(super simple) decoding the landing verification of Wenquan school

On the landing verification of Wenquan school

Write at the beginning

It's awkward to say
Yesterday morning, I just shared the detailed explanation of Jwt-HS256 encryption and decryption of Wenquan school. In the afternoon, the server was attacked by a malicious reptile.
console.log('I really didn't do it ')

Wenquan school reptile: details of Jwt-HS256 encryption and decryption

So Wenquan temporarily shut down the server, updated the anti climbing mechanism and went back online.
To tell you the truth, people's servers are all broken by playing, which is also very sad. So we launched the login verification in a hurry, and those who don't log on are not allowed to learn.


  1. This paper only deals with the available cookies to get the login status of Wenquan school, not the downloading and crawling of books;
  2. This article is only for learning and communication, not for commercial or illegal use, otherwise, all consequences shall be borne by the user.
  3. In case of infringement, please contact me by email.

Applications & dependencies

python 3.8
PostMan Canary
pip install requests


Skip login or simulated Login and access the resources we need.

  1. Check whether the login affects the access rights of resources;
  2. Analyze the login request and try to simulate the login;

Check whether login affects access rights of resources

Take an api from the website and try to request:

api_initRead = 'https://www.wqxuetang.com/v1/read/initread'
import requests

session = requests.session()
api_initRead = 'https://www.wqxuetang.com/v1/read/initread'
response = session.get(api_initRead)

{"data": [], "errcode": 3001, "errmsg": "please log in"}

Oh, it's over. The resources that can be requested in the past can only be seen after logging in.

Analyze login request and try to simulate login

Enter the official website of Wenquan school and log in as required:


Click to log in to jump to the login interface, select log in with password and enter the console to view the JS function corresponding to the login button:

See the login button respond to the post ﹣ login function.

Search the post ﹣ login function globally, and click to enter the function body:

By analyzing the function body, we can see that the post ﹣ login function performs the ajax request, we break the point at the end of the function and log in to see the specific link and parameter information.

Get request link

When the web page pauses at the breakpoint, you can see the request link and request parameters. It is found that the request link is spliced by / checklogin? And u[1], and the console outputs u[1]:


Splicing with baseUrl and / checklogin:


It is found that there is a text encoded by UrlEncode in the Url. After decoding UrlEncode:


api_checklogin = 'http://open.izhixue.cn/checklogin?response_type=code&client_id=wqxuetang&redirect_uri=https://www.wqxuetang.com/v1/login/callbackwq&scope=userinfo&state=https://lib-nuanxin.wqxuetang.com/#/'

At this point, the login request link has been successfully generated, which is named API "checklogin".

Get request parameters

The request parameter is the content of data, including two parts: accout and password. There is no doubt that it is the account and password. However, the landing parameters here are actually transmitted in plaintext, which is really a shock to gouma. Tsinghua always surprises us.

data = 'account=XXXXXXXXXXX&password=XXXXXXXXXXX'

Analysis of landing ideas

After obtaining the request link and request parameters, we use Postman to perform Post request and try to log in:

Tips: note that the POST request needs to set the corresponding content type, otherwise the request may fail!

You can see that the request is successful. The return value is a string of JSON, including code, message and data. You can see that the only valid field is data, which is also a URL information encoded by UrlEncode

After attempting to decode using UrlEncode:


Tips: the URL still has urlencode text after one decoding. The above content can be obtained after the second decoding.

At this point, the Callback link is generated successfully, which is named API "Callback".

api_callback = 'https://www.wqxuetang.com/v1/login/callbackwq?code=f3e9b5931b53764aeebd529a3d03fc5ed9ce9f33&state=https://lib-nuanxin.wqxuetang.com/#/'

After that, we continue to analyze JS and find that after the first successful request, we will call the windows.location.href function to request the URL:

It is concluded that the checklogin link will be requested first when logging in, the callback link will be returned after the authentication is successful, and then the browser will request the callback link and set the Cookie information returned by the callback to the browser.

Simulated login using Python

Directly on the code, the notes are very clear:

import urllib.parse
import requests

def login(account, password):
    api_checklogin = 'http://open.izhixue.cn/checklogin?response_type=code&client_id=wqxuetang&redirect_uri=https://www.wqxuetang.com/v1/login/callbackwq&scope=userinfo&state=https://lib-nuanxin.wqxuetang.com/#/'

    # Created a request Session
    session = requests.session()
    # Generate login parameters
    headers = {"Content-Type": 'application/x-www-form-urlencoded;charset=UTF-8'}
    data = 'account={}&password={}'.format(account, password)
    # Request for
    response_checklogin = session.post(api_checklogin, data=data, headers=headers)
    # Decode callback link
    api_callback = urllib.parse.unquote(response_checklogin.json()['data'])
    # Request a callback link and return the call to Cooike
    response_callback = session.get(api_callback, allow_redirects=False)
    return response_callback.cookies

def get_user(cookies):
    session = requests.session()
    api_login = 'https://www.wqxuetang.com/v1/login/checklogin'
    response = session.get(api_login, cookies=cookies)
    return response.text

if __name__ == '__main__':
    account = 'XXXXXXXX'
    password = 'XXXXXXXX'
    cookies = login(account, password)
    userInfo = get_user(cookies)


You can see that the login user information has been successfully returned.


It's quite simple.

Edited at Tues Feb 4 19:20:46 2020
Left element

Published 3 original articles, won praise 4, visited 920
Private letter follow

Tags: Session Python JSON Windows

Posted on Wed, 05 Feb 2020 07:09:09 -0500 by CKPD