Skip to content

Instantly share code, notes, and snippets.

@zeroday0619

zeroday0619/WKU_courseRegistration.md

Last active February 10, 2025 13:32
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save zeroday0619/b34215113b7aa5666ee1b537bcf6db2b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save zeroday0619/b34215113b7aa5666ee1b537bcf6db2b to your computer and use it in GitHub Desktop.
Download ZIP
원광대학교 수강신청 시스템 분석
Raw
login.py
import os
import base64
import httpx
import re
from fake_useragent import UserAgent
from Crypto.Random import get_random_bytes
from Crypto.Protocol.KDF import PBKDF2
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
class AesUtil:
def __init__(self):
self.user_agent = UserAgent().random
self.keySize = int(128 / 8)
self.iterationCount = 1000
self.headers = {
"User-Agent": self.user_agent,
}
def get_password(self):
resp = httpx.get("http://course.wku.ac.kr/ULecture/login.jsp", headers=self.headers)
regex = re.compile(r'[0-9]{22}')
listed = regex.findall(resp.text)[0]
return [listed, listed[:13], resp.cookies]
def generateKey(self, salt, passPhrase: str):
key = PBKDF2(
password=passPhrase.encode('utf-8'),
salt=salt,
dkLen=self.keySize,
count=self.iterationCount
)
return key
def encrypt(self, salt, iv: str, password, plainText: str):
print(plainText)
key = self.generateKey(salt, password)
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
padder = padding.PKCS7(algorithms.AES.block_size).padder()
padded_data = padder.update(plainText.encode('utf-8')) + padder.finalize()
chipper_text = encryptor.update(padded_data) + encryptor.finalize()
encrypted_data = base64.b64encode(chipper_text).decode('utf-8')
return encrypted_data
if __name__ == '__main__':
iv = get_random_bytes(int(128/8))
salt = get_random_bytes(int(128/8))
AESEngine = AesUtil()
passwords = AESEngine.get_password()
ID = AESEngine.encrypt(salt, iv, passwords[0], os.environ.get('WKU_ID'))
PW = AESEngine.encrypt(salt, iv, passwords[0], os.environ.get('WKU_PW'))
res = 'I`' + iv.hex() + '`' + salt.hex() + '`' + ID + '`' + PW + f'`{passwords[1]}`'
print(res)
resp = httpx.post("http://course.wku.ac.kr/ULecture/User/Login/login.jsp", headers=AESEngine.headers, data={'dummystring': res}, cookies=passwords[2])
print(resp.text)
Raw
WKU_courseRegistration.md

원광대학교 수강신청 시스템 분석

일부 참고 (넷퍼널) 자료 https://gist.github.com/HelloWorld017/2f4e43dac04998f91a1d21339d9d3fb9

NetFunnel

GET http://123.108.19.10/ts.wseq

Global Params:

  • opcode: 실행할 명령어 코드
  • nfid: 0
  • prefix: Response 맨 앞에 붙음
  • js: yes
  • 1660623187043 (timestemp)

Opcode Table:

opcode 이름
5101 getTidChkEnter
5002 chkEnter
5003 aliveNotice
5004 setComplete

System Login

코드 분석

var tform = document.trlogin;
tform.dummystring.value = 'I`' + iv + '`' + salt + '`' + id + '`' + pw + '`1707368498341`';

tform.action='http://course.wku.ac.kr/ULecture/User/Login/login.jsp';
tform.target='ACTION_FRAME';
tform.submit();

POST http://course.wku.ac.kr/ULecture/User/Login/login.jsp

dummystring은 첨부된 login.py로 생성 가능

Body:

  • dummystring: 'I`' + iv + '`' + salt + '`' + id + '`' + pw + '`1707368498341`';

courseRegistration

POST http://course.wku.ac.kr/ULecture/Stud/Sugang/Insert/insertPre.jsp

Body:

  • studentNo: 학번
  • codeLesson: 학수번호
  • classNo: 학년
  • reloadTarget: "PRELECTURE"
  • course_stamp: "1660867644893" <maybe unix timestemp?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment