声明
本文章中所有内容仅供学习交流使用，不用于其他任何目的，抓包内容、敏感网址、数据接口 等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关！

前言

逆向分析

sign=cp2.call('getSign',.........)
token = cp.call('getToken', ..................)
print(token)
print(sign)
cp3 = execjs.compile(open('w-payload-source.js','r',encoding='utf-8').read())
result = cp3.call('getWPayloadSource',..............)
w_payload_source = result['w_payload_source']
data = result['data']
headers = {
    'sessionid': '1',
    'sign': sign,
    'token': token,
    'transactionid': transactionID,
    'w-payload-source': w_payload_source,
}
response = requests .post(
   'search/api/search/batchSearch',
   params=params,
   cookies=cookies,
   headers=headers,
   json=data,
)
 
print(response.text [0:1000])

# wx a15018601872
sign=cp2.call('getSign',.........)
token = cp.call('getToken', ..................)
print(token)
print(sign)
cp3 = execjs.compile(open('w-payload-source.js','r',encoding='utf-8').read())
result = cp3.call('getWPayloadSource',..............)
w_payload_source = result['w_payload_source']
data = result['data']
headers = {
    'sessionid': '1',
    'sign': sign,
    'token': token,
    'transactionid': transactionID,
    'w-payload-source': w_payload_source,
}
response = requests.post(
   'search/api/search/batchSearch',
   params=params,
   cookies=cookies,
   headers=headers,
   json=data,
)

结果

f94K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7$3c8F1K9h3#2Y4i4K6u0W2j5$3&6Q4x3V1k6J5k6h3I4W2j5i4y4W2i4K6u0r3j5X3I4G2k6#2)9#2k6X3g2V1K9i4c8G2M7W2)9#2k6X3S2@1L8h3I4Q4x3V1k6J5k6h3I4W2j5i4y4W2x3W2)9J5k6e0c8Q4x3X3f1$3i4K6u0r3j5$3E0W2k6r3W2@1L8%4u0Q4x3V1k6H3L8s2g2Y4K9h3&6K6i4K6u0r3N6$3W2V1k6$3g2@1i4K6u0r3K9h3#2S2k6$3g2K6i4K6u0r3K9r3q4F1k6r3I4W2i4K6u0W2M7r3&6Y4i4K6t1&6i4K6y4n7">编辑

总结

1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。

[培训]Windows内核深度攻防：从Hook技术到Rootkit实战！