Exposed tokens #2
Hello. Since the token isn't bound to a personal account, I think there is no problem with not using an environment variable. I got the token from their website without needing to log in.
After reversing the jsToken algorithm, it turns out the token incorporates the user's ID. So the tokens you have exposed are bound to your personal account.
Can you explain how to reverse jsToken?
Not exactly reversing the From what I can see in the minified code, the You can see the logic of The decoded script looks like this function _0x1c83(){var _0x46299c=['substring','5yrkOAa','5315676UaLMvm','4570911tMfVaE','7561992ccLNCi','jsToken','37506SzEFew','TcWVr','<USERS KEY>','549728tDlcaJ','DKuia','ToUHt','nFAeQ','76jfDtft','8056111JVLUJd','hlevV','charAt','689016FUcXux','length','<BACKEND TOKEN>'];_0x1c83=function(){return _0x46299c;};return _0x1c83();}function _0x3ff6(_0x22b090,_0x460f0d){var _0x1c8321=_0x1c83();return _0x3ff6=function(_0x3ff6af,_0x268763){_0x3ff6af=_0x3ff6af-0x1c7;var _0x4faceb=_0x1c8321[_0x3ff6af];return _0x4faceb;},_0x3ff6(_0x22b090,_0x460f0d);}(function(_0x11f2b0,_0x3ac80b){var _0x2a8c08=_0x3ff6,_0x24a05c=_0x11f2b0();while(!![]){try{var _0x4811eb=parseInt(_0x2a8c08(0x1d1))/0x1+parseInt(_0x2a8c08(0x1cd))/0x2*(-parseInt(_0x2a8c08(0x1da))/0x3)+-parseInt(_0x2a8c08(0x1c9))/0x4+-parseInt(_0x2a8c08(0x1d5))/0x5*(-parseInt(_0x2a8c08(0x1d6))/0x6)+parseInt(_0x2a8c08(0x1ce))/0x7+-parseInt(_0x2a8c08(0x1d8))/0x8+-parseInt(_0x2a8c08(0x1d7))/0x9;if(_0x4811eb===_0x3ac80b)break;else _0x24a05c['push'](_0x24a05c['shift']());}catch(_0x3a51e8){_0x24a05c['push'](_0x24a05c['shift']());}}}(_0x1c83,0xa12e7),function(){var _0x2007ed=_0x3ff6,_0x175f98={'TcWVr':_0x2007ed(0x1c8),'nFAeQ':function(_0x13afff,_0xeaf297){return _0x13afff-_0xeaf297;},'DKuia':function(_0x444e70,_0x501f88){return _0x444e70+_0x501f88;},'ToUHt':function(_0x1db0d4,_0x528e01){return _0x1db0d4-_0x528e01;},'hlevV':function(_0x8ae3eb){return _0x8ae3eb();}};function _0x14da31(){var _0xb8a057=_0x2007ed,_0x28c750=_0xb8a057(0x1d3),_0x56e69c=_0x175f98[_0xb8a057(0x1c7)],_0x1053e4=_0x28c750[+_0x56e69c['charAt']()],_0x22e019=_0x28c750[+_0x56e69c['charAt'](_0x175f98[_0xb8a057(0x1cc)](_0x56e69c[_0xb8a057(0x1d2)],0x1))];return 
_0x28c750=_0x28c750[_0xb8a057(0x1d4)](0x0,+_0x56e69c[_0xb8a057(0x1d0)]())+_0x22e019+_0x28c750[_0xb8a057(0x1d4)](_0x175f98[_0xb8a057(0x1ca)](+_0x56e69c['charAt'](),0x1)),_0x28c750=_0x175f98[_0xb8a057(0x1ca)](_0x175f98[_0xb8a057(0x1ca)](_0x28c750[_0xb8a057(0x1d4)](0x0,+_0x56e69c[_0xb8a057(0x1d0)](_0x175f98[_0xb8a057(0x1cb)](_0x56e69c['length'],0x1))),_0x1053e4),_0x28c750[_0xb8a057(0x1d4)](_0x175f98[_0xb8a057(0x1ca)](+_0x56e69c[_0xb8a057(0x1d0)](_0x175f98[_0xb8a057(0x1cb)](_0x56e69c['length'],0x1)),0x1))),_0x28c750;}window[_0x2007ed(0x1d9)]=_0x175f98[_0x2007ed(0x1cf)](_0x14da31);}()); After spending around a hour de-obfuscating the code, below is the final function. If you take the user's key and the backend token and pass it to the below function it'll give you the function getJsToken(userKey, baseToken) {
// NOTE(review): the signature `function getJsToken(userKey, baseToken) {` was fused onto the
// end of the preceding prose line by the page rendering; the lines below are that function's body.
//
// What it computes: baseToken with the characters at indices i and j swapped, where
//   i = numeric value of the FIRST character of userKey, and
//   j = numeric value of the LAST character of userKey.
// No secret enters the derivation, so anyone holding <USERS KEY> and <BACKEND TOKEN> (both
// hardcoded in the repo) can compute jsToken, and the swap is trivially reversible. That is why
// the "exposed" token is effectively bound to the account whose key was used to derive it.
//
// Not guarded here (plain JS semantics): if the first/last character of userKey is not a
// decimal digit, unary `+` gives NaN, baseToken[NaN] is undefined, and the string "undefined"
// is spliced into the result; an index beyond baseToken.length behaves the same way; if
// i === j the token is returned unchanged.
//
// charAt() with no argument is charAt(0); despite the name, this digit comes from userKey, not the token.
const firstCharOfToken = +userKey.charAt();
// Misnamed: this is the LAST character of userKey (index length - 1), not the second-to-last.
const secondLastCharOfToken = +userKey.charAt((userKey.length - 1))
// Original characters at the two swap positions, captured before any splicing.
var charOfBaseToken = baseToken[firstCharOfToken]
var charOfBaseToken2 = baseToken[secondLastCharOfToken];
// Step 1: put baseToken[j] at position i.
const token = baseToken.substring(0, firstCharOfToken) + charOfBaseToken2 + baseToken.substring(firstCharOfToken + 1)
// Step 2: put the original baseToken[i] at position j (token already carries the step-1 change).
const firstPart = token.substring(0, secondLastCharOfToken) + charOfBaseToken;
const secondPart = token.substring((secondLastCharOfToken + 1));
return `${firstPart}${secondPart}`;
} |
Sorry for the slow response. Thanks for your explanation; in the next commit I will move the tokens to environment variables, but I'm still confused about how to obtain those tokens manually. I got the tokens by intercepting network traffic, so I don't know the process behind them.
I don't think these tokens should be visible to the public; please use environment variables — Vercel supports them well. Note that moving the values into environment variables does not revoke them: they already sit in git history (commit 369978e), so they should also be rotated if the upstream service allows it. Since `pages/api/*.ts` are (presumably Next.js) API routes, read them there via `process.env` without a `NEXT_PUBLIC_` prefix, otherwise they are inlined into the client bundle and exposed again.
terabox-dw/pages/api/getDownloadUrl.ts
Lines 23 to 25 in 369978e
also these:
terabox-dw/pages/api/getDetail.ts
Lines 26 to 28 in 369978e