jsRpc使用方法

2021-12-28

字数统计: 558字 | 阅读时长: 3分

文章导航

js逆向之远程调用(rpc)免去抠代码补环境

From:https://github.com/jxhczhl/JsRpc

1.粘贴js环境

打开JsEnv.js 复制粘贴到网站控制台(注意有时要放开断点)

function Hlclient(wsURL) {
    this.wsURL = wsURL;
    this.handlers = {};
    this.socket = {};

    if (!wsURL) {
        throw new Error('wsURL can not be empty!!')
    }
    this.connect()
};

Hlclient.prototype.connect = function () {
    console.log('begin of connect to wsURL: ' + this.wsURL);
    var _this = this;
    try {
        this.socket["ySocket"] = new WebSocket(this.wsURL);
        this.socket["ySocket"].onmessage = function (e) {
            console.log("send func", e.data);
            _this.handlerRequest(e.data);
        }
    } catch (e) {
        console.log("connection failed,reconnect after 10s");
        setTimeout(function () {
            _this.connect()
        }, 10000)
    }
    this.socket["ySocket"].onclose = function () {
        console.log("connection failed,reconnect after 10s");
        setTimeout(function () {
            _this.connect()
        }, 10000)
    }

};
Hlclient.prototype.send = function (msg) {
    this.socket["ySocket"].send(msg)
};

Hlclient.prototype.regAction = function (func_name, func) {
    if (typeof func_name !== 'string') {
        throw new Error("an func_name must be string");
    }
    if (typeof func !== 'function') {
        throw new Error("must be function");
    }
    console.log("register func_name: " + func_name);
    this.handlers[func_name] = func;
};

Hlclient.prototype.handlerRequest = function (requestJson) {
  var _this = this;
  var result=JSON.parse(requestJson);
  //console.log(result)
  if (!result['action']) {
        this.sendResult('','need request param {action}');
        return
}
    action=result["action"]
    var theHandler = this.handlers[action];
    if (!theHandler ||theHandler==undefined){
      this.sendResult(action,'action not found');
      return
    }
    try {
    if (!result["param"]){
      theHandler(function (response) {
        _this.sendResult(action, response);
      })
    }else{
      theHandler(function (response) {
        _this.sendResult(action, response);
      },result["param"])
    }
    
    } catch (e) {
        console.log("error: " + e);
        _this.sendResult(action+e);
    }
};

Hlclient.prototype.sendResult = function (action, e) {
    this.send(action + atob("aGxeX14") + e);
};

2.注入wss和方法

var demo = new Hlclient("wss://rpc.5uks.net:12443/ws?group=hhh&name=baidu");

demo.regAction("hello", function (resolve,param) {
      var c="好困啊"+param
        resolve(c);
    });

3.直接访问接口就能获得数据

https://rpc.5uks.net:12443/go?group=hhh&name=baidu&action=hello&param=yes

4.实战

练习网址aHR0cHM6Ly9reWZ3LjEyMzA2LmNuL290bi9yZXNvdXJjZXMvbG9naW4uaHRtbA==,获取密码加密的字符串。

复制JS环境，并在控制台执行。
先建WSS链接，并注入方法。

var demo = new Hlclient("wss://rpc.5uks.net:12443/ws?group=hhh&name=12306");
demo.regAction("getpwd",function(resolve, param) {
var c = '@' + encrypt_ecb(param.trim(), SM4_key);
console.log(c);
resolve(c);
});

调用https://rpc.5uks.net:12443/go?group=hhh&name=12306&action=getpwd&param=p123456,注：param就是明文密码.