聲明
原創文章,請勿轉載!
本文內容僅限於安全研究,不公開具體源碼。維護網絡安全,人人有責。
本文配合其他文章一起服用效果更好,能更全面體會安全產品的設計。
(1)《第三代驗證碼研究》https://www.cnblogs.com/boycelee/p/11363611.html(推薦)
(2)《頂象驗證碼破解與研究》https://www.cnblogs.com/boycelee/p/14269941.html(推薦)
(3)《極驗驗證碼破解與研究》https://www.cnblogs.com/boycelee/p/14021048.html(推薦)
(4)《極驗無感驗證破解》https://www.cnblogs.com/boycelee/p/13951819.html
(5)《同盾小程序指紋破解》https://www.cnblogs.com/boycelee/category/1819211.html
本文主要通過破解協議的方式繞過極驗安全驗證,思路與網上自動化的方式有很大的不同
一、完整流程1、極驗官網完整流程一、實例研究1、實例研究地址2、實例研究場景二、請求分析1、網絡請求抓包2、數據說明3、請求分析請求1:gt.js(1)請求介紹(2)關鍵代碼解釋說明請求2:gettype.js(1)請求介紹(2)請求詳情請求3:fullpage.js請求介紹請求4:get.php(1)請求介紹(2)關鍵步驟請求5:ajax.php(1)請求介紹(2)關鍵步驟請求6:slide.js請求介紹請求詳情請求7:get.php(1)請求介紹(2)請求詳情請求8:ajax.php(1)請求介紹(2)請求詳情關鍵步驟4、整體流程三、成果展示四、總結五、最后
一、完整流程
1、極驗官網完整流程
一、實例研究
我們以春秋航空注冊場景的驗證碼為研究對象
1、實例研究地址
https://account.ch.com/NonRegistrations-Regist
2、實例研究場景
二、請求分析
1、網絡請求抓包
從網絡抓包結果可以看到,整個極驗驗證碼與極驗服務器一共交互了8次。要想破解極驗驗證碼,首先我們就需要搞清楚每次請求都攜帶了哪些參數,其次就是參數如何生成的?只有搞明白每個參數的意義,后續我們才能夠通過偽造參數以達到破解的目的。
2、數據說明
在分析極驗請求前,需要先解釋說明兩個參數。
(1)gt:極驗為每個使用方提供一個唯一身份標識用於進行服務區分
(2)challenge:用於請求串聯,我們都知道http是無狀態的,有了challenge就能把各個請求串聯起來。(注意:challenge是會發生改變的,記得及時更換)
3、請求分析
請求1:gt.js
(1)請求介紹
關於第一個請求,在極驗的官方文檔已經給我們介紹了(https://docs.geetest.com/sensebot/deploy/client/web)。gt.js文件用於加載對應的驗證JS庫。
(2)關鍵代碼
1Config.prototype = {
2 api_server: 'api.geetest.com',
3 protocol: 'http://',
4 typePath: '/gettype.php',
5 fallback_config: {
6 slide: {
7 static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"],
8 type: 'slide',
9 slide: '/static/js/geetest.0.0.0.js'
10 },
11 fullpage: {
12 static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"],
13 type: 'fullpage',
14 fullpage: '/static/js/fullpage.0.0.0.js'
15 }
16 },
17 _get_fallback_config: function () {
18 var self = this;
19 if (isString(self.type)) {
20 return self.fallback_config[self.type];
21 } else if (self.new_captcha) {
22 return self.fallback_config.fullpage;
23 } else {
24 return self.fallback_config.slide;
25 }
26 },
27 _extend: function (obj) {
28 var self = this;
29 new _Object(obj)._each(function (key, value) {
30 self[key] = value;
31 })
32 }
33};
解釋說明
(1)正常請求會發送gettype.php請求
1# Request URL
2https://api.geetest.com/gettype.php?gt=25ba81caec944f8d74c98befd841a667&callback=geetest_1605974702024
3
4# Query String Parammeters
5gt: 25ba81caec944f8d74c98befd841a667
6callback: geetest_1605974702024
(2)兜底策略
如果發生異常情況,極驗服務器無法響應。這時就會發送http://static.geetest.com/static/js/geetest.0.0.0.js獲取能夠在本地驗證的js文件,確保應用服務正常運行。具體可以參考我的另一篇博客《極驗無感驗證破解》https://www.cnblogs.com/boycelee/p/13951819.html
請求2:gettype.js
(1)請求介紹
該請求的目的是獲取極驗安全的核心js文件/static/js/fullpage.9.0.2.js和極驗提供的各類型驗證碼對應的js文件。
(2)請求詳情
1# Request URL
2https://api.geetest.com/gettype.php?gt=25ba81caec944f8d74c98befd841a667&callback=geetest_1605974702024
3
4# Query String Parammeters
5gt: 25ba81caec944f8d74c98befd841a667
6callback: geetest_1605974702024
7
8# Response
9geetest_1605974702024({status: "success",…})
10data: {type: "fullpage", voice: "/static/js/voice.1.2.0.js", maze: "/static/js/maze.1.0.1.js",…}
11aspect_radio: {slide: 103, voice: 128, click: 128, pencil: 128, beeline: 50}
12beeline: "/static/js/beeline.1.0.1.js"
13click: "/static/js/click.2.9.4.js"
14fullpage: "/static/js/fullpage.9.0.2.js"
15geetest: "/static/js/geetest.6.0.9.js"
16maze: "/static/js/maze.1.0.1.js"
17pencil: "/static/js/pencil.1.0.3.js"
18slide: "/static/js/slide.7.7.5.js"
19static_servers: ["static.geetest.com/", "dn-staticdown.qbox.me/"]
20type: "fullpage"
21voice: "/static/js/voice.1.2.0.js"
22status: "success"
請求3:fullpage.js
請求介紹
該js文件就是極驗驗證碼的核心文件,其主要功能是指紋數據、環境檢測數據收集。獲取js文件可以通過https://static.geetest.com/static/js/fullpage.9.0.2.js得到。
請求4:get.php
(1)請求介紹
該請求主要發送的內容是通過執行fullpage.js文件收集的瀏覽器數據,用於后續設備指紋計算以及初步風險檢測。如果該請求偽造得足夠好,就會觸發無感驗證
(2)關鍵步驟
流程圖
a、數據收集
瀏覽器數據:js文件元素、瀏覽器大小、瀏覽器插件、canvas、字體、時區等數據
1{
2 textLength,
3 HTMLLength,
4 documentMode,
5 A,
6 IMG,
7 INPUT,
8 LINK,SPAN,
9 STYLE,
10 screenLeft,
11 screenTop,
12 screenAvailLeft,
13 screenAvailTop,
14 innerWidth,
15 innerHeight,
16 outerWidth,
17 outerHeight,
18 browserLanguage,
19 browserLanguages,
20 devicePixelRatio,
21 colorDepth,
22 userAgent,
23 screenWidth,
24 screenHeight,
25 screenAvailWidth,
26 screenAvailHeight,
27 localStorageEnabled,
28 sessionStorageEnabled,
29 indexedDBEnabled,
30 platform,
31 doNotTrack,
32 timezone,
33 canvas2DFP,
34 canvas3DFP,
35 plugins,
36 maxTouchPoints,
37 flashEnabled,
38 javaEnabled,
39 hardwareConcurrency,
40 jsFonts,
41 timestamp,
42 performanceTiming
43 ...等等(不完全暴露,以免被有心人利用)
44};
b、格式處理
在每個收集的數據中間,通過“!”感嘆號來對數據進行切割。
c、請求參數構造
1{
2 gt: gt,
3 challenge: challenge,
4 new_captcha: true,
5 protocol: https == true ? "https://" : "http://",
6 beeline: scriptInfo.beeline,
7 fullpage: scriptInfo.fullpage,
8 static_servers: scriptInfo.static_servers,
9 pencil: scriptInfo.pencil,
10 click: scriptInfo.click,
11 voice: scriptInfo.voice,
12 slide: "/static/js/slide.7.7.5.js",
13 geetest: "/static/js/geetest.6.0.9.js",
14 https: https,
15 i: # 收集的瀏覽器數據
16}
d、明文請求參數加密
使用對稱加密算法對上述明文參數進行加密(可能是AES)。
e、構造密文請求參數
1gt: 25ba81caec944f8d74c98befd841a667
2challenge: 61f4492c9e8ea1e136e98b38107d561e
3lang: zh-cn
4pt: 0
5client_type: web
6w: Wt(lNJWNy9DeW5Z6nJck3NZCQaoyQdi3TTcxtdnFpU65OTMLZvjnrK9bgDx94DdhAlV0bvg61eh)qX0m(bWYmvFzG84QiCW7S5tLICB4QMC(zoR0YLHui9VVj6iJwWEK9lFIqklAGbsFUYHM3GEGr6mrnflcVvbIyyo8SJGIF4j70VqCLwmmcChYl4TX9GZQb0pN0)dJHSIJucHlyrrxhSpqk4b(ox65Ur4IX)De0of3r6WB78QI7)XNqxKheWL(L7peMT)f(bIl6ut5S1gO7d9dRSSZac9SjtQGUfXPNHtbm1tOts(zRdjihk8z)Zfsh)JFqM4QQgrhnd6wBOQ8pyv60bjgpONQeJdKnNBIb(SXgo)flKztgLn1cehGDcCTTQcNlnWi5E7R)(5X01pqSyc16(8YSj)CXk2T6JHUXCXXFAXrSFWs7noM4IR7KUawc1KLmu4lDLA913wOOGoCv5C06D4D48IkVeDIalagtcLwMVd(S7TAVVwWtxXXzsnxLipWbB9HjYSiYPeg3YzjvnJpbV)oDukpEkYkl2kjs53ucZ8jo33(QE09ubUvMLgQuHwIWOoqaO5VJ4ESffY)87yPJrLJprSRUTYHmuTAo6yyI0OeQGk5CHxx67iHrgzHnNxAAPZY5yrv)CJ3xcBhZgu0tk8lCYgiH1wbigIChhPgd5QTP0nJiOJPgQs76yVkvX7bLEMWJfWjLqIzZ1hd9XQmt)2yGvVLC0iiApcqGuKSvRhxvVrW01WPp6pzFOywFXULhI7vsqUOTvqoNnwJtnSv1b40F)F2y6lC8LRsj1AKBcxREtAtqKvpXOcCFPxT2qMdLKgISgYJ33RVknFDS4JfOhTk9AgXBFtSJ2zM7tpPROoRoBsPVMOrbO)mdip4Z62PxxSDS8cA0PW980wi6ZhaDamumAlxx8RQKLPW587)9Xehn5s6cIMdMFRIAubg0VXlnW5Us2IvKeI6cjEfHNMyCJz4Fmv3)IYsXh3iigq87dCjtkGlGiVTrjjo2q44e(qr0GAo5CrxuKO)EgbdLDAyqf)5WFlSx)VXn5UoZF(AunphgVIn4(vMeFVWN(fWYj(MKztePyzCi2Cdd3pLrrL2IrD7NvNo87wvdX6ro5Q6GVVHP14IvrQsArUDdnIZjz5kMJ0IG0rsd2oQL2XFndtTcuJNlRewL5KYai(K2uPNjCQmXLfEfH2LMIjerHM126aAv5EhwLuFhvxKhIjoEGoQqMGg3FZorOHWIJEt6jSDtKNwLeeUXomknlRtaVwVCJJkrR9MfM8vldLCZ..e581bf73fb48171a223c9fac8fc74f151438380e515f1775cb26d78086253beef82f250f02349285fd86ed2d52d0acb6f45fa1733340ea282c3524c432d93df20d22b28c2c382e1ad52d72b20fcc2104188b7e99d11ca440325cb4391e34d78f2122162d3e3fb3efa810139c6d1f933b1dacfdc1e044686369271275d2ac258a
w參數:步驟4中對稱加密后的數據(gt、chanllenge、瀏覽器數據、驗證碼js路徑)+ 使用非對稱加密對“對稱加密密鑰”進行加密后的加密串
f、返回數據
1geetest_1605981310309({
2 "status": "success",
3 "data": {
4 "logo": false,
5 "s": "73304840",
6 "i18n_labels": {
7 "read_reversed": false,
8 "copyright": "\u7531\u6781\u9a8c\u63d0\u4f9b\u6280\u672f\u652f\u6301",
9 "goto_confirm": "\u524d\u5f80",
10 "ready": "\u70b9\u51fb\u6309\u94ae\u8fdb\u884c\u9a8c\u8bc1",
11 "goto_homepage": "\u662f\u5426\u524d\u5f80\u9a8c\u8bc1\u670d\u52a1Geetest\u5b98\u7f51",
12 "next": "\u6b63\u5728\u52a0\u8f7d\u9a8c\u8bc1",
13 "next_ready": "\u8bf7\u5b8c\u6210\u9a8c\u8bc1",
14 "loading_content": "\u667a\u80fd\u9a8c\u8bc1\u68c0\u6d4b\u4e2d",
15 "success": "\u9a8c\u8bc1\u6210\u529f",
16 "fullpage": "\u667a\u80fd\u68c0\u6d4b\u4e2d",
17 "reset": "\u8bf7\u70b9\u51fb\u91cd\u8bd5",
18 "goto_cancel": "\u53d6\u6d88",
19 "refresh_page": "\u9875\u9762\u51fa\u73b0\u9519\u8bef\u5566\uff01\u8981\u7ee7\u7eed\u64cd\u4f5c\uff0c\u8bf7\u5237\u65b0\u6b64\u9875\u9762",
20 "success_title": "\u901a\u8fc7\u9a8c\u8bc1",
21 "error_content": "\u8bf7\u70b9\u51fb\u6b64\u5904\u91cd\u8bd5",
22 "error": "\u7f51\u7edc\u4e0d\u7ed9\u529b",
23 "error_title": "\u7f51\u7edc\u8d85\u65f6"
24 },
25 "static_servers": ["static.geetest.com", "dn-staticdown.qbox.me"],
26 "theme": "wind",
27 "feedback": "",
28 "c": [12, 58, 98, 36, 43, 95, 62, 15, 12],
29 "api_server": "api.geetest.com",
30 "theme_version": "1.5.8"
31 }
32})
g、無感驗證
如果該請求偽造的瀏覽器信息足夠好,就會觸發無感驗證,不需要進行加強驗證。
1# Response
2geetest_1606035710872({status: "success", data: {s: "6b402d61", theme: "wind", api_server: "api.geetest.com",…}})
3data: {s: "6b402d61", theme: "wind", api_server: "api.geetest.com",…}
4api_server: "api.geetest.com"
5c: [12, 58, 98, 36, 43, 95, 62, 15, 12]
6feedback: ""
7i18n_labels: {success_title: "通過驗證", refresh_page: "頁面出現錯誤啦!要繼續操作,請刷新此頁面", ready: "點擊按鈕進行驗證", next: "正在加載驗證",…}
8logo: false
9s: "6b402d61"
10static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"]
11theme: "wind"
12theme_version: "1.5.8"
13status: "success"
請求5:ajax.php
(1)請求介紹
a、請求詳情
1# Request URL
2https://api.geetest.com/ajax.php?
3
4# Query String Parameters
5gt: 25ba81caec944f8d74c98befd841a667
6challenge: f91e9b5f7cb34fc2fef98a1281c4f9a5
7lang: zh-cn
8pt: 0
9client_type: web
10w: PN3AyfkANbA5SEGeV3zj3wrdYwzvdZZw0hxaGHTXJUKFj7oeqLehkFa0c2Wma0D)DkvqU4xfIcbZGjnFyBK0NQ7VFAKCE(BnrKk5RDHCLXGrU3jkPh1pPGCXxywO2y2gg332yjxU7Wk7ZZzYroMNgrNZdc4ebUioVkgivWUbGFSEOBLPBPtU3Mg56FixAAO8jr1VsKXQsJFbmmMeGZ)QgmtJ9xUOhmFXjBNIbfVlsxvFljpNYaGrYxb7jV8(PhtHROTS37gGcpBoLuCXJo1iSHXEPixniDFZoQYt8r9gxFiK)CTPgwmiqXHeg0mkCQTxUTDr1)fVw9(1DCVTOXgXwCQ3LDIfdmi7bTNOqOf2F)8kXGv8g8cvMcSxkoAK(FWIblKoHjk4BT(thhJG4oyphzxQkRFLjXKE8aEmBI1Wn3legt66SGj3zZJk94OyWrkEWLyK2YnT7SYS1KVjj1Gd81mZlVA5P5sfnhZl72IRuaLGWn4jIFJhcd0dAZs5sTrIXzMpmoInN6TvMHTlux3oHs3c6l8TUPExxMoQ6oMLVAi6IZM0hrUDozyrWRJ8UT6KaeKBIgruAM)YXdQCGM4zDzL0fPwzTJC3cmlBLFmuGE(hAxbBzCuuyD8)7g2no7n0okLw9tpovsBaISZLH8pP4ujt05oz0ekEYnYZloSgQFTs40s(31TB8Pg5IO7Mg83WqgvDhKH1t1nsgqtwEmOuP6ra1yV6UHqqcg1MoPb2Rk5IbXws)utkSbrfLBlEYKVNuCqIuTqr9pvvhnHSeD5Y7pJYLBqS6sWCNQo8H()S8bQ)R2n0j8kAGUnJ27tIHzVKJE3BiO5ZO4WudFKpcqQVffhPpjtzl(f65)nLI5Hd0X7MLpXbUR36DC7FkTHwlVR4jMh3s2MboNIhpxuzzDgNzxwH9gmlgPpL3eU0s2UYGUY5L94DWTNktRlTaVEGNdpDAIoaoVKC6uf2wBJvwZh0TWrhGr2PdHiBpcmJYXlDpH0csf5PTGyBHxcNv0(AiOoKsYc0xcaLUJq)OlFBzErRIbxTnG1bfB4u1KG9vBs)qxGqux7n8DfIQ8tQCswqKk(5Yr7fnGTlO6zGlPmMQdcSfuCasd9T573MrZsIc(sX)VC5wc4Rd2BI31RVbu6P7DhQBnt)1IPPLKOmNo)liGCgG9PaFyAX(TJvyD5DDKDE)0fAbl7DD2i9NBW)Eoq9lVDalE(F8xxnlVxfQCJP)CyJEG8F0SxJo4AG6kQF(JFOEn8zH)UDbeYz1tgOWEcO0hDTdlmOIEVP1Ipmrpa95bQm4lSlbtE(vFjy2NrWt1AN)fyAgIvWaQH9bypqoUinzSxK4DJlaipaMee3Z9odzZw9aB5z9KaEixqDrCsf7H7Nfus.
11callback: geetest_1605981541804
12
13# Response
14geetest_1605981541804({"status": "success", "data": {"result": "slide"}})
問題:w參數如何生成?
(2)關鍵步驟
a、數據收集
1 瀏覽器數據:再一次收集“請求4”中的瀏覽器數據。
b、格式處理
(1)在每個收集的數據中間,通過“!”感嘆號來對數據進行切割。
(2)在每個收集的數據中間,通過“magic”來對數據進行切割。例子:11078magic data34095magic dataCSS1Compatmagic data168magic data-1magic data-1magic data-1magic
此處相對於“請求4”有點不一樣,為什么一份數據要用兩種方式進行切割,請求4與請求5都發送一遍,我也沒想明白。
c、鼠標數據收集
數據格式:行為 + x坐標 + y坐標 + 時間戳 + 行為
var pointArray = [["move",900,400,1552388419164,"pointermove"],["move",904,397,1552388419180,"pointermove"],["move",911,381,1552388419195,"pointermove"],["move",916,379,1552388419210,"pointermove"],["move",923,377,1552388419225,"pointermove"],["move",930,373,1552388419240,"pointermove"],["move",937,369,1552388419256,"pointermove"],["move",942,366,1552388419271,"pointermove"],["move",949,364,1552388419287,"pointermove"],["move",953,362,1552388419302,"pointermove"],["move",957,360,1552388419318,"pointermove"],["move",961,356,1552388419333,"pointermove"],["move",966,352,1552388419349,"pointermove"],["move",973,350,1552388419364,"pointermove"],["move",978,348,1552388419380,"pointermove"],["move",983,345,1552388419396,"pointermove"],["move",990,343,1552388419411,"pointermove"],["move",994,340,1552388419427,"pointermove"],["move",999,336,1552388419442,"pointermove"],["down",1059,411,1552388422125,"pointerdown"],["focus",1552388422126],["up",1059,411,1552388422375,"pointerup"]];
d、s與c參數加密
s參數與c參數是“請求4返回的”,我的理解是與s參數是“請求4”進行綁定而c參數是圖片順序(從極驗服務器返回的圖片是被無規則切割后的,我們需要c參數配合算法還原)
e、上述參數各種加密后進行再一次加密
f、生成最終w參數
與“請求4”中的w參數加密方法相同。
w參數:(gt, challenge, ip, version, c, s, 瀏覽器信息, 鼠標軌跡)對稱加密 + 使用非對稱加密對“對稱加密密鑰”進行加密后的加密串
g、數據結構圖
此處加密結構實在是太過於冗余,所以用圖的方式更清晰。
請求6:slide.js
請求介紹
“請求5”中Response返回數據geetest_1605981541804({"status": "success", "data": {"result": "slide"}})表明,使用滑塊進行加強驗證。后續進行滑塊驗證碼驗證時,會使用該js進行數據收集與加密處理。
請求詳情
1# Request URL
2https://static.geetest.com/static/js/slide.7.7.5.js
3
4# Response
5返回滑塊驗證相關js代碼
請求7:get.php
(1)請求介紹
獲取驗證碼相關信息,例如圖片路徑、圖片還原數組,請求串聯參數challenge、y坐標等數據。
(2)請求詳情
1geetest_1605982735902({
2 "hide_delay": 800,
3 "static_servers": ["static.geetest.com/", "dn-staticdown.qbox.me/"],
4 "logo": false,
5 "https": true,
6 "width": "100%",
7 "feedback": "",
8 "product": "embed",
9 "so": 0,
10 "ypos": 37,
11 "link": "",
12 "version": "6.0.9",
13 "fullbg": "pictures/gt/7d068eca5/7d068eca5.jpg",
14 "clean": false,
15 "height": 160,
16 "xpos": 0,
17 "theme_version": "1.2.4",
18 "id": "aa812df54ff9aee0ddb35400abe906992",
19 "gt": "25ba81caec944f8d74c98befd841a667",
20 "s": "476e6b52",
21 "api_server": "https://api.geetest.com/",
22 "slice": "pictures/gt/7d068eca5/slice/b5afeb19a.png",
23 "i18n_labels": {
24 "logo": "\u7531\u6781\u9a8c\u63d0\u4f9b\u6280\u672f\u652f\u6301",
25 "cancel": "\u53d6\u6d88",
26 "close": "\u5173\u95ed\u9a8c\u8bc1",
27 "error": "\u8bf7\u91cd\u8bd5",
28 "feedback": "\u5e2e\u52a9\u53cd\u9988",
29 "voice": "\u89c6\u89c9\u969c\u788d",
30 "success": "sec \u79d2\u7684\u901f\u5ea6\u8d85\u8fc7 score% \u7684\u7528\u6237",
31 "tip": "\u8bf7\u5b8c\u6210\u4e0b\u65b9\u9a8c\u8bc1",
32 "read_reversed": false,
33 "refresh": "\u5237\u65b0\u9a8c\u8bc1",
34 "fail": "\u8bf7\u6b63\u786e\u62fc\u5408\u56fe\u50cf",
35 "forbidden": "\u602a\u7269\u5403\u4e86\u62fc\u56fe\uff0c\u8bf7\u91cd\u8bd5",
36 "loading": "\u52a0\u8f7d\u4e2d...",
37 "slide": "\u62d6\u52a8\u6ed1\u5757\u5b8c\u6210\u62fc\u56fe"
38 },
39 "theme": "ant",
40 "bg": "pictures/gt/7d068eca5/bg/b5afeb19a.jpg",
41 "mobile": true,
42 "challenge": "a812df54ff9aee0ddb35400abe906992lw",
43 "show_delay": 250,
44 "benchmark": false,
45 "type": "multilink",
46 "fullpage": false,
47 "template": "",
48 "c": [12, 58, 98, 36, 43, 95, 62, 15, 12]
49})
請求8:ajax.php
(1)請求介紹
該請求就是最重要的一步,驗證碼驗證數據收集,主要收集數據包括滑塊相對偏移位置(x坐標)、鼠標滑動軌跡、c參數、s參數、版本信息等。
(2)請求詳情
1# Request URL
2https://api.geetest.com/ajax.php?
3
4# Query String Param
5gt: 25ba81caec944f8d74c98befd841a667
6challenge: a812df54ff9aee0ddb35400abe906992g1
7lang: zh-cn
8pt: 0
9client_type: web
10w: 01xw)7RkAQTxgt5(KAirHJNk(GQHPSqovqV(huofhVj6LOrChUNg6NV)sMQYfBVZFGoug6B7VB0X)0rw3kI3rEXkMGOk1ewLqxZTVSDud7N6ryucakpAMXzhXRimQa4vPmjYz1nus80DQKvG7iq6XPSbdFxARitg0b4TIcRgX(3AOGK)V2cujs6ExkH7puvD9M8887mK6lCSee6FfBXrO2PdgmlamfM8omcLDwkDECw4g9fODBjYzKnSb1qq27JIyEfyBT77A1xmfhBtgJ8vKEIsm5MyR7LZGMIrXYMwd5IL0317NtnpvpeMGXey8DbABEt43y0UQDpIxkkfwbzJs6BGUKI)FGKlmO5ZA4gX5V(t951E76rZVmSAJBuNuv(doL5nYt(LdhoEq2ElpMts02jxmGT9Zkf0(H3McshaIWT5pcyM6ReRXVbOo2WFzxXZz9ITykQjFtoTr(ld4ydqpvejZSxyUZk5FIhKe4PYExT1Lms2sMXZu)gHYGFRmJf8KlYfsArButqV4zkhSajAnvE0cN1dhkB5J36rlwDqT6tG4XqJ9GbY1BcCisT1GKCEy402TCeCHeE)PfDKBeMzJ0ZeWpnVEEYmciKtc9eCfdklIrEUefWMYDdX0IUIDyjQ7rvPghprHhdw(uFp1UPAmTraHyxqVAOcJBd1YFkOLI9xoBdmFP9n0UJVXtuzcCvVNIPPBznXmw6RaEoGg(i1((OkQeu9lp4BqFRQmS76NFd5oJ1LVT5o)((CzOsB03X2L6FIeLVw(v6Y09QAmFRfqw..7bce8d8ab16eaf8c1342a4a7b3e7b0100f58082dd49d8cc5d8ee528f161bb0ba579580015dce1747d454b545158b47f0bf4660f293adf3fc8392a86f498eec6ebb5fb6bc891e696987aef7d9d5282d9dce43729ac87a3515283b833b028bca48a5d5004842cd88bee068f495fbcb02ae4c493bc51dbb67811bb49852f498be64
11callback: geetest_1605984542722
12
13# Response
14geetest_1605984542722({"message": "success", "success": 0})
關鍵步驟
a、圖片還原
配合前序請求返回的c數組和圖片還原算法對被切割打亂的圖片進行還原。
b、缺口識別
計算x坐標可以參考我的另一篇文章《第三代驗證碼研究》https://www.cnblogs.com/boycelee/p/11363611.html
c、w參數
(gt, challenge, x坐標, 滑動軌跡, c參數, s參數, 版本)對稱加密 + 使用非對稱加密對“對稱加密密鑰”進行加密后的加密串
使用對稱加密對參數進行加密,再使用非對稱加密對密鑰進行加密
d、數據圖
此處加密結構實在是太過於冗余,所以用圖的方式更清晰
4、整體流程
三、成果展示
一旦驗證碼驗證通過就會返回validate。validate可以理解為通行令牌,該令牌會將環境檢測數據、行為數據以及風險結果等數據進行串聯,一般情況下如果成功獲取到validate參數,就預示着我們破解極驗驗證碼工作取得成功。
四、總結
總體來說,極驗驗證碼的整體設計不算復雜,但數據加密實在是太過於冗余復雜了。從設計角度上看中規中矩,環境數據收集 -> 環境檢測 -> 加強驗證/無感驗證 -> 再次數據收集(環境 + 行為)-> 完成驗證。相對而言我個人覺得頂象和瑞數的設計可能更有特點一些,在破解和對抗的難度上來講,它們也相對更難一些。
五、最后
本文配合其他文章一起服用效果更好,能更全面體會安全產品的設計。
(1)《第三代驗證碼研究》https://www.cnblogs.com/boycelee/p/11363611.html(推薦)
(2)《頂象驗證碼破解與研究》https://www.cnblogs.com/boycelee/p/14269941.html(推薦)
(3)《極驗驗證碼破解與研究》https://www.cnblogs.com/boycelee/p/14021048.html(推薦)
(4)《極驗無感驗證破解》https://www.cnblogs.com/boycelee/p/13951819.html
(5)《同盾小程序指紋破解》https://www.cnblogs.com/boycelee/category/1819211.html
本文不提供完整解決方案和完整數據,僅用於理論研究,維護網絡安全,人人有責。