看我鼓搗華西安全網(cha.hxsec.com)密碼泄露查詢接口（有意思的js混淆）

0x00 開始

最近爬個站的數據，然後想掃一下其他網站的同一個賬號名能否找到泄露的密碼，然後在這個站嘿嘿一下…

在 sec-wiki 找到了這個密碼泄露查詢網站。

隨便用了一下，發現網站雖然講密碼打碼了，但是某些數據還是可以猜出來原始的內容，或者通過簡單的計算拿到原始的內容。

but，我不能一個個輸入然後看吧，數據雖然少，也有上千條啊，怎麼說也是個python程序員，怎麼也得鼓搗一下。

分析一下hxsec的查詢接口，用python批量一下。

0x01 分析接口

hxsec查詢界面如下：

其實接口很簡單，f12，切換到network欄，然後隨便輸入什麼，點擊試試吧皆可以。

看到訪問的網絡接口如下：

Request URL:http://cha.hxsec.com/ajax.php?act=select
Request Method:POST
Status Code:200 OK

select_act:3
match_act:2
key:ll111
table:212300_cxhr_zhaopin_com

參數都特別簡單，select_act表示User and Email/User/Emial，match_act表示模糊/精確查詢，key就是輸入的關鍵字。最後一個table比較重要了，表示在什麼庫中查詢，掃描時看到進度變化，在什麼庫中進行了多少了，每次搜索都會在這所有庫中搜索，直到結束。

這個數據應該存在了本地，或者初始化時服務器返回了。暫時不管，後面繼續重點分析（有意思的就在這）。

請求返回數據，有下面幾種情況：

沒有返回空內容

//該庫只有一條數據
addRow("ll111","[email protected]","202**962AC59075B964B07152D234B70","212300_cxhr_zhaopin_com");

//該庫有多少數據
addRow("'fish13', '[email protected]', '**', 'mail_qq_sohu");addRow("fish13', '[email protected]', '**', 'mail_qq_sohu");addRow("fish13', '[email protected]', '**', 'mail_qq_sohu'], ['fish13', '', '176**1176671', 'qq_old_password'

0x02 分析table

其實接口很清楚了，但是還需要直到所有table的內容，然後才能完成所有數據搜索。

所以，table怎麼找，在哪裏呢！

還是要分析代碼了…

看看錶單所在位置代碼，找找搜索按鈕的響應函數（這裏也可以看到上面說的參數的詳情），很明顯響應函數是getdata。

<p><span class="input-group">
  <select class="btn btn-success" id="match_act" name="match_act">
    <option value="2" selected="">精確匹配</option>
    <option value="1">模糊查詢</option>
  </select>

  <select class="btn btn-primary" id="select_act" name="select_act">
    <option class="btn-group" value="3" selected="">User and Email</option>
    <option  class="btn-group" value="1">Username</option>
    <option class="btn-group" value="2">Email</option>
  </select>
  </span></p>
  <div id="jshint-pitch" class="alert alert-info scan-wait" style="display:none;margin-top:10px;font-size:14px">  </div>
  <div id="scan-result-box" style="font-size:12px;">
    <div class="input-group"><span class="input-group-btn scan-but-span">
      <button type="button" class="btn btn-success" onClick="getdata();">試試吧!</button>
      </span>
      <input placeholder="華西安全網提示：輸入用戶名、QQ、Email..看看你的密碼是否泄露~~~請勿非法用途~~"  name="key" class="form-control" id="key" ></input>
    </div>
    <br>

在html，js中一番搜索，tmd居然沒有。
只在system.js中看到了這個！

傻逼|你TM的來打我啊|getdata|stend|u5927|

—-手工分割線——-

TMD的，我這暴脾氣，這是挑釁啊，lz非搞你不可了！這已經上升到人身攻擊了！！！

—-手工分割線——-

很明顯，tmd代碼混淆了。怎麼辦，調試跟唄。

把system.js（用chrome格式化一下，不然…瞎眼）扒出來一看，其實也不復雜。

//jb 5/24修改
eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!''.replace(/^/, String)) {
        while (c--)
            d[e(c)] = k[c] || e(c);
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return '\\w+'
        }
        ;
        c = 1;
    }
    ;while (c--)
        if (k[c])
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);
    return p;
}('3o 2Y$=["",\'\',\'\\\\w+\',\'\\\\b\',\'\\\\b\',\'g\',\'d c$=["1W","#n","1T","1R","#n","\\\\2h\\\\2g\\\\k\\\\p"," \\\\2i\\\\2k\\\\1N","%","H","H","#n","\\\\k\\\\p\\\\T\\\\O!\\\\1q\\\\1t\\\\1j\\\\1k\\\\1g\\\\G\\\\D\\\\E\\\\U\\\\W \\\\z\\\\A:   ","\\\\C\\\\B","#n","\\\\k\\\\p\\\\T\\\\O! \\\\U\\\\W\\\\1v:","\\\\1u \\\\z\\\\A:","\\\\C\\\\B","#n","\\\\k\\\\p\\\\T\\\\O! \\\\U\\\\W\\\\1v:","\\\\1u \\\\z\\\\A:","\\\\C\\\\B",\\\'2j\\\',"1D","1p=","&1o=","&I=","&2c=",\\\'1O.2b?2d=2f\\\',"#H","1T","1R","#I",\\\'\\\',"#I","\\\\Z\\\\2e\\\\2l\\\\k\\\\p\\\\1r\\\\1n/\\\\G\\\\D\\\\E/\\\\2s\\\\2r","\\\\G\\\\D\\\\E\\\\2t\\\\1N\\\\Z\\\\2v\\\\2u!!","#1p","#1o","1C","\\\\1q\\\\1t\\\\2n\\\\1g\\\\2m\\\\1j\\\\1k\\\\2o\\\\1r\\\\1n\\\\2q","2p|2a~!1X~!1Z|a|1Y|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b"];d o;d N;e 1D(1y,1U,1J,Y){d l=1C["2V"]();d 1A=l["q"](0);d 1I=l["q"](1);d 1V=l["q"](2);d 1M=l["q"](3);1A["w"]=1y;1I["w"]=1U;1V["w"]=1J;1M["w"]=Y};e 1x(){$( c$[0])["2U"]()};e 1Q(1l,1e,1b){$( c$[1])["1z"]( c$[2], c$[3]);d 1c=(1l/1e)*g;d M=X(1c,1);t["r"]( c$[4],M,g, c$[5]+1b+ c$[6]+M+ c$[7])};e 1L(){v=1F 1G()["1H"]()-N;d 1s=R["Q"]( c$[8]);d y=1s["P"]["f"];i(y==1){d 1i=R["Q"]( c$[9]);d 1m=1i["P"]["f"];i(1m==1){t["r"]( c$[10],g,g, c$[11]+(v)+ c$[12])}1h{t["r"]( c$[13],g,g, c$[14]+(y-1)+ c$[15]+(v)+ c$[16])}}1h{t["r"]( c$[17],g,g, c$[18]+(y-1)+ c$[19]+(v)+ c$[20])}};e X(1a,1d){d F=1f["2T"](10,1d);S 1f["2X"](1a*F)/F};e 1S(1P,s,1K,2W){$["1O"]({2D: c$[21],2C:1P,2E:s,2G:e(J){i(J["2F"]( c$[22])>=0){2B(J)};i(1K==V["f"]){1L()}}})};e 1E(j,u,x,m,h){1Q(h+1,m["f"],m[h]);d s= c$[23]+u+ c$[24]+x+ c$[25]+j+ c$[26]+m[h];1S( c$[27],s,o+1,m["f"]);o=o+1};e 2x(){$( c$[28])["1z"]( c$[29], c$[2w]);1x();d j=$( c$[2y])["K"]();i(j== c$[2A]){$( c$[2z])["2H"]();L( c$[2P]);S 1w};i(j["f"]<4){L( c$[2O]);S 1w};d u=$( c$[2Q])["K"]();d x=$( c$[2S])["K"]();N=1F 1G()["1H"]();o=0;2R(d h=0;h<V["f"];h++){1E(j,u,x,V,h)}};e 2N(){d 1B=R["Q"]( c$[2J])["P"]["f"];i(1B==0){L( c$[2I])}};e 2K(){d 2M= c$[2L]}\',\'||||||||||4U|4R|2Y|3o|3e|4Q|4T|4S|3h|54|53|56|50|52|4z|4B|4M|4O|4J|5w|5v|5q|5s|4b|4c|49|4a|4f|4g|4d|4e|48|42|43|3Z|41|46|47|3f|44|45|4h|4t|4u|3b|4r|4s|4x|4y|4v|4w|4q|||||||||||4k|4l|2Z|4i|4j|4o|4p|4m|4n|3Y|3p|3d|3u|3v|3w|3y|3A|3z|3x|3E|3F|3D|3B|3C|3s|3t|3r|3q|3R|3S|3P|3j|3Q|3T|3W|3X|3U|3V|3I|3J|3G|3H|3K|3N|3O|3L|3M|5j|5k|5h|5i|5n|||||||||||5o|5l|5m|5g|5a|5b|58|59|5e|5f|5c|5d|5A|5B|5y|5z|5E|5F|5C|5D|5x|5r|30|5p|31|33|32|3n|5t|5u|57|4K|4L|4I|39|38|4P|40|4N|4H|35|34|36|4C|37|4A|4F|4G|4D|4E\',\'|\'];3n(3e(3g,3d,2Z,3c,e,3f){e=3e(3a){3b(3a<3d? 2Y$[0]:e(51(3a/3d)))+((3a=3a%3d)>35?3i["4Z"](3a+29):3a["55"](36))};3h(! 2Y$[1]["3k"](/^/,3i)){3m(2Z--)3f[e(2Z)]=3c[2Z]||e(2Z);3c=[3e(3l){3b 3f[3l]}];e=3e(){3b 2Y$[2]};2Z=1};3m(2Z--)3h(3c[2Z])3g=3g["3k"](3j 4Y( 2Y$[3]+e(2Z)+ 2Y$[4], 2Y$[5]),3c[2Z]);3b 3g}( 2Y$[6],4W,4X, 2Y$[7]["4V"]( 2Y$[8]),0,{}))', 62, 352, '||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||_|somd5comf78518fb1|||||||||||somd5com21a288587|return|somd5com6d38bb14b|somd5com3de2f8f6d|function|somd5comd152c7b41|somd5comf3298c8c5|if|String|new|replace|somd5com8f18e7d16|while|eval|var|u7d22|somd5com16af76eea|somd5com6cd7bc889|somd5comed2bd7eb6|css|somd5comb9e3341a3|u5bb9|match_act|somd5com4d38b6944|select_act|u5185|u6ca1|false|get_del|u91cf|u6709|u6761|ajax|somd5come0b7918e1|somd5com4823e252c|u5ea6|get_jdt|display|somd5com811fa93b4|block|ajax_post|get_data|Date|value_tables|addRow|getTime|somd5com25f9df3a7|get_okcount|somd5com6d6674984|somd5comf49be7e59|u641c|key||somd5com9a3a7ef82|u5173|somd5_table|somd5com326e7999e|u6bd5|val|alert|somd5com956a89722|u8017|u65f6|somd5comd7f929c0a|somd5comf1d14de2e|u952e|u5b57|u79d2|u6beb|rows|somd5comf46beb405|somd5com738c8372f|somd5com3b1df0e8d|somd5comdcaedb43e|else|somd5com36f2c91c7|Math|u5230|u8bf7|u5b8c|u6570|getElementById|document|decimal|somd5com5b49d9f12|database|u636e|somd5comdd52905dc|pow|u8be2|for|somd5comb39f98f6a|round|empty|insertRow|gat_kong|focus|somd5comf53e662dd|indexOf|success|insertCell|somd5comea98952b0|progress|dataxxxx|length|SOMD5|somd5comb93c3a502|100|搜MD5|split|62|184|RegExp|fromCharCode|somd5com4af3e5365|parseInt|selecting|u67e5|somd5com490d63bb2|toString|somd5comf94f3be31|data|u5728|u6b63|u8f93|select|u8fdb|u5165|u603b|POST|act|來打我啊|SOMD55|somd5comeff53bcd1|tbody|php|table|傻逼|你TM的來打我啊|getdata|stend|u5927|innerHTML|url|type|somd5combdba21b9c|Administry|u4e8e4|u7684|操你媽|u60a8|u627e|u90ae|u957f|u5462|u7bb1'.split('|'), 0, {}));

不過直接看也挺鬧人的，邊調試邊看吧。

參數是什麼？

// p是字符串
// a 是62
// c 是 352數組大小， k 是Array[352]
// e 是0 ， d 是{}

e函數幹嘛了？具體返回數據暫時也不同看了，調試到了自然可以dump出來

e = function(c) {
        //61以內的就返回字符，0-9,a-z(11-36),A-Z(36-61)
        //62以上
        //c.toString(36) 36進制轉爲字符
        return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }

然後就解密那一長串字符了，用的e

while (c--)
            d[e(c)] = k[c] || e(c);

解出來的數據大概是這樣的一個object，

5y: 'u7684'
5x: 'u4e8e4'
5w: 'Administry'
5v: 'somd5combdba21b9c'
5u: 'type'
5t: 'url'
5s: 'innerHTML'
5r: 'u5927'
5q: 'stend'
5p: 'getdata'
5o: '你TM的來打我啊'
5n: '傻逼'
5m: 'table'
5l: 'php'
5k: 'tbody'
5j: 'somd5comeff53bcd1'

然後繼續解，將結果返回給eval執行

while (c--)
        if (k[c])
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);

直接dump結果，如下

var _$ = ["", '', '\\w+', '\\b', '\\b', 'g', 'd c$=["1W","#n","1T","1R","#n","\\2h\\2g\\k\\p"," \\2i\\2k\\1N","%","H","H","#n","\\k\\p\\T\\O!\\1q\\1t\\1j\\1k\\1g\\G\\D\\E\\U\\W \\z\\A:    ","\\C\\B","#n","\\k\\p\\T\\O! \\U\\W\\1v:","\\1u \\z\\A:","\\C\\B","#n","\\k\\p\\T\\O! \\U\\W\\1v:","\\1u \\z\\A:","\\C\\B",\'2j\',"1D","1p=","&1o=","&I=","&2c=",\'1O.2b?2d=2f\',"#H","1T","1R","#I",\'\',"#I","\\Z\\2e\\2l\\k\\p\\1r\\1n/\\G\\D\\E/\\2s\\2r","\\G\\D\\E\\2t\\1N\\Z\\2v\\2u!!","#1p","#1o","1C","\\1q\\1t\\2n\\1g\\2m\\1j\\1k\\2o\\1r\\1n\\2q","2p|2a~!1X~!1Z|a|1Y|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b|a|b"];d o;d N;e 1D(1y,1U,1J,Y){d l=1C["2V"]();d 1A=l["q"](0);d 1I=l["q"](1);d 1V=l["q"](2);d 1M=l["q"](3);1A["w"]=1y;1I["w"]=1U;1V["w"]=1J;1M["w"]=Y};e 1x(){$( c$[0])["2U"]()};e 1Q(1l,1e,1b){$( c$[1])["1z"]( c$[2], c$[3]);d 1c=(1l/1e)*g;d M=X(1c,1);t["r"]( c$[4],M,g, c$[5]+1b+ c$[6]+M+ c$[7])};e 1L(){v=1F 1G()["1H"]()-N;d 1s=R["Q"]( c$[8]);d y=1s["P"]["f"];i(y==1){d 1i=R["Q"]( c$[9]);d 1m=1i["P"]["f"];i(1m==1){t["r"]( c$[10],g,g, c$[11]+(v)+ c$[12])}1h{t["r"]( c$[13],g,g, c$[14]+(y-1)+ c$[15]+(v)+ c$[16])}}1h{t["r"]( c$[17],g,g, c$[18]+(y-1)+ c$[19]+(v)+ c$[20])}};e X(1a,1d){d F=1f["2T"](10,1d);S 1f["2X"](1a*F)/F};e 1S(1P,s,1K,2W){$["1O"]({2D: c$[21],2C:1P,2E:s,2G:e(J){i(J["2F"]( c$[22])>=0){2B(J)};i(1K==V["f"]){1L()}}})};e 1E(j,u,x,m,h){1Q(h+1,m["f"],m[h]);d s= c$[23]+u+ c$[24]+x+ c$[25]+j+ c$[26]+m[h];1S( c$[27],s,o+1,m["f"]);o=o+1};e 2x(){$( c$[28])["1z"]( c$[29], c$[2w]);1x();d j=$( c$[2y])["K"]();i(j== c$[2A]){$( c$[2z])["2H"]();L( c$[2P]);S 1w};i(j["f"]<4){L( c$[2O]);S 1w};d u=$( c$[2Q])["K"]();d x=$( c$[2S])["K"]();N=1F 1G()["1H"]();o=0;2R(d h=0;h<V["f"];h++){1E(j,u,x,V,h)}};e 2N(){d 1B=R["Q"]( c$[2J])["P"]["f"];i(1B==0){L( c$[2I])}};e 2K(){d 2M= c$[2L]}', '||||||||||搜MD5|SOMD5|_|var|function|length|100|somd5comb93c3a502|if|somd5com490d63bb2|u67e5|somd5comf94f3be31|somd5com4af3e5365|selecting|somd5comdd52905dc|u8be2|insertCell|progress|somd5comf53e662dd|Administry|somd5combdba21b9c|stend|innerHTML|somd5comd7f929c0a|somd5comf1d14de2e|u8017|u65f6|u79d2|u6beb|u952e|u5b57|somd5com956a89722|u5173|somd5_table|key|somd5com9a3a7ef82|val|alert|somd5comd152c7b41|somd5com326e7999e|u6bd5|rows|getElementById|document|return|u5b8c|u6570|database|u636e|decimal|somd5com5b49d9f12|u8bf7|||||||||||somd5com3b1df0e8d|somd5comdcaedb43e|somd5comf78518fb1|somd5comf46beb405|somd5com738c8372f|Math|u5230|else|somd5com36f2c91c7|u641c|u7d22|somd5com3de2f8f6d|somd5comb9e3341a3|u5bb9|match_act|select_act|u6ca1|u5185|somd5com4d38b6944|u6709|u6761|u91cf|false|get_del|somd5comed2bd7eb6|css|somd5com6cd7bc889|somd5com16af76eea|value_tables|addRow|get_data|new|Date|getTime|somd5com6d6674984|somd5comf49be7e59|somd5com25f9df3a7|get_okcount|somd5com4823e252c|u5ea6|ajax|somd5come0b7918e1|get_jdt|block|ajax_post|display|somd5com811fa93b4|somd5comeff53bcd1|tbody|來打我啊|SOMD55|傻逼|||||||||||你TM的來打我啊|php|table|act|u8f93|select|u5728|u6b63|u603b|POST|u8fdb|u5165|u60a8|u627e|u7684|操你媽|u5462|u7bb1|u90ae|u957f|u4e8e4|u5927|30|getdata|31|33|32|eval|url|type|data|indexOf|success|focus|39|38|dataxxxx|40|somd5comea98952b0|gat_kong|35|34|36|for|37|pow|empty|insertRow|somd5comb39f98f6a|round', '|'];
eval(function(somd5comf3298c8c5, somd5com3de2f8f6d, somd5comf78518fb1, somd5com6d38bb14b, e, somd5comd152c7b41) {
    //
    e = function(somd5com21a288587) {
        return (somd5com21a288587 < somd5com3de2f8f6d ? _$[0] : e(parseInt(somd5com21a288587 / somd5com3de2f8f6d))) + ((somd5com21a288587 = somd5com21a288587 % somd5com3de2f8f6d) > 35 ? String["fromCharCode"](somd5com21a288587 + 29) : somd5com21a288587["toString"](36))
    }
    ;
    if (!_$[1]["replace"](/^/, String)) {
        while (somd5comf78518fb1--)
            somd5comd152c7b41[e(somd5comf78518fb1)] = somd5com6d38bb14b[somd5comf78518fb1] || e(somd5comf78518fb1);
        somd5com6d38bb14b = [function(somd5com8f18e7d16) {
            return somd5comd152c7b41[somd5com8f18e7d16]
        }
        ];
        e = function() {
            return _$[2]
        }
        ;
        somd5comf78518fb1 = 1
    }
    ;while (somd5comf78518fb1--)
        if (somd5com6d38bb14b[somd5comf78518fb1])
            somd5comf3298c8c5 = somd5comf3298c8c5["replace"](new RegExp(_$[3] + e(somd5comf78518fb1) + _$[4],_$[5]), somd5com6d38bb14b[somd5comf78518fb1]);
    return somd5comf3298c8c5
}(_$[6], 62, 184, _$[7]["split"](_$[8]), 0, {}))

有沒有感覺很熟悉的結果，就是上面解密的哪個函數，參數變量真tmd
好看。不詳細說了，跟前一次一樣，最後返回一個解密的js代碼，給eval執行。

這次dump出來看到了要的東西了！註釋都有了，就不說了

function getdata() {
    $(_$[28])["css"](_$[29], _$[30]);
    get_del();
    var somd5com490d63bb2 = $(_$[31])["val"]();//輸入
    if (somd5com490d63bb2 == _$[32]) {
        $(_$[33])["focus"]();
        alert(_$[34]);
        return false
    }
    ;if (somd5com490d63bb2["length"] < 4) {
        alert(_$[35]); //"關鍵字長度請大於4!!"
        return false
    }
    ;var somd5combdba21b9c = $(_$[36])["val"](); //選擇的搜索類型，1，2,3
    var somd5comd7f929c0a = $(_$[37])["val"](); //匹配類型，1模糊,2精確
    somd5com326e7999e = new Date()["getTime"](); //時間戳
    somd5comdd52905dc = 0;
    for (var somd5comb93c3a502 = 0; somd5comb93c3a502 < database["length"]; somd5comb93c3a502++) {
        get_data(somd5com490d63bb2, somd5combdba21b9c, somd5comd7f929c0a, database, somd5comb93c3a502)
    }
}

誒，忘了一件事，我們是找table的，在哪裏呢？！

其實就是上面代碼中的database了，這裏循環每個table通過get_data(內部ajax訪問)來搜索結果。

for (var somd5comb93c3a502 = 0; somd5comb93c3a502 < database["length"]; somd5comb93c3a502++) {
        get_data(somd5com490d63bb2, somd5combdba21b9c, somd5comd7f929c0a, database, somd5comb93c3a502)
    }

在dump出來的js代碼中一搜，database沒有找到定義，我靠！什麼情況！調試到getdata時，確實是有值的，dump內容如下：

["06_cn_mumayi_jd_com","1010wan_beihaiw_duowan","12306_cn","131_xiu_tianya",
"17173_com","212300_cxhr_zhaopin_com","212300_cxhr_zhaopin_copy","24buy_cd","51cto_com_new",
...] //一部分

但是我能就這麼算了嗎？！database究竟哪裏來的，真想只有一個，去html再看一眼，搜到如下內容，嗯，看來是了，服務器返回的database。

  <script src="./ajax.php?act=database"></script>

訪問http://cha.hxsec.com/ajax.php?act=database，拿到返回的結果

var database = new Array("06_cn_mumayi_jd_com","1010wan_beihaiw_duowan","12306_cn","131_xiu_tianya","17173_com","212300_cxhr_zhaopin_com","212300_cxhr_zhaopin_copy","24buy_cd","51cto_com_new","51job_com","52pk_com","55_la","766_tuan800_wanmei_37","7k7k_com","admin5_apphan_07073_soyun","aipai_com","all_hack_website","av_creditcard_com_cn","ccidnet_lashou_com","cnnb_mop_qinbao_jiapin_qd315","cnzz_com","co188_com","csdn_net","damai_cn","dangdang_com","dodonew_com","gfan_com","hiapk_com","houdao_com","ipart_cn","jxjatv_073yx_moko_treo8_paojiao","jxrsrc_zhenai","kaixin001_com-ispeak_com","mail_126_com","mail_163_com","mail_qq_sina","mail_qq_sohu","pconline_com_cn","pingan_com","qiannao_dedecms_baofeng","qq_old_password","radius-qingdaonews_com","renren_com","seowhy_shooter-tatazu_book118_cs","sorry_unknown","sorry_unknown2","tgbus_com","tpy100_com-jia_com","uuu9_com","weibo_com","xda_comicdd_game","xiaohua_other","xiaomi_com");

也知道前面的database變量怎麼來的了，爲了database有效，ajax.php?act=database是在system.js加載完之後發送的請求。

0x03 總結

ok，分析告一段落，table拿到了，接口所有信息都弄清楚了，下面就是開始碼代碼了！

另外，我只想對寫system.js的同志說，nmmmp！那一段中文啥用沒有，只能激起fn！

有不敬之處，敬請見諒！

有一點小小的分析技巧：

.......
//想看這的請移步博客原文，自己想法看這個內容。嘎嘎，沒找到請留言

封裝了一套py的代碼，有需要的請說！
https://github.com/anhkgg/hxsec_search

轉載請註明出處，博客原文：https://anhkgg.github.io/hxsec-search-pwd-interface-analyze