实战fiddler劫持高德地图api伪装位置

发表于 分类于 阅读次数:
本文字数: 11k 阅读时长 ≈ 10 分钟

工具及用途

  1. fiddler抓包,分析网络流量,劫持请求和响应
  2. 一个好用的文本编辑器或者IDE,比如notepad++或者vs code
  3. nodejs或者python或者java或者其他,选一种你喜欢的编程语言来写服务器端应用

准备

  1. 先去高德地图开放平台申请一个Web端应用,得到key

  2. 然后参考文档快速的写一个简单的定位的网页,为了节约时间,我这里给出一个简单的示例demo,使用时将下面的代码保存到本地,可以命名为a.html或者其他,然后将自己申请好的key,填入源代码对应位置

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    <html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
        <h1 id="showLocation">获取定位中。。。</h1>
    </body>
    </html>
    <script src="https://webapi.amap.com/loader.js"></script>
    <script type="text/javascript">
        AMapLoader.load({
            "key": "申请好的Web端开发者Key",              // 申请好的Web端开发者Key,首次调用 load 时必填
            "version": "1.4.15",   // 指定要加载的 JSAPI 的版本,缺省时默认为 1.4.15
            "plugins": [],           // 需要使用的的插件列表,如比例尺'AMap.Scale'等
            "AMapUI": {             // 是否加载 AMapUI,缺省不加载
                "version": '1.1',   // AMapUI 缺省 1.1
                "plugins": ['overlay/SimpleMarker'],       // 需要加载的 AMapUI ui插件
            },
            "Loca": {                // 是否加载 Loca, 缺省不加载
                "version": '1.3.2'  // Loca 版本,缺省 1.3.2
            },
        }).then((AMap) => {
            AMap.plugin('AMap.Geolocation', function () {
                var geolocation = new AMap.Geolocation({
                    // 是否使用高精度定位,默认:true
                    enableHighAccuracy: true,
                    // 定位按钮的停靠位置的偏移量,默认:Pixel(10, 20)
                    buttonOffset: new AMap.Pixel(10, 20),
                    //  定位成功后调整地图视野范围使定位位置及精度范围视野内可见,默认:false
                    zoomToAccuracy: true,
                    //  定位按钮的排放位置,  RB表示右下
                    buttonPosition: 'RB'
                })

                geolocation.getCurrentPosition(function (status, result) {
                    if (status == 'complete') {
                        onComplete(result)
                    } else {
                        onError(result)
                    }
                });

                function onComplete(data) {
                    // data是具体的定位信息
                    console.log('定位成功')
                    document.getElementById('showLocation').innerText = data.formattedAddress
                    console.log(JSON.stringify(data))
                }

                function onError(data) {
                    // 定位出错
                    console.log('定位出错')
                    console.log(data)
                }
            })
        }).catch((e) => {
            console.log(e);  //加载错误提示
        });
    </script>

  3. 然后双击使用浏览器打开该html文件,推荐chorme浏览器,不出意外的话(定位是个耗时操作,可能需要等一下),你应该可以看到类似下面这样的网页,没什么特别的,就是定位到了你的当前位置(小声bb:当然,我这是伪装过的)
    a.html获取到的当前位置

开始

配置fiddler

打开fiddler,菜单栏选择Tools->Options->Connections,如下图配置就行,然后重启fiddler
fiddler配置

抓包分析定位报文

浏览器打开a.html,定位成功后查看fiddler中抓到的报文,如下:

1
2
3
4
5
6
7
8
9
10
11
12
# 请求
GET https://restapi.amap.com/v3/geocode/regeo?key=你申请的key&s=rsv3&language=zh_cn&location=116.333374,40.009645&extensions=base&callback=jsonp_98368_&platform=JS&logversion=2.0&appname=file%3A%2F%2F%2FC%3A%2FUsers%2Fzimo%2FDesktop%2Fa.html&csid=45AD182B-2FF2-45B1-A74B-134A116B1242&sdkversion=1.4.15 HTTP/1.1
Host: restapi.amap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: cna=wO0GGESg9wICAd4SfkOgapRy; xlly_s=1; passport_login=MjA0ODYxODA4LGFtYXBCR1hNUkx0NmIsbWZremZ1eWVpc2Z1NWNndzNpcmhqc2ptNXp4c3JmdHosMTYwMzI5MDUzMixOMlF5TkRFME5USTJNbVExTXpBeU16Smtaab15TjJObU1EUmpORGc1T0RjPQ%3D%3D
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 响应
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 22 Oct 2020 03:14:11 GMT
Content-Type: application/json;charset=utf-8
Connection: close
Content-Length: 702
gsid: 033015141109160333645149200012074647900
sc: 0.004
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,key,x-biz,x-info,platinfo,encr,enginever,gzipped,poiid

jsonp_98368_({'status': '1', 'regeocode': {'addressComponent': {'city': [], 'province': '北京市', 'adcode': '110108', 'district': '海淀区', 'towncode': '110108014000', 'streetNumber': {'number': '7号', 'location': '116.330383,40.008245', 'direction': '西南', 'distance': '298.527', 'street': '荷清路'}, 'country': '中国', 'township': '清华园街道', 'businessAreas': [{'location': '116.341578,39.991180', 'name': '五道口', 'id': '110108'}], 'building': {'name': [], 'type': []}, 'neighborhood': {'name': '清华大学', 'type': '科教文化服务;科研机构;科研机构'}, 'citycode': '010'}, 'formatted_address': '北京市海淀区清华园街道清华大学'}, 'info': 'OK', 'infocode': '10000'}
)

编写服务器端应用模拟响应报文

我使用的是IDEIntelliJ IDEA 2019.3.3,编程语言是java,另外使用了springboot框架快速构建服务器端应用,当然,你可以选择你熟悉的其他方式,不再赘述相关内容,在此直接贴出controller类的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package wiki.zimo.demo.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;

@Controller
public class TestController {
    @RequestMapping("/v3/geocode/regeo")
    public void locate(
            @RequestParam("key") String key,
            @RequestParam("s") String s,
            @RequestParam("language") String language,
            @RequestParam("location") String location,
            @RequestParam("extensions") String extensions,
            @RequestParam("callback") String callback,
            @RequestParam("platform") String platform,
            @RequestParam("logversion") String logversion,
            @RequestParam("appname") String appname,
            @RequestParam("csid") String csid,
            @RequestParam("sdkversion") String sdkversion,
            HttpServletResponse response) throws IOException {

        response.addHeader("Date", new Date().toGMTString());
        response.addHeader("Content-Type", "application/json;charset=utf-8");
        response.addHeader("Connection", "close");
        response.addHeader("gsid", "011018245168159885414704300017308414815");
        response.addHeader("sc", "0.004");
        response.addHeader("Access-Control-Allow-Origin", "*");
        response.addHeader("Access-Control-Allow-Methods", "*");
        response.addHeader("Access-Control-Allow-Headers", "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,key,x-biz,x-info,platinfo,encr,enginever,gzipped,poiid");
        response.addHeader("Server", "Tengine");
        // 下面的json就是你想要伪装的位置
        String json = "{'status': '1', 'regeocode': {'addressComponent': {'city': [], 'province': '北京市', 'adcode': '110108', 'district': '海淀区', 'towncode': '110108014000', 'streetNumber': {'number': '7号', 'location': '116.330383,40.008245', 'direction': '西南', 'distance': '298.527', 'street': '荷清路'}, 'country': '中国', 'township': '清华园街道', 'businessAreas': [{'location': '116.341578,39.991180', 'name': '五道口', 'id': '110108'}], 'building': {'name': [], 'type': []}, 'neighborhood': {'name': '清华大学', 'type': '科教文化服务;科研机构;科研机构'}, 'citycode': '010'}, 'formatted_address': '北京市海淀区清华园街道清华大学'}, 'info': 'OK', 'infocode': '10000'}";
        response.getWriter().write(callback + String.format("(%s)", json));
    }
}

修改fiddler自定义规则

修改fiddler的自定义规则(快捷键 Ctrl + R),使之劫持请求定位的接口https://restapi.amap.com/v3/geocode/regeo将它定向到请求我们自己编写的模拟响应报文的服务器端应用,从而实现伪装定位的目的,脚本如下(此处我是在OnBeforeRequest方法的最后插入了下面这段脚本,当然,也可以处理其他的,比如处理响应之前的):

1
2
3
4
5
var origin_host="https://restapi.amap.com/v3/geocode/regeo";
var replace_host="http://localhost:8080/v3/geocode/regeo";
if(oSession.uriContains(origin_host)){
    oSession.fullUrl = oSession.fullUrl.Replace(origin_host,replace_host);
}

下面定位到天安门试试

修改服务器端应用,将json替换为你想定位到的地方,并且需要保证是合法的高德地图定位接口所返回的内容,我这里提供一段python脚本,主要功能是利用高德地图的地理/逆地理编码api得到合法的json位置,使用前需要安装pythonrequests库,参考命令pip install requests,并申请高德地图Web服务应用,获取到相应的key(注意:这个key和上面的Web端key并不相同)

1
2
3
# location 就是你想定位到的经纬度坐标,可以使用坐标拾取系统得到
res = requests.get('https://restapi.amap.com/v3/geocode/regeo?key=你的key&location=116.403963,39.915119')
print(res.json())

浏览器console输出如下:

1
{"type":"complete","info":"SUCCESS","status":1,"ZDa":"jsonp_590192_","position":{"Q":30.58052,"R":103.9923,"lng":103.9923,"lat":30.58052},"message":"Get ipLocation success.Get address success.","location_type":"ip","accuracy":null,"isConverted":true,"addressComponent":{"citycode":"010","adcode":"110101","businessAreas":[{"name":"东单","id":"110101","location":{"Q":39.913479,"R":116.41680400000001,"lng":116.416804,"lat":39.913479}},{"name":"王府井","id":"110101","location":{"Q":39.913505,"R":116.41203100000001,"lng":116.412031,"lat":39.913505}},{"name":"东四","id":"110101","location":{"Q":39.929561,"R":116.42517099999998,"lng":116.425171,"lat":39.929561}}],"neighborhoodType":"","neighborhood":"","building":"","buildingType":"","street":"东华门大街","streetNumber":"60号","country":"中国","province":"北京市","city":"","district":"东城区","township":"东华门街道"},"formattedAddress":"北京市东城区东华门街道东华门大街东华门大街小区","roads":[],"crosses":[],"pois":[]}

详细地址如下:

enjoy it

百度地图同理,不再过多赘述

enjoy it!!!

觉得不错,打赏一下
0%