:07
请输入开始时间(如 2019-10-13 19:20:07):2019-10-13 18:55:23
{'msg': 'km必传', 'code': 404}
That is, the response body obtained is:

```
{'msg': 'km必传', 'code': 404}
```

Afterwards I also tested adding the following to the data:

```python
data['km'] = '2.14'
```

but still got the same response as above:

```
{'msg': 'km必传', 'code': 404}
```
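The responses above only show the server rejecting the submission for a missing `km` field; nothing on the page shows whether it cross-checks the fields against each other. The following added example (written for this page, not code from the fakecallonapi repo) sketches the plausibility checks a backend could apply to a submission shaped like the `data` dict above: the sample payload is constructed, and the required-field list, the timestamp tolerance and the pace bounds are all assumptions rather than the real server's rules.

```python
from datetime import datetime

# Constructed sample shaped like the forged `data` dict above (track/trend omitted).
SAMPLE = {
    "bupin": "152.2", "duration": "753",
    "startTime": "2019-10-13 18:55:23", "endTime": "2019-10-13 19:20:07",
    "goal": "2.00", "real": "2.14", "speed": "5.0'51.86915887850467''",
    "tNode": [{"latitude": 31.385612, "longitude": 120.677902, "speed": 0.0},
              {"latitude": 31.385067, "longitude": 120.678529, "speed": 0.0}],
    "type": "1", "userid": "205885",
}

REQUIRED = ("km", "duration", "startTime", "endTime", "real", "tNode", "userid")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def validate_run(data, tolerance_s=30):
    """Return the reasons to reject a run submission; an empty list means accept.
    Every rule is an assumed server-side check, not what sportcampus.cn does."""
    problems = ["missing field: " + f for f in REQUIRED if f not in data]
    if problems:
        return problems
    try:
        duration = int(data["duration"])
        real = float(data["real"])
        km = float(data["km"])
        start = datetime.strptime(data["startTime"], TIME_FMT)
        end = datetime.strptime(data["endTime"], TIME_FMT)
    except (TypeError, ValueError) as exc:
        return ["malformed field: %s" % exc]
    # 1. The claimed duration must agree with the timestamps the client itself sent.
    wall = (end - start).total_seconds()
    if abs(wall - duration) > tolerance_s:
        problems.append("duration %ds disagrees with timestamps (%.0fs)" % (duration, wall))
    # 2. The two distance fields must agree with each other.
    if abs(km - real) > 0.01:
        problems.append("km and real disagree")
    # 3. A non-zero distance cannot come from a track whose nodes all report speed 0.
    nodes = data["tNode"]
    if real > 0 and nodes and all(float(n.get("speed", 0)) == 0 for n in nodes):
        problems.append("all track nodes report speed 0.0 for a non-zero distance")
    # 4. Pace sanity: seconds per km must fall inside a human range.
    pace = duration / real if real else float("inf")
    if not 150 <= pace <= 1200:  # roughly 2:30 to 20:00 per km
        problems.append("implausible pace %.0f s/km" % pace)
    return problems
```

On the constructed sample, the first check reproduces the observed "km is required" rejection, and once `km` is supplied the payload is still flagged twice: the entered duration (753 s) disagrees with the 24 min 44 s between its own start and end times, and every track node reports speed 0.0 for a 2.14 km run.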