Zing MP3 – How did I exploit the API?

Tram Ho

Hello everyone, long time no see. Tonight's tutorial is "slightly" less about programming and more about the "reverse" side of things. This afternoon was a bit of a mess: I got dragged out to a bar to enjoy Da Nang's rare cold weather and accidentally drank a bottle of Sting, so I couldn't sleep at night. Normally I'm asleep by 10 o'clock, but today I sat scrolling Facebook forever and suddenly came across a post shared by a second-year student who explored and worked out Zing's API very well! You can read the details here: https://vovanhoangtuan4-2.medium.com/ti-have-letters-api-zingmp3-nhu-thế-nào-55f5fa555eda

I suddenly felt ashamed. I thought: "In second year, people are exploiting Zing MP3's API, while in my second year I only knew how to play cards." So sad, bro. But my curious nature kicked in too: if that student can do it, we can do it too, there's nothing to be afraid of. After working out what was done there, I have systematized it to make the exploration and debugging techniques a little clearer. The Medium post is already fine, so here I walk through how to do it in a way you can understand and reproduce, and so you firmly believe that “Nothing is difficult – Just afraid of not looking”, the slogan of big brother Cuonglee (anyone who installed MU Server in 2007 knows this guy, hehe).

Okay! Enough preamble, on to the main thing. To explore the Zing MP3 API, use Chrome, open DevTools and go to the Zing website.

Note: you must use desktop mode; if you leave it in mobile mode you will not be able to continue.

Next, open the Network tab and play a song. I chose a Vozer song, "Why are you shutting down". Then look at what it fetched, paying attention to the XHRs. I especially like the keyword "get-streaming", hehe (it sounds close to our purpose).

Okay, let's explore this API.

Here we see that this API has 4 query params:

  • id (the song id; don't try to study it, we will never figure it out =)))
  • ctime (the timestamp at the moment we call the API)
  • sig = some string; temporarily call it the "signature". I analyze it later
  • key = the API key, hehehe (other XHRs also use the same key, so it is constant; let's take it)

Of the 4 parameters above, only "sig" is a problem. Why? If we request the same URL unchanged, the info appears, but if we change sig we get a bad request right away! So our main goal is to find out how this sig is created. Looking at it, it contains 128 characters, all in the ASCII charset and all lowercase, so it may well be SHA512; keep that in mind. Now to figure out how the sig is computed: the query params contain "id" and "ctime", but searching the source for "id" is hopeless because the results are too noisy, so we'll use "ctime" for the trace.

This is why I said you have to use the desktop interface: so that we can get the file "main.min.js" in the folder "zjs.zadn.vn / zmp3-desktop / release / vx.xx / static / js".

Okay, click Pretty print to reformat the code for readability, then press Ctrl + F and search for "ctime".

Look at line 501, where you see "t.sig"; put a breakpoint here and click to choose another song.

The breakpoint pauses execution and the data is shown to us. Roughly, function T takes 2 parameters, e and t.

  • e contains the API path
  • t contains an object with id and ctime
  • t.sig is set by calling the function S(e, t); hover your mouse over S and you will see it is declared at line 486
  • Set a breakpoint on line 489 (the result of the function S), then press F9
  • We pause at line 489 and see the result shown above
  • variable n is rebuilt into "ctime=xxxxid=yyyy"
  • variable r contains the value of a function h(), which takes the string n as its argument
  • We see that r has a sigBytes of 32. Earlier we noted that the complete sig is SHA512, and SHA512 returns 64 bytes; here we get 32 bytes, which means it can be SHA256
  • Once r is set, the function calls m with the parameters (e + r, b.Oc): e is the API path, r is SHA256(n), and b.Oc you can see by hovering the mouse over it
  • So we conclude that this function m is SHA512 (as noted above), and its parameters are API path + SHA256(n) and the SECRET KEY (b.Oc)

Try it. I'm lazy, so I run it in an online compiler in my browser: open https://repl.it/languages/nodejs and declare

Then press run

Okay, now we get the SHA256 of n, using the parameters from the request fetched at the start.

Next, we call SHA512(e + r, secret)

Remember that the SECRET KEY string is 10a01dcf33762d3a204cb96429918ff6, which we took a moment ago. Now that we have the sig, substitute it into the following API link and see what happens: https://zingmp3.vn/api/song/get-streamings-beat?id=ZOW0OBU8&ctime=1607185070&sig=716b083eea082f38c8eb2ad5aa1023120199bd906a30a6dd533c4987ba473a7eeb0e2b58c5a8d7c69a563bffb4648ad1762fff78298d1c043f999b994d

Sorry??? Calm down and look at the timestamp: we just generated the signature with a different timestamp ^^. Correct the URL like this:

https://zingmp3.vn/api/song/get-streamings-beat?id=ZOW0OBU8&ctime=160718421&sig=716b083eea082f38c8eb2ad5aa1023120199bd906a30a6dd533c4987ba473a7eeb0e2b58c5a8d7c69a563bffb4648ad1762fff78298d1c043f0c542d3c92ee68&api_key=38e8643fb0dc04e8d65b99994d3dafff

Replace ctime with the correct value, the one we hashed into variable r, and rerun the link.

Changed it and it still errors =)), now this is getting serious! Hehe, calm down. Remember that sig is computed from e and r, and e here is the API path. We generated the signature for api/get-song-info, but then used it to call api/get-streamings-beat. Here is the correct URL: https://zingmp3.vn/api/song/get-song-info?id=ZOW0OBU8&ctime=160718421&sig=716b083eea082f38c8eb2ad5aa1023120199bd906a30a6dd533c4987ba473a7eeb0e2b58c5a8d7c69a563bffb4648ad1762fff78298d1c043f0c542d3c92ee68&api_key=38e8643fb0dc04e8d65b99994d3dafff

And it works.

So we conclude that sig is the string carrying the authentication information for the API request, covering the song id, ctime and API path. If we now want to use /get-streamings-beat, we just repeat the previous steps to generate a sig for that API! But there is no need: the JSON returned earlier by get-song-info already contains the stream URL ^^. The only caveat is 320kbps: if you want that, explore the get-streams API to see how.
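The two failed requests in the walkthrough (a sig paired with a different ctime, then with a different API path) are exactly what a server-side check of this scheme produces. The following is an added example, not code from the original post or from Zing: a Node.js sketch of such a verifier, assuming the keyed function is HMAC-SHA512 over path + hex SHA256, a 300-second freshness window, and a constructed demo key, song id and host.

```javascript
const crypto = require("crypto");

// Constructed demo key for this example, NOT the value quoted in the post.
const DEMO_SECRET = "constructed-demo-secret";
const MAX_SKEW_SECONDS = 300; // assumed freshness window

// sig = HMAC-SHA512(path + hex(SHA256("ctime=<ctime>id=<id>")), secret).
// HMAC is an assumption: the post only shows a keyed call m(e + r, key).
function sign(path, params, secret) {
  const n = `ctime=${params.ctime}id=${params.id}`;
  const r = crypto.createHash("sha256").update(n).digest("hex");
  return crypto.createHmac("sha512", secret).update(path + r).digest("hex");
}

// Server side: recompute the sig from the path actually requested, compare
// in constant time, then reject timestamps outside the freshness window.
function verify(requestUrl, secret, nowSeconds) {
  const url = new URL(requestUrl, "https://api.example.test");
  const id = url.searchParams.get("id");
  const ctime = url.searchParams.get("ctime") || "";
  const sig = url.searchParams.get("sig") || "";
  if (!id || !/^\d+$/.test(ctime)) return "bad-request";
  const expected = Buffer.from(sign(url.pathname, { id, ctime }, secret), "hex");
  const given = /^[0-9a-f]{128}$/.test(sig) ? Buffer.from(sig, "hex") : Buffer.alloc(0);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (Math.abs(nowSeconds - Number(ctime)) > MAX_SKEW_SECONDS) return "stale";
  return "ok";
}

// Constructed requests reproducing the failures seen in the walkthrough.
function demo() {
  const now = 1700000000;
  const path = "/api/song/get-song-info";
  const sig = sign(path, { id: "SONG0001", ctime: now }, DEMO_SECRET);
  const oldSig = sign(path, { id: "SONG0001", ctime: now - 3600 }, DEMO_SECRET);
  const other = "/api/song/get-streamings-beat";
  return {
    valid: verify(`${path}?id=SONG0001&ctime=${now}&sig=${sig}`, DEMO_SECRET, now),
    wrongCtime: verify(`${path}?id=SONG0001&ctime=${now + 1}&sig=${sig}`, DEMO_SECRET, now),
    wrongPath: verify(`${other}?id=SONG0001&ctime=${now}&sig=${sig}`, DEMO_SECRET, now),
    stale: verify(`${path}?id=SONG0001&ctime=${now - 3600}&sig=${oldSig}`, DEMO_SECRET, now),
  };
}

console.log(demo());
```

The check only authenticates callers who do not hold the key; a key delivered inside main.min.js is readable by every client, which is why the signature could be reproduced in the first place.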

Okay! This post is already quite long, and it's now 12:10 PM, so I should stop writing and go to sleep. Wish you success!


Source: Viblo