Backstory: to study abroad I needed to book a medical examination through the `杭州国际旅行卫生保健中心` (Hangzhou International Travel Health Care Center) mini program. There are two options: 1. pay 350 yuan, or 2. a free examination if you hold a US visa. A freebie you don't grab is a freebie wasted, so I submitted my US visa as proof. The review passed a day later and I opened the booking screen. Who would have thought: the free examinations were booked up until August 11 (and I leave for the US on August 8), while the paid option had places available every single day... Isn't that blatant differential treatment?? And only Hangzhou does it this way; I couldn't stand it 😡😡😡😡. So I started looking for a way around the restriction and tried to book the earliest possible examination date.
The Hangzhou International Travel Health Care Center mini program can also be opened in desktop WeChat and in an ordinary browser, and its backend API is not encrypted at the application layer: it exchanges plain JSON with no request signing or response encryption on top of HTTPS (joy). That gives us one more avenue of attack: hijacking or forging the backend responses.
notion image

Modifying the front-end HTML attributes

The first thing to try is naturally the simplest: edit the front-end HTML so that it submits a forged form to the backend. Start by editing the HTML class directly, turning a fully booked day into a selectable one. For example, July 24 could not be booked, so open the browser's `F12` developer tools, copy the attributes of a bookable day onto the fully booked one, and make it clickable.
notion image
It had no effect; July 24 still could not be selected. So this app is not built from plain HTML.
Even when the date is forcibly selected, the time-slot form underneath does not trigger its JavaScript, so the slot-selection panel never appears and the confirm button cannot be clicked either.
notion image

Is there really no way?

I don't know why the time-slot menu does not appear automatically. Even after copying the time-slot HTML from a bookable date and pasting it under the unbookable one, the options in that HTML still could not be selected. The likely reason is that the page is rendered from JavaScript state (the mini program's data model) and the DOM is only a projection of it: the click handlers consult that state, not the class names, so edits to the DOM change nothing.

Breaking through on the backend

Remember what I said earlier about the backend API not being encrypted? The obvious next step is to look at the API responses in the F12 Network tab.
On every refresh the front end sends two requests, one to `0000050` and one to `personal`. The booking availability clearly comes from the `personal` response. For a fully booked date the response looks like this:
notion image
For a date that still has places, the response looks like this:
notion image
It is easy to see that `freeCount` holds the number of remaining places, `disabled` set to 1 means the day cannot be selected, and `periodList` is the list of bookable time slots for that date, i.e. the form that refused to appear earlier.

How to hijack and modify the backend response?

This is a technique front-end developers use in practice: while the backend is still being built, they mock its responses with tooling in order to debug the front end. I had never done it myself, and it later turned out not to be as simple as tampering by hand.
I googled how to intercept and modify backend responses and found some very handy tools and browser extensions, and tried a few.
For example, a JavaScript snippet written by a netizen that can be pasted straight into the browser; once a request is intercepted, its request and response parameters can be edited in a pop-up dialog.
notion image
I also tried other tools such as browser extensions. Even when the tampering succeeded, the date still could not be clicked (it was still shown as unavailable).
At this point I was close to giving up... I hadn't expected the system to be designed this well. My guess is that there is a time limit on the API response: by the time I finished editing by hand, the request had already timed out. The front end had rendered without ever receiving the backend response, so every date was shown as unavailable 😂

Fiddler! A packet-capture tool

I came across this tool while searching for interception techniques, and it turned out I already had it installed on my machine. I opened it and took a look.
Since the API is served over HTTPS, the first step is to install Fiddler's root certificate into the system's trusted store so that it can decrypt TLS; then filter the capture down to the backend API traffic.
notion image
Decryption worked. Then I found that Fiddler has a feature called AutoResponder, whose description reads `Fiddler can return previously generated responses instead of using the network`.
Isn't that exactly what I wanted?!!
notion image
In short, AutoResponder lets you define a rule that intercepts requests to a given URL and has Fiddler answer them with a previously captured response instead of forwarding them to the network. Ta-da! Automatic responses!
I dragged the earlier captured request into AutoResponder and enabled interception. Sure enough, Fiddler intercepted the request!

Now the final step: edit the body of the auto-response!

Following the field meanings worked out above, I edited the two fields `freeCount` and `periodList` in the response for July 24 and enabled the auto-response rule.
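To make the manual Fiddler edit above reproducible, and to pin down the field semantics from the `personal` response discussed earlier, here is an added example that is not code from the original post or from the mini program: a mitmproxy addon that rewrites the `personal` response automatically the moment it arrives. The JSON layout (a top-level `data` list of per-day objects with a `date` key), the `/personal` path, the year in the dates, and the `mitmdump -s` invocation are all assumptions; the post only names the fields `freeCount`, `disabled` and `periodList`.

```python
"""Rewrite the `personal` availability response so a disabled day becomes bookable.

Added example, not code from the original post. The JSON shape (a "data"
list of per-day objects keyed by "date") and the URL path are assumptions;
the post only shows the three fields freeCount, disabled and periodList.
"""
import copy
import json
from urllib.parse import urlparse

TARGET_DATE = "2023-07-24"  # the day to unlock; the year is a guess

# Constructed sample of what the `personal` endpoint might return:
# one fully booked day (disabled, no slots) and one bookable day.
SAMPLE_RESPONSE = json.dumps({
    "code": 0,
    "data": [
        {"date": "2023-07-24", "freeCount": 0, "disabled": 1, "periodList": []},
        {"date": "2023-08-11", "freeCount": 3, "disabled": 0,
         "periodList": [{"id": 1, "period": "08:00-09:00"},
                        {"id": 2, "period": "09:00-10:00"}]},
    ],
})


def load_sample():
    """Parsed copy of SAMPLE_RESPONSE (a fresh object on every call)."""
    return json.loads(SAMPLE_RESPONSE)


def should_rewrite(url):
    """Touch only the availability endpoint; `0000050` and everything else
    pass through unchanged. The `/personal` path suffix is an assumption."""
    return urlparse(url).path.rstrip("/").endswith("/personal")


def find_day(payload, date):
    """Return the per-day object for `date`, or None if it is absent."""
    for day in payload.get("data", []):
        if day.get("date") == date:
            return day
    return None


def unlock_date(payload, target_date, free_count=2):
    """Return a rewritten copy of `payload` in which target_date is bookable.

    freeCount > 0 and disabled == 0 make the day selectable; an empty
    periodList would leave the time-slot form blank, so slots are cloned
    from the first day that has some. Raises ValueError if the day or a
    slot template is missing rather than emitting a half-broken day.
    """
    out = copy.deepcopy(payload)
    day = find_day(out, target_date)
    if day is None:
        raise ValueError(f"{target_date} not present in response")
    if not day.get("periodList"):
        template = next((d for d in out["data"] if d.get("periodList")), None)
        if template is None:
            raise ValueError("no day with a periodList to copy slots from")
        day["periodList"] = copy.deepcopy(template["periodList"])
    day["freeCount"] = free_count
    day["disabled"] = 0
    return out


def response(flow):
    """mitmproxy hook (assumption: run as `mitmdump -s rewrite_personal.py`
    with the proxy CA trusted by the client, as with Fiddler's root cert)."""
    if not should_rewrite(flow.request.pretty_url):
        return
    try:
        payload = json.loads(flow.response.text)
        flow.response.text = json.dumps(
            unlock_date(payload, TARGET_DATE), ensure_ascii=False)
    except (ValueError, TypeError):
        pass  # not JSON, empty body, or target day absent: leave it alone


if __name__ == "__main__":
    print(json.dumps(unlock_date(load_sample(), TARGET_DATE), indent=2))
```

Because the proxy answers as soon as the real response arrives, the client never waits on a human editing the body, which is the timeout problem the browser-side tools ran into above. The flip side is the defensive lesson: anything the app can read, a client-controlled proxy can read and rewrite, so the quota has to be re-checked on the server when the booking request is submitted, not only when the calendar is rendered.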
notion image
Refresh the page: success! July 24 became selectable, and the time slots could be chosen as well!
notion image
After clicking confirm, on to payment: 0 yuan, and the booking confirmation arrived shortly afterwards!
notion image
Getting it for free feels great! Once again, shame on Hangzhou International Travel Health Care Center for treating paying and free users differently!
The backend still needs to be hardened! The booking endpoint accepted a date that its own availability endpoint had reported as `disabled`, so the quota was only ever enforced in the client. Encrypting or signing the JSON would not fix that: a client that trusts its own proxy CA (which is exactly what installing Fiddler's certificate does) can still read and rewrite anything the app can. The availability check has to be repeated on the server when the booking request arrives.