我目前正试图从retailmenot.com上搜刮我的代码:
import requests
from collections import OrderedDict
s = requests.session()
s.headers = OrderedDict()
s.headers["Connection"] = "close"
s.headers["Upgrade-Insecure-Requests"] = "1"
s.headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"
s.headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
s.headers["Sec-Fetch-Site"] = "none"
s.headers["Sec-Fetch-Mode"] = "navigate"
s.headers["Sec-Fetch-Dest"] = "document"
s.headers["Accept-Encoding"] = "gzip, deflate"
s.headers["Accept-Language"] = "en-GB,en-US;q=0.9,en;q=0.8"
s.get("https://www.retailmenot.com/sitemap/A")
当我使用这段代码时,我立即被重定向到CloudFlare页面。也就是说,每当我通过Burpusuite传递流量时,用下面这行代码替换我的最后一行代码:
s.get("https://www.retailmenot.com/sitemap/A", proxies = {"https":"https://127.0.0.1:8080"}, verify ="/Users/Downloads/cacert (1).pem")
我直接进入网站。我觉得这有点奇怪,想知道是否有人可以向我解释为什么会发生这种情况,以及是否有一种方法可以通过使用不同的证书获得类似的结果(为了使用BurpSuite证书,我需要保持应用程序打开)。非常感谢
Tags:
代码httpsimageimportcomapplicationxmlsecfetchrequestsenheadersordereddictacceptretailmenot1条回答
网友
1楼 ·
发布于 2023-03-07 00:10:17
看起来问题在于底层客户端TLS行为
我有一个使用OpenSSL 1.1.1b的较旧版本的Python,还有一个使用OpenSSL 1.1.1f的较新版本。它在第一个版本中失败,但在第二个版本中有效。这也解释了为什么它与打嗝一起工作:它使用了稍微不同的TLS行为
我试图找出问题所在:让非工作版本使用工作版本的密码不会有帮助。另一个主要区别是受支持的签名算法。事实上,使用上述openssl 1.1.1b(但也使用Anaconda Python附带的较新版本),差异可以减少到sigalgs:
$ openssl s_client -connect www.retailmenot.com:443 -crlf
...[various output]...
<paste the expected HTTP request>
...
HTTP/1.1 403 Forbidden
$ openssl s_client -connect www.retailmenot.com:443 -crlf -sigalgs 'ECDSA+SHA256'
...[various output]...
<paste the expected HTTP request>
...
HTTP/1.1 200 OK
不幸的是,我无法在Python请求中直接在TLS堆栈中设置签名算法。API没有公开,它只是使用默认值,因此失败或成功取决于OpenSSL的构建方式
但似乎可以通过指定不同的安全级别间接设置该值:
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context
CIPHERS = ('DEFAULT:@SECLEVEL=2')
class CipherAdapter(HTTPAdapter):
def init_poolmanager(self, *args, **kwargs):
context = create_urllib3_context(ciphers=CIPHERS)
kwargs['ssl_context'] = context
return super(CipherAdapter, self).init_poolmanager(*args, **kwargs)
def proxy_manager_for(self, *args, **kwargs):
context = create_urllib3_context(ciphers=CIPHERS)
kwargs['ssl_context'] = context
return super(CipherAdapter, self).proxy_manager_for(*args, **kwargs)
s = requests.session()
s.mount('https://www.retailmenot.com/', CipherAdapter())
...
print(s.get("https://www.retailmenot.com/sitemap/A"))
这与特定的头设置一起,导致我在<Response [200]>中进行测试,而对于相同的Python版本,并且没有更改的安全级别,则导致<Response [403]>
I just like the helpful information you provide in your articles
My brother suggested I might like this blog He was totally right This post actually made my day You can not imagine simply how much time I had spent for this info Thanks
I just could not depart your web site prior to suggesting that I really loved the usual info an individual supply in your visitors Is gonna be back regularly to check up on new posts
of course like your website but you have to check the spelling on several of your posts A number of them are rife with spelling issues and I in finding it very troublesome to inform the reality on the other hand I will certainly come back again