NotionNext BLOG

Record a reverse engineering, intercept and tamper with the back-end response, and successfully schedule the physical examination

Fri, 21 Jul 2023 00:00:00 GMT

前情提要：因为出国留学需要在`杭州国际旅行卫生保健中心`小程序上预约体检。体检有两种选择，1、自费350元，2、拥有美国签证免费体检。免费的羊毛不薅白不薅，我就提交了美国签证的证明材料。一天之后审核通过了，于是打开预约的界面。可是谁曾想到，免费的体检已经约到了8月11日（而我在8月8日就已经启程去美国了），而付费的预约却每天都有名额…这不是明显的区别对待吗？？而且只有杭州这样搞，不能忍😡😡😡😡。开始想办法绕过这一个限制，试图约上最近的体检日期。Previously: Because of studying abroad, you need to make an appointment on the mini program of Hangzhou International Travel Health Care Center. There are two options for physical examination, 1, 350 yuan at your own expense, 2, free physical examination with a US visa. The free wool was not collected, so I submitted the proof of the United States visa. A day later, the review is approved, and the appointment screen is opened. But who would have thought that the free medical examination has been about August 11 (and I have left for the United States on August 8), and the paid appointment has a place every day... Isn't that a clear distinction? And only Hangzhou is doing this. 😡😡😡😡. Start looking for ways to get around this restriction, trying to schedule a recent medical exam date.

杭州国际旅行卫生保健中心 小程序可以在电脑端微信和浏览器打开。并且其后端接口没有加密（狂喜）。这意味着我们又多了一条破解的路可以走（劫持/伪造后端响应）。

Hangzhou International Travel Health Care Center mini program can be opened on the computer side of wechat and browser. And the back-end interface is not encrypted (ecstatic). This means we have one more way to hack (hijacking/faking backend responses).

修改前端HTML属性

Modify front-end HTML properties

首先尝试的肯定是最简单的，修改前端html以发送伪造的前端表单给后端。先尝试直接修改html的class类，将其篡改为可选中的日期。例如7月24日这天原本无法预约，我们打开浏览器`F12`开发者模式。仿照可选的日期将约满的属性修改成可约的class，修改成可点击。

The first attempt is certainly the easiest, modifying the front-end html to send a forged front-end form to the back-end. Try modifying the html class class directly first, changing it to a selectable date. For example, the day of July 24 could not be booked, we opened the browser 'F12' developer mode. Modify the full property to a reducible class based on the optional date, to be clickable.

但是不起效果，依旧无法选中7月24日这天。说明这套程序不是按照纯html设计的。

However, it did not work, and still could not select July 24. This program is not designed in pure html.

哪怕强行选中该日期，下面的预约时间段表单也不会触发js代码，导致下面的选择时间段界面无法跳出，同样无法点击确认按钮。

Even if the date is forcibly selected, the following booking period form will not trigger the js code, resulting in the following selection period interface can not jump out, also can not click the confirm button.

难道没有办法了吗？

Is there no way?

不晓得为什么选择时间段的菜单不会自动跳出来。即使我将可约日期的选择时间段的HTML代码复制下来拼凑到不可约日期下。照样无法选中该HTML的选择框。

I don't know why the menu for selecting a time period doesn't pop up automatically. Even though I copied down the HTML code for the selected time period of the reducible date and pieced it together under the irreducible date. You still can't check the selection box for the HTML.

后端突破

Back-end breakthrough

还记得我前面说的后端接口未加密吗？这很容易想到去F12的网络请求中看一下接口的响应。

对于每次刷新请求，前端会去发送两个请求，一个`0000050`一个`personal`。显然，对于预约名额的判断是从personal接口得出的。对于约满的日期，接口显示如下：

Remember what I said earlier about the back-end interface not being encrypted? It's easy to think about going to F12 for a network request and seeing how the interface responds.

For each refresh request, the front end sends two requests, one '0000050' and one 'personal'. Obviously, the judgment about the reservation quota is derived from the personal interface. For the expiration date, the interface displays the following:

对于未约满的日期，接口显示如下：

For unexpired dates, the interface displays the following:

很容易能看出来，`freeCount`是判断剩余名额的变量，`disabled`为1时，代表当日无法选中。periodList代表该日期的可选时间段，也就是前面无法跳出来的表单。

It is easy to see that 'freeCount' is the variable that determines the number of remaining seats, and 'disabled' is 1, which means that it cannot be selected on that day. periodList represents the optional time period for the date, which is the form that can't pop up before.

如何劫持并修改后端响应呢？

How do you hijack and modify the backend response?

这是一个对于前端来说可能会用到的方法，因为实际开发中，在后端未开发好的时候，为了调试前端。前端开发人员往往会用到一些工具来模拟后端的响应。然而我并没有实操过，而且后面也证实了并没有这么简单，仅仅通过手动篡改就能破解。

去Google了一下关于如何劫持修改后端请求响应的问题。发现有一些非常好用的工具和浏览器插件。尝试了几个

例如某网友编写的，js代码，可以方便的直接嵌入浏览器中使用。拦截到请求过后，可以直接在弹出的消息框中修改请求和响应的参数。

This is a method that may be used for the front end, because in actual development, when the back end is not well developed, in order to debug the front end. Front-end developers often use tools to simulate responses on the back end. However, I have not implemented it, and it has been confirmed that it is not so simple, and it can be cracked only by manual tampering.

Went to Google for a question about how to hijack the response to a modified backend request. Found some very useful tools and browser plugins. Tried a few

For example, js code written by a netizen can be easily embedded directly into the browser for use. After the request is intercepted, the parameters of the request and response can be modified directly in the pop-up message box.

(64条消息) 比fiddler简单，浏览器端的拦截方案，请求参数篡改，响应返回值篡改，请求和响应的拦截注入，请求前的二次确认_比fiddler好用的拦截工具_宁-苦中作乐才是人生巅峰的博客-CSDN博客

同时我也尝试了其他例如浏览器插件等工具。发现即使篡改成功了，也无法点击（依旧显示不可约）。

到这里我快要放弃了。。。。没想到这个系统设计的这么完美。猜测可能是对接口响应的时间有限制，只是手动篡改的话等修改完了就超时了。前端这个时候已经渲染好了，因为没有接收到后端的响应，前端所有日期都显示不可约了😂

I also tried other tools such as browser plugins. Found that even if the tampering was successful, it could not be clicked (still showing irreducibility).

I'm about to give up here... I didn't realize the system was so well designed. It may be that there is a limit on the response time of the interface, but the manual tampering will timeout after the modification. The front end has rendered at this point, and since no response was received from the back end, all dates appear irreducible 😂

Fiddler！一款抓包工具

Fiddler! A bag grab tool

网上搜索劫持的时候搜到了这款工具。发现自己电脑上之前好像装过这个软件。打开研究了一下。

因为是https协议，首先安装好该工具的https证书。之后过滤抓取解密这个后端接口流量。

It came up in an Internet search of the hijacking. I think I had this software installed on my computer. Opened it up and studied it.

Install the https certificate for the tool because the https protocol is used. After filtering, capture and decrypt the back-end interface traffic.

成功解密了。后面又发现了这个软件有个功能autoResponder。看了介绍写着`Fiddler can return previously generated responses instead of using the network`

这不正是我想要的功能吗？！！

Successfully decrypted. And then it turns out that this software has a function called autoResponder. It says' Fiddler can return previously generated responses instead of using the network '

Isn't that what I want? Daaaaaa!

这个AutoResponder简而言之就是可以设定自动拦截对应url的后端请求，并由Fiddler代理响应之前的请求。噔噔咚！自动响应！

我把之前请求的记录拖到AutoResponder里面，打开拦截。果然，Fiddler自动拦截了该请求！

The AutoResponder, in short, can be configured to automatically intercept back-end requests for the url and have the Fiddler agent respond to previous requests. Tramp, tramp, tramp! Automatic response!

I drag the record of the previous request into the AutoResponder and turn on intercept. Sure enough, Fiddler automatically intercepted the request!

现在就是最后一步，修改自动拦截的响应体！

Now is the final step, to modify the autointercept response body!

根据之前的规则，我改了7月24日这天的响应参数，设置了2个freeCount和periodList。并启用自动响应规则。

According to the previous rule, I changed the response parameter on July 24th and set 2 freeCount and periodList. And enable automatic response rules.

刷新界面，成功！7月24日这天成功选中，同时预约时间段也可以选择！

点击确认后，来到付款时间！缴费0元，很快就收到了预约成功的通知。！

Click to confirm, come to the payment time! Pay 0 yuan, soon received a successful appointment notice. !

白嫖的感觉真不错！再一次谴责杭州国际旅行卫生保健中心的区别对待付费和免费用户行为！

后端还是要加密！

White whoring feels so good! Once again, we condemn Hangzhou International Travel Health Care Center for discriminating between paid and free users!

The back end still needs to be encrypted!

openwrt openclash+smartDNS

Mon, 08 May 2023 00:00:00 GMT

A soft route tamper diary was recorded

China block the access to some aboard websites using The Great Firewall

🤔 new bing and chatGPT shunt

What is the problem and background?

Microsoft conducts business in China, so the default diversion rule is to connect bing.com directly instead of the agent, which will be redirected to cn.bing.com. In theory, add a shunt rule

Step 2 Get in the way

windows clash above to subscribe to the converted Microsoft rules to Taiwan node. However, on the soft route, I used the same steps to modify the node of Microsoft services and it did not take effect after...

Accidents, turns

While comparing clash for windows and openclash, I found that clash records the page where the connection was made. clash on local and soft routes is inconsistent. The local clash displays all domain names while the clash on soft routes displays all ip (and the routing rules are all missing)

📝 Resolve the pothole process

Apparently, the openclash link list is full of ip addresses and matches are all missing from the net. I searched the Internet for relevant information, and as expected, it was a dns problem. Because I disabled openclash's built-in dns service. Therefore, when accessing other domain names, clash will look for the local default dns server, namely smartdns I configured before, to find the target ip address, and clash will get the ip address after smartdns processing on behalf of SmartDNS.

This created a problem, clash couldn't get the domain name, and the connection list was full of ip addresses that didn't match any rules. This also shows that although I was able to go to google and youtube before, all the matching rules are missing the net. This may explain why my soft routing proxy is always very unstable.

ChatGPT transformed Web interaction

Thu, 13 Apr 2023 00:00:00 GMT

The current web application development model

The current model of Web application development is gradually being replaced by a model of front end separation. With the rapid development of front-end technology, more and more business logic is transferred to the front end, and the responsibilities of the back end are more focused on providing API interfaces and processing data. The emergence of this pattern makes front-end development more complex, but also provides better flexibility and maintainability.

Feasibility of chatGPT as middleware

chatgpt will then replace the front end and make interface requests according to the interface specification documentation provided by the back end, which has several advantages:

Simplified front-end development: the front-end only needs to do static page rendering (such as tables/images), and even chatgpt can replace the front-end to render some basic pages (such as basic latex formulas, markdown syntax)

It is possible to interact directly with the database in natural language After chatgpt tracks a project, the user's simple requirements can be completed directly with natural language input, such as basic CRUD business. And chatgpt only replaces the front end to request the background interface, the specific business logic as long as the back end is well verified should not have any big problems

For process tasks, process documents are required to be entered into chatgpt.

Clash DNS service analysis

Fri, 02 Jul 2021 00:00:00 GMT

公司内部有自己的dns服务器，clash开启系统代理后默认也开启了本地dns服务，导致部分公司内网网站无法访问。

在github/clash issue中看到解决办法，开启clash mixin模式，覆写掉clash默认配置文件，将dns enable设置为false即可解决问题。

> The company has its own dns server. After clash enabled the system proxy, the local dns service was also enabled by default. As a result, some Intranet websites of the company could not be accessed.

See the workaround in github/clash issue, enable clash mixin mode, override clash's default configuration file, and set dns enable to false to resolve the issue.

同时建议设置clash的时候可以开启DOT或者DOH，可以减小域名解析污染方面的问题。详见参考文章2

It is also recommended to enable DOT or DOH when setting clash, which can reduce the problem of domain name resolution pollution. See article 2 for details

参考文章

1、在 Clash 的 nameserver 里添加公司内网DNS后，部分公司内网域名无法解析 · Issue #495 · Dreamacro/clash (github.com)

2、使用 Clash DNS 分流解析与加密 DNS 防止 DNS 劫持 - xkww3n's site

致谢：

💡

有关Notion安装或者使用上的问题，欢迎您在底部评论区留言，一起交流~

MyBatis-Plus Paging Query

Wed, 22 Mar 2023 00:00:00 GMT

🤔 如何使用Mybatis-plus的分页查询插件

首先在pom.xml中添加Mybatis-plus的依赖

在Mapper接口中，继承BaseMapper，使用自带的分页方法

在Service层中，调用Mapper接口的分页方法

📝主旨内容

观点1

Mybatis-plus是一款非常方便实用的ORM框架，分页查询插件是其重要的特性之一。

观点2

使用Mybatis-plus的分页查询插件，可以轻松地实现分页查询，避免手动编写SQL语句的繁琐。

🤗总结归纳

Mybatis-plus的分页查询插件是一款方便实用的工具，能够极大地提高开发效率。

参考文章

MyBatis-Plus (baomidou.com)

MyBatis-Plus实战教程

USC Deposit Bug

Tue, 02 May 2023 00:00:00 GMT

方法一：中国时间已经5月2日，显示deadline过期。因为项目选择必选项选择框是灰色的，选不了。这时候只要F12检查网页元素找到这个选择框的属性`disabled`然后删除这个属性即可勾选该选择框。选择之后，下一步支付的界面就可以进入了。说明USC只做了前端是否超出时间→能否勾选表单选择框的校验，后台并没有对当前时间做验证（大概率，需要验证）。理论上来说，任何时间哪怕过了占位费ddl很久之后都可以进入下一步交钱。

Method 1: It's already May 2nd in China, and the deadline is shown as expired. Because the required selection box for project selection is grayed out and cannot be selected. At this time, you only need to inspect the webpage elements by pressing F12 and find the attribute disabled of this selection box, then delete this attribute to enable the selection box. After selecting, you can proceed to the payment page. This indicates that USC only performs front-end validation to check whether the deadline has passed and whether the form selection box can be checked, but the back-end does not validate the current time (most likely, validation is needed). In theory, at any time, even long after the deadline for paying the deposit, you can proceed to the next step of payment.

选择该元素属性，删掉

Choose the element attribute and delete it

你现在即可勾选选择框

You can now check the checkbox.

点击下一步交费

Click on the next step to make a payment.

方法二：改时区（仅限于太平洋时间UTC-12 还在DDL当日），改成时间仍为DDL内的时间，网页会获取系统时间来判定是否勾选项目进入下一步流程。（亲测用此方法成功交费）

Method 2: Change time zone (only applicable if Pacific Time UTC-12 is still on the deadline day) to a time that is still within the deadline. The webpage will check the system time to determine whether to proceed to the next step. (Tested and successfully paid using this method)