Automated health check-in for Huanghuai University


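Tutorial

Capturing traffic from a real phone is fairly simple; for the setup, just follow this tutorial: https://juejin.cn/post/6976686129672257550
Add a filter in Fiddler, otherwise there are too many packets to read comfortably.

Then start the check-in on the phone: open the health check-in page but don't tap submit yet. In Fiddler, click the capture control in the bottom-left corner so that packets are not forwarded automatically; one click turns it red, and that is enough.

Then tap submit. The first packet looks like the one below; let it through by clicking the green button underneath. The health check-in packet captured next looks like the second picture; don't click the green button for this one, save it.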


The packet looks something like this:

POST https://yq.huanghuai.edu.cn:7992/questionAndAnser/wenjuanSubmit HTTP/1.1
Host: yq.huanghuai.edu.cn:7992
Connection: keep-alive
Content-Length: 824
Accept: application/json, text/plain, */*
x-auth-token: 
User-Agent: Mozilla/5.0 (Linux; Android 12; M2012K11AC Build/SKQ1.220201.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/96.0.4664.104 Mobile Safari/537.36 SuperApp
Content-Type: application/x-www-form-urlencoded
Origin: https://yk.huanghuai.edu.cn:8993
X-Requested-With: com.lantu.MobileCampus.huanghuai
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://yk.huanghuai.edu.cn:8993/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: 

content=

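Then comes the fun part, writing the script. It is still hosted on GitHub: https://github.com/yq1ng/healthCheck-in
Download it to a VPS and set up a scheduled task. The command is crontab -e; move the cursor to the end, press i, and add the following: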

59 9 * * * /usr/bin/python3 /opt/healthCheck-in/getToken.py
59 9 * * * /usr/bin/python3 /opt/healthCheck-in/getSession.py
00 10 * * * /usr/bin/python3 /opt/healthCheck-in/healthCheck-in.py>>/tmp/healthCheck-in.log 2>&1&

Then install sendmail so that the script can send email. References:
https://blog.mimvp.com/article/26872.html
https://blog.csdn.net/SUDDEV/article/details/100056083
http://www.hellokvm.com/?p=426

Everything below can be skipped; it is the old version and not of much use.


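0x00 Preface

A record of an automated health check-in script written on a boring afternoon. The script is for Huanghuai University and works out of the box after minor configuration changes.

I forgot to check in a few days ago, so with nothing to do this afternoon I tried writing a script to solve it once and for all.

Put the following three scripts in: /opt/healthCheck-in/

Then run the first one; the script is named getToken.py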

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: yq1ng
# @Date:   2021-03-27 14:20:49
# @Last Modified by:   yq1ng

import requests

def getToken():
    """
        Get the user's idToken
    """

    # Prepare the request data
    url = 'https://token.huanghuai.edu.cn/password/passwordLogin'
    data = {
        'username':'',# account name
        'password':'',# password
        'appId':'com.lantu.MobileCampus.huanghuai',
        'geo':'',
        # deviceId candidates:
        #   Cnc21GOk0UN7y2RvzOfjG6hr
        #   Ddc97bdlm3uBkgwxMrcTp8oU
        #   m4MDqJ3dVmCLAJTHgzPeGB6c
        #   Iff2YSxzsjXG2TqyiPdR1RAc
        #   t0R7zgvjMTVx3lDn43BTVCDK
        #   9o2D3PHYp1GzOMmOlyABmplA
        #   xLMhT6gSWyRO4Qonm3TdlWit
        #   jOvOWHCMCFKJKzw7E4n4flOe
        #   7CtVZdJzPitq99RkIGYkdmaE
        #   wIP1j8DEubR1obMcw7h1TQq7
        'deviceId':'', # pick one of the values listed above
        'osType':'android',
        # clientId candidates:
        #   xo6Ila3AqJs9VDQEOHFhObNeItJI00Ao
        #   fpCg0WG5J0qmF1ML0nfFpHXTtEwYzGVp
        #   rBIWcgAdhCl3YuB1rwod9YIrRs1O0TxJ
        #   wgqInz615IhPoSvdJnDka3NEMaj7H3x8
        #   4pOcPyxWFEsC2sTcuiIYuNZ7RQwju5JT
        #   IgIfXPBZMvNBvIWfK3NDsJfC09vzzDVo
        #   4qQQLkDhbCBK6NepdLtarG2NTQtTgUi1
        #   AO7EG9lKTwca1yY34RkgtNrpcHSqhKZk
        #   4eULQFWLDDQfGKNpLP8hh11tGx8KbQtO
        #   3Hk2qYEuzRZ52KVuIktIP1G7FFffXExR
        'clientId':'' # same as above
    }
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36',
        'Content-Type':'application/x-www-form-urlencoded',
        'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Accept-Encoding':'gzip, deflate',
        'Accept-Language':'zh-CN,zh;q=0.9'
    }

    #  Send the request and read the response
    req = requests.post(url, headers=headers, data=data)
    print(req.text)

    #  Extract the idToken (string slicing that depends on the exact layout of the JSON response)
    idToken = req.text[17:-1].split(':')[2].split(',')[0][1:-1]

    #  Save the token
    saveidToken(idToken)

def saveidToken(idToken):
    """
        Save the idToken
    """
    with open('/opt/healthCheck-in/cookies.txt','w') as fp:
        fp.write(idToken)

if __name__=="__main__":
    getToken()

Then run the second one, getSession.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: yq1ng
# @Date:   2021-03-27 15:42:09
# @Last Modified by:   yq1ng

import sys

import requests

def readCookies():
    """
        Read the cookie (idToken) from the local file
    """

    #  Open the file
    with open('/opt/healthCheck-in/cookies.txt', 'r') as fp:
        idToken = fp.read()
    getSession(idToken)


def getSession(idToken):
    """
        Get the page URL that carries the user's unique token
    """

    #  Prepare the request data
    url = 'https://yq.huanghuai.edu.cn:7992/cas/studentLogin'
    headers = {
        'Upgrade-Insecure-Requests':'1',
        'User-Agent':'Mozilla/5.0 (Linux; Android 5.1.1; MI 9 Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0.3729.136 Mobile Safari/537.36 SuperApp',
        'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'x-id-token':'',
        'Accept-Encoding':'gzip, deflate',
        'Accept-Language':'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7',
        'X-Requested-With':'com.lantu.MobileCampus.huanghuai'
    }
    cookies = {
        'userToken':'',
        'Domain':'.huanghuai.edu.cn',
        'Path':'/'
    }

    #  Set the parameters
    headers['x-id-token'] = idToken
    cookies['userToken'] = idToken

    #  Request the session without following the 302 redirect
    req = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
    saveSession(req.headers['Location'])

def saveSession(Location):
    """
        Save the session
    """
    try:
        with open('/opt/healthCheck-in/Location.txt', 'w') as fp:
            fp.write(Location)
    except Exception:
        sys.exit(1)

def main():
    readCookies()

if __name__ == '__main__':
    main()

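Then look at the link generated by the second script: cat Location.txt. It looks like: https://yk.huanghuai.edu.cn:8993?type=app&token=(a random string)

Then press F12, then F1 (Edge browser)

Search for the location you want on https://lbs.amap.com/tools/picker and enter its longitude and latitude

Then follow the steps shown in the screenshot

Refresh; the location has now changed. Reopen F12, click Network, then submit the data, note down the form data, and update the third script

healthCheck-in.py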

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: yq1ng
# @Date:   2021-03-27 15:04:12
# @Last Modified by:   yq1ng

import requests
import base64
import os

def ProcessingParameters():
    """
        Prepare the parameters needed by the health check-in function
    """

    #  get Referer
    with open('/opt/healthCheck-in/Location.txt', 'r') as fp:
        Referer = fp.read()

    #  get xAuthToken
    xAuthToken = Referer.split('=')[-1]

    #  get Session
    Session = base64.b64encode(xAuthToken.encode()).decode()

    #  get idToken
    with open('/opt/healthCheck-in/cookies.txt', 'r') as fp:
        idToken = fp.read()

    healthCheckIn(xAuthToken, Referer, Session, idToken)


def healthCheckIn(xAuthToken, Referer, Session, userToken):
    """
        Health check-in
    """

    #  Prepare the request data
    url = 'https://yq.huanghuai.edu.cn:7992/questionAndAnser/wenjuanSubmit'
    data = {
        'content':'' # fill in the form data recorded above
    }
    headers = {
        'Host':'yq.huanghuai.edu.cn:7992',
        'Accept':'application/json, text/plain, */*',
        'x-auth-token':'',
        'User-Agent':'Mozilla/5.0 (Linux; Android 5.1.1; MI 9 Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0.3729.136 Mobile Safari/537.36 SuperApp',
        'Origin':'https://yk.huanghuai.edu.cn:8993',
        'Referer':'',
        'Content-Type':'application/x-www-form-urlencoded',
        'Accept-Encoding':'gzip, deflate',
        'Accept-Language':'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7',
    }
    cookies = {
        'userToken':'',
        'Domain':'.huanghuai.edu.cn',
        'Path':'/',
        'SESSION':''
    }

    #  Set the parameters
    headers['x-auth-token'] = xAuthToken
    headers['Referer'] = Referer
    cookies['userToken'] = userToken
    cookies['SESSION'] = Session

    #  Send the check-in data (the variant with cookies is left disabled)
    #  req = requests.post(url, headers=headers, cookies=cookies, data=data)
    req = requests.post(url=url, headers=headers, data=data)
    print(req.text)
    #  Optional email notification, disabled by default:
    #  if "20000" in req.text:
    #      os.system('echo "今日打卡成功啦!     --会下雪的晴天" | mail -v -s "健康打卡" *\@qq.com')

def main():
    ProcessingParameters()

if __name__ == '__main__':
    main()

Done. Next comes the scheduled task: run crontab -e and copy the following as is

30 7 1,20 * *  /usr/local/bin/python3 /opt/healthCheck-in/getToken.py
50 7 * * *  /usr/local/bin/python3 /opt/healthCheck-in/getSession.py
00 8 * * *  /usr/local/bin/python3 /opt/healthCheck-in/healthCheck-in.py>>/tmp/healthCheck-in.log 2>&1&

No need to read what is below; I was too lazy to delete it


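0x01 Tools required

  • fiddler
  • Nox emulator (夜神模拟器)
  • 云上黄淮 app

0x02 Packet capture & analysis

Capture from the login screen all the way to the end of the check-in. For the location, use a virtual-location tool and pick any spot; I used Building 1 in the north campus.

The login request sends the username and password in cleartext. Fine! The response is JSON, and the idToken in it is a JWT whose algorithm is RS512, i.e. RSA with SHA-512, so cracking it is practically impossible. I didn't try; if you're bored you can try brute-forcing it. The JWT carries an expiry timestamp; I checked and it is valid for one month, which is fine. I replayed it in Burp to test and it worked. The response also returns the device id and operating system, which don't matter.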
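The idToken inspection described above, as an added example that is not part of the original post: it decodes a JWT without verifying its signature and reports the algorithm and remaining lifetime, which is how the one-month validity can be confirmed before a stored token is reused. The sample token, its claims (`sub`, `iat`, `exp`) and the function names are assumptions constructed for illustration; the real token's claim set is not shown on this page.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token, now=None):
    """Decode (NOT verify) a compact JWT and report algorithm and lifetime."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    return {
        "alg": header.get("alg"),
        "expires_at": exp,
        # Total validity window, only known when both claims are present.
        "lifetime_days": None if exp is None or iat is None else (exp - iat) / 86400,
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else max(0, exp - now),
    }

def _b64url(obj):
    # Helper used only to build the constructed sample below.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token (hypothetical claims, placeholder signature):
# RS512 header, issued at SAMPLE_IAT, valid for 30 days.
SAMPLE_IAT = 1616832000
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS512", "typ": "JWT"}),
    _b64url({"sub": "student-placeholder", "iat": SAMPLE_IAT,
             "exp": SAMPLE_IAT + 30 * 86400}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])

if __name__ == "__main__":
    # One day after issue: 29 days of validity remain.
    print(inspect_jwt(SAMPLE_TOKEN, now=SAMPLE_IAT + 86400))
```

Decoding only reads the claims; anyone holding the file the token is saved in can do the same and can replay the token until `exp`, so the saved file deserves the same protection as the password.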

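Next, the app fetches the previous check-in record, which holds all the check-in details; it is not useful.

Further down is the check-in submission itself (the location request can be skipped). It is submitted via POST. While writing the script I noticed a header, x-auth-token, whose origin was unclear. Tracing back packet by packet, I found a request that calls an API with the idToken; this API issues the session, which is the x-auth-token we need. That makes it simple, so on to the script.

Request the session-issuing page with your own idToken; it returns a unique id, and visiting it directly shows that it is already the check-in page.

Finally, the cookies and POST data are sent to https://yq.huanghuai.edu.cn:7992/questionAndAnser/wenjuanSubmit, and the check-in is done.

The script has been uploaded to GitHub (link). My coding skills are not great and I can't be bothered to optimise it; it works, and that is enough.

0x03 Usage

Script address: https://github.com/yq1ng/healthCheck-in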

You need a VPS with Python 3.x installed. CentOS ships with Python 2, so follow the steps below.

First install the EPEL repository:

yum -y install epel-release

Then install python-pip

yum -y install python-pip

Then install Python 3

wget https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tgz
tar -zxvf Python-3.6.2.tgz
cd Python-3.6.2/
./configure --prefix=/usr/local
make
make install

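Verify

Install the script's runtime dependency: pip3 install requests

If you also want the email notification service, read on below; if not, delete import os and the two lines shown in the picture from healthCheck-in.py

Put the downloaded scripts in any directory (I strongly recommend using the same one as mine, /opt/healthCheck-in/, otherwise you have more to change). If yours differs, update the file paths opened in all three files yourself (use absolute paths!). Then write a scheduled task; mine is as follows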

30 7 1,20 * *  /usr/local/bin/python3 /opt/healthCheck-in/getToken.py
50 7 * * *  /usr/local/bin/python3 /opt/healthCheck-in/getSession.py
00 8 * * *  /usr/local/bin/python3 /opt/healthCheck-in/healthCheck-in.py>/tmp/healthCheck-in.log 2>&1&

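Run crontab -u root -e to open the editor and paste my configuration in directly

Edit the configuration following the comments in getToken.py and healthCheck-in.py. Generate the device id and client id on this site: https://www.345tool.com/zh-hans/generator/random-id-generator

deviceId is 24 characters, generated like this (0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ)

clientId is 32 characters, like this

Run the first two files once more to make sure that the two files cookies.txt and Location.txt are generated; after that you can leave it alone. Woohoo~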

/usr/local/bin/python3 /opt/healthCheck-in/getToken.py
/usr/local/bin/python3 /opt/healthCheck-in/getSession.py

Sending email

Send an email reminder to your own QQ mailbox after every check-in

yum -y install sendmail* mailx

vim /etc/mail.rc

Append at the end

set from=xxx@mimvp.com
set smtp=smtp.exmail.qq.com
set smtp-auth-user=xxx@mimvp.com
# QQ Mail authorization code
set smtp-auth-password=mimvp-password
set smtp-auth=login

For more detail see the links below. Good luck~

Reference links

https://blog.mimvp.com/article/26872.html

https://blog.csdn.net/SUDDEV/article/details/100056083

http://www.hellokvm.com/?p=426

https://my.oschina.net/leeyisoft/blog/1510870

https://blog.csdn.net/SHENLINGSUIFENG/article/details/50888061?utm_medium=distribute.pc_relevant_t0.none-task-blog-BlogCommendFromMachineLearnPai2-1.baidujs&dist_request_id=1328740.14468.16168436693395835&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-BlogCommendFromMachineLearnPai2-1.baidujs


Author: yq1ng
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit yq1ng when reposting!