Thread: [See Bugtracker] Host plugin for javhub.net
View Single Post
  #5  
Old 05.03.2021, 02:14
rocketfeller rocketfeller is offline
Baby Loader
 
Join Date: Feb 2021
Posts: 5
Default

I see, I meant when viewing the source code via "Inspect Element", I presume there's some Javascript that populates the page. Perhaps that's the formerly encrypted payload that I'm seeing, and since I'm looking through a browser the decryption has already happened. Here's an image:


If the above doesn't help (i'm not sure if JDownloader is able to "fake load" a page as part of the crawling) then that sucks, as I haven't been able to work out the encryption. I can just see that the request is sent with a JWT token in the javhubcookie
e.g.
Code:
eyJpdiI6IldkQ0VNOFlDNFwvT1NEWkpcL3pFRGhBQT09IiwidmFsdWUiOiJlaExGbXNMY2lIeWNGbE93aDg5M2N2TkdDdEhNVlwvVWVPdjlVTUk3RGw2NzVhbldJU3A5RUpGQWJHUXRqU0NJUVwvVmtKMzBxRDRNNUhFN0Fxb0lpYmExR3RncUtRZm9JY2RoV2o2UlVLZ242dWFMbVpQNTBtajNUb0cxakV3NjhVIiwibWFjIjoiODZjMDdjYzRlYTUyNGRmYTZhMTEwMDNhODU3ZDc3MGNhZDAzNjVhYWFlYmVjZjZhZGNiZGZhNDg2NTM2MmM5ZCJ9
that decrypted gives
Code:
{
  "iv": "WdCEM8YC4/OSDZJ/zEDhAA==",
  "value": "ehLFmsLciHycFlOwh893cvNGCtHMV/UeOv9UMI7Dl675anWISp9EJFAbGQtjSCIQ/VkJ30qD4M5HE7AqoIiba1GtgqKQfoIcdhWj6RUKgn6uaLmZP50mj3ToG1jEw68U",
  "mac": "86c07cc4ea524dfa6a11003a857d770cad0365aaaebecf6adcbdfa4865362c9d"
}
The response back comes with a different token but in a similar format.
Code:
eyJpdiI6Ik95QXNDbUl2ek9oU0NLVkM3QkhpbGc9PSIsInZhbHVlIjoiVk9xMkVKYXIwNFFLNXZGYW5FcmlIRCtudXBETHV1T3M3TUlmZTVFbFExUnZhRVY0T1ZwOFAybGJVV3VTOW1jY2RYdTR4RXRZaFZ6YjJoaEV0eGMxems4XC83YnhXOU9sTUloM3VxNEF3RjE4Y2xZSkRSZE14MmhuczdlOFVQQUlQIiwibWFjIjoiZGE2OGQ1YTRhYzJkMTQxNWJjYTA3MGRlZTE5MmU5ODBiODFmNDcwYzM0ZjBjYTVkZjhmMjg1YTI5MjBlNDQzYyJ9
that decrypted gives
Code:
{
  "iv": "OyAsCmIvzOhSCKVC7BHilg==",
  "value": "VOq2EJar04QK5vFanEriHD+nupDLuuOs7MIfe5ElQ1RvaEV4OVp8P2lbUWuS9mccdXu4xEtYhVzb2hhEtxc1zk8/7bxW9OlMIh3uq4AwF18clYJDRdMx2hns7e8UPAIP",
  "mac": "da68d5a4ac2d1415bca070dee192e980b81f470c34f0ca5df8f285a2920e443c"
}
Searching the key names brings up references to Laravel PHP framework, I presume iv refers to initialisation vector (which itself looks like it's base64 encoded but that doesn't seem to be the case), so it looks like proper server side encryption not some simple handrolled stuff.
Posting the above in case you have a eureka moment based off of past experiences (long shot, I know).

Last edited by rocketfeller; 05.03.2021 at 05:16.
Reply With Quote