iNTHU App Reverse Engineering #441

ImJustChew · 2024-08-23T06:32:00Z

ImJustChew
Aug 23, 2024
Maintainer

https://osa.nthu.edu.tw/app/app_privacypolicy.aspx?lang=en
https://oauth.ccxp.nthu.edu.tw/v1.1/authorize.php?client_id=saweb&response_type=code&redirect_uri=https%3A%2F%2Fosa.nthu.edu.tw%2Fapi%2Fcallback.aspx&scope=uuid+inschool+userid+name+email&ui_locales=en-US&state=mobile,en
Attendance: https://osa.nthu.edu.tw/app/acsystem.aspx
Home Page: https://osa.nthu.edu.tw/App/Default.aspx?lang=cht
Door QR code: https://osa.nthu.edu.tw/app/pkmrec.aspx

08-23 14:27:41.398 25416 25416 E NTHU    : https://osa.nthu.edu.tw/api/VersionCheck.ashx
08-23 14:27:41.398 25416 25416 E NTHU    :  {"StateCode":0,"Message":"Success","Data":{"LoginURL":"https://osa.nthu.edu.tw/app/app_privacypolicy.aspx?lang=en","AppURL":"","HomeURL":"https://osa.nthu.edu.tw/App/SSO.aspx?lang=en","NotifyURL":"https://osa.nthu.edu.tw/App/Default.aspx?lang=en","IntentUrls":["https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/","https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/index.php?lang=english","https://oauth.ccxp.nthu.edu.tw/v1.1/NTHU-OTP_Setting.pdf","https://oauth.ccxp.nthu.edu.tw/v1.1//NTHU-OTP_Setting.pdf"]}}
08-23 14:27:41.398 25416 25416 E NTHU    : get Data : tw.edu.nthu.affairs.app.object.VersionCheckModel@9106ff2
08-23 14:27:41.409 25416 25416 E NTHU    : had google play service
08-23 14:27:41.420 25416 29872 E NTHU    : Start FCM Registration Token
08-23 14:27:41.424 25416 25416 E NTHU    : FCM Registration Token: <fcm_token>
08-23 14:27:44.575 25416 25416 E NTHU    : load url https://oauth.ccxp.nthu.edu.tw/v1.1/authorize.php?client_id=saweb&response_type=code&redirect_uri=https%3A%2F%2Fosa.nthu.edu.tw%2Fapi%2Fcallback.aspx&scope=uuid+inschool+userid+name+email&ui_locales=en-US&state=mobile,en
08-23 14:27:44.575 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/
08-23 14:27:44.575 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/index.php?lang=english
08-23 14:27:44.575 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1/NTHU-OTP_Setting.pdf
08-23 14:27:44.575 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1//NTHU-OTP_Setting.pdf
08-23 14:27:51.720 25416 25416 E NTHU    : iso3 eng , 1017
08-23 14:27:51.721 25416 25461 E NTHU    : set params :
08-23 14:27:51.721 25416 25461 E NTHU    : set Platform : Android
08-23 14:27:51.721 25416 25461 E NTHU    : set Version : 1017
08-23 14:27:51.721 25416 25461 E NTHU    : set Lang : en
08-23 14:27:51.737 25416 25416 E NTHU    : https://osa.nthu.edu.tw/api/VersionCheck.ashx
08-23 14:27:51.737 25416 25416 E NTHU    :  {"StateCode":0,"Message":"Success","Data":{"LoginURL":"https://osa.nthu.edu.tw/app/app_privacypolicy.aspx?lang=en","AppURL":"","HomeURL":"https://osa.nthu.edu.tw/App/SSO.aspx?lang=en","NotifyURL":"https://osa.nthu.edu.tw/App/Default.aspx?lang=en","IntentUrls":["https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/","https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/index.php?lang=english","https://oauth.ccxp.nthu.edu.tw/v1.1/NTHU-OTP_Setting.pdf","https://oauth.ccxp.nthu.edu.tw/v1.1//NTHU-OTP_Setting.pdf"]}}
08-23 14:27:51.737 25416 25416 E NTHU    : get Data : tw.edu.nthu.affairs.app.object.VersionCheckModel@51cd8ca
08-23 14:27:51.737 25416 25416 E NTHU    : had google play service
08-23 14:27:51.742 25416 30030 E NTHU    : Start FCM Registration Token
08-23 14:27:51.747 25416 25416 E NTHU    : FCM Registration Token: <fcm_token>
08-23 14:27:58.141 25416 25416 E NTHU    : load url https://oauth.ccxp.nthu.edu.tw/v1.1/authorize.php?client_id=saweb&response_type=code&redirect_uri=https%3A%2F%2Fosa.nthu.edu.tw%2Fapi%2Fcallback.aspx&scope=uuid+inschool+userid+name+email&ui_locales=en-US&state=mobile,en
08-23 14:27:58.141 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/
08-23 14:27:58.141 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/index.php?lang=english
08-23 14:27:58.141 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1/NTHU-OTP_Setting.pdf
08-23 14:27:58.141 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1//NTHU-OTP_Setting.pdf
08-23 14:28:14.204 25416 25416 E NTHU    : load url https://osa.nthu.edu.tw/api/callback.aspx?code=8f6dd6bc7081854ec8109524d01f7aa81d75a834&state=mobile%2Cen
08-23 14:28:14.204 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/
08-23 14:28:14.204 25416 25416 E NTHU    : check url https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/index.php?lang=english
08-23 14:28:14.204 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1/NTHU-OTP_Setting.pdf
08-23 14:28:14.204 25416 25416 E NTHU    : check url https://oauth.ccxp.nthu.edu.tw/v1.1//NTHU-OTP_Setting.pdf
08-23 14:28:14.330 25416 25531 E NTHU    : get Token <user-id> , <accessToken>
08-23 14:28:14.330 25416 25531 E NTHU    : iso3 eng , 1017
08-23 14:28:14.331 25416 25463 E NTHU    : set params :
08-23 14:28:14.331 25416 25463 E NTHU    : set Platform : Android
08-23 14:28:14.331 25416 25463 E NTHU    : set UserID : <user-id>
08-23 14:28:14.331 25416 25463 E NTHU    : set DeviceID : <device-id>
08-23 14:28:14.331 25416 25463 E NTHU    : set AccessToken : <accessToken>
08-23 14:28:14.331 25416 25463 E NTHU    : set Lang : en
08-23 14:28:14.331 25416 25463 E NTHU    : set PushToken : <fcm_token>
08-23 14:28:14.341 25416 25416 E NTHU    : https://osa.nthu.edu.tw/api/GetToken.ashx
08-23 14:28:14.341 25416 25416 E NTHU    :  {"StateCode":0,"Message":"","Data":{"AccessToken":"<token>"}}
08-23 14:28:14.342 25416 25416 E NTHU    : get Data : tw.edu.nthu.affairs.app.object.GetTokenModel@2cce9a1
08-23 14:28:14.384 25416 25494 E NTHU    : header Authorization Bearer <token>

ImJustChew · 2024-08-23T13:53:05Z

ImJustChew
Aug 23, 2024
Maintainer Author

It seems like https://www.ccxp.nthu.edu.tw/ccxp/INQUIRE/SSO_LINK/oauth_stuleave.php?ACIXSTORE=
leads to oauth.ccxp.nthu.edu.tw , this includes a custom parameter p that bypasses user login.

The resulting code ends up at osa.nthu.edu.tw, where the HTML contains

<input type="hidden" name="HF_UserID" id="HF_UserID" value="user_id">
<input type="hidden" name="HF_AccessToken" id="HF_AccessToken" value="access_token">

We can see that it is supposed to scoped to web only, but Im guessing someone fucked up, so we can use the mobile API
https://osa.nthu.edu.tw/api/GetToken.ashx, with Platform, UserID, DeviceID, AccessToken, Lang, PushToken, iso3 to get the actual access token that expires in 1hr.

Of course being National Tsing Hua Uni, we can't be bothered to follow conventions, so the JWT is another custom string

{
  "Type": 2,
  "UserID": "stu id",
  "DeviceID": "dev_id",
  "Exp": "2024-08-23 10:36:58"
}

taking about standards right :))

Taking this token as the Header in Authorization, with DeviceID, you can then access all of iNTHU.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

iNTHU App Reverse Engineering #441

{{title}}

Replies: 1 comment

{{title}}

Select a reply

iNTHU App Reverse Engineering #441

ImJustChew Aug 23, 2024 Maintainer

Replies: 1 comment

ImJustChew Aug 23, 2024 Maintainer Author

ImJustChew
Aug 23, 2024
Maintainer

ImJustChew
Aug 23, 2024
Maintainer Author