Began with enthusiasm, ended with carelessness: Python anti-scraping, Jiageng post, a group member asked about MIHA's API, so y24 was arranged for him

2022-04-29 12:46:55 Hua Weiyun


You are reading the blog of 【Dream eraser】.

Practical scenario

This post belongs to the Jiageng (extra update) series and comes out of the 78 Tech community.

The target this time is a site whose address, provided by a group member, is as follows.

bbs.mihoyo.com/dby/article/21147956

Open the page and have a look. Sure enough ~

Starting from the API the group member provided, find the corresponding request logic. The address they provided is as follows.

bbs-api.[redacted].com/post/wapi/getPostFull?gids=5&post_id=21147956&read=1

A screenshot of its code is shown below.

Even with the basic parameters in the request headers in place, the response was still a 403 status code, so there is very likely some encryption logic in the request headers. What a coincidence: a case delivered right to the door.

Anti-scraping analysis

After opening the developer tools, execution is immediately stopped by an infinite debugger loop.

Disable this line of code first by selecting the button shown in the figure below at the line-number position.

Find the interface the group member provided, view its request headers, and work out which parameters are being verified.

Request URL: bbs-api.[redacted].com/post/wapi/getPostFull?gids=5&post_id=21147956&read=1
Request method: GET

Apart from the cookie, the several parameters boxed below are highly suspect.

Judging by the format of the data, a blind guess is that they are a timestamp and an MD5 digest.

Simulating the request with Postman returns the data directly. Awkward: does it have nothing to do with the encrypted parameters?

Write the code as follows:

    import requests

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
        "Origin": 'https://bbs.mihoyo.com/',
        # Repeated "User-Agent" key: Python keeps only this last value
        "User-Agent": "https://bbs.mihoyo.com/"
    }
    # Request the post-detail endpoint and print the raw response body
    r = requests.get('https://bbs-api.mihoyo.com/post/wapi/getPostFull?gids=5&post_id=21147956&read=1',
                     headers=headers, timeout=3)
    print(r.text)

The result is still 403: access is blocked.

In that case some request header parameters may be missing, so keep filling them in.

After many attempts, it turned out that one of the parameters in the Cookie is acw_tc, and it changes on every refresh. Is this the reason we cannot access the data?

Use the following code:

    import requests

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
        "Origin": 'https://bbs.mihoyo.com/',
        # Repeated "User-Agent" key: Python keeps only this last value
        "User-Agent": "https://bbs.mihoyo.com/",
        "Host": "bbs-api.mihoyo.com"
    }
    # A Session stores cookies such as acw_tc and sends them on later requests
    s = requests.Session()
    params = {
        "gids": 5,
        "post_id": 21147956,
        "read": 1
    }
    with s.get('https://bbs-api.mihoyo.com/post/wapi/getPostFull', params=params, headers=headers) as r:
        print(r)

Still no data. The developer tools show that acw_tc is an HttpOnly cookie.

But a cookie with this flag is only protected against XSS (cross-site scripting) attacks, that is, JS is prevented from reading the cookie. In principle it places no restriction on requests initiated from Python code.

Are other parameters encrypted? Yet Postman can make the request normally. At this point I was confused ~

But when I went back over the code, I found that I had made a mistake: I had not written the Referer header.

After modifying the code, the data was successfully obtained.
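
The mistake found above can be caught mechanically. This is an added example, not the author's code: both scripts write "User-Agent" twice in the headers dict, Python keeps only the last value, and no Referer is ever sent. The audit below flags repeated keys in dict literals and reports expected header names that are never set; `BROWSER_HEADERS` and the function name are assumptions made for the illustration.

```python
import ast

# Constructed sample: the headers literal from the failing script above,
# with the long browser User-Agent string shortened.
FAILING_SOURCE = '''
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Origin": "https://bbs.mihoyo.com/",
    "User-Agent": "https://bbs.mihoyo.com/",
}
'''

# Assumption: header names carried by the browser request, copied by hand
# from the developer tools (the page shows them only in a screenshot).
BROWSER_HEADERS = ["User-Agent", "Origin", "Referer"]


def audit_header_literals(source, expected=()):
    """Return (duplicates, missing) for the dict literals in `source`.

    duplicates: list of (header_name, first_line, repeat_line)
    missing:    expected header names that no dict literal sets
    HTTP header names are case-insensitive, so keys are compared lowercased.
    """
    duplicates, seen_anywhere = [], set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        first_seen = {}
        for key in node.keys:
            # key is None for `**other` unpacking; skip non-string keys too
            if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
                continue
            name = key.value.lower()
            if name in first_seen:
                duplicates.append((key.value, first_seen[name], key.lineno))
            else:
                first_seen[name] = key.lineno
            seen_anywhere.add(name)
    missing = [h for h in expected if h.lower() not in seen_anywhere]
    return duplicates, missing


if __name__ == "__main__":
    dups, missing = audit_header_literals(FAILING_SOURCE, BROWSER_HEADERS)
    for name, first, again in dups:
        print(f"line {again}: {name!r} repeats the key from line {first}; the later value wins")
    print("never set:", ", ".join(missing) or "none")
```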


copyright notice
Author: [Hua Weiyun]. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2022/119/202204291122394557.html