break the fucking new protection made by faggots of Banque Populaire

2014-12-14 16:57:36 +01:00 · 2014-12-14 16:57:36 +01:00 · 7660666d23
commit 7660666d23
parent b5dcc25841
2 changed files with 31 additions and 0 deletions
--- a/modules/banquepopulaire/browser.py
+++ b/modules/banquepopulaire/browser.py
@ -97,6 +97,7 @@ class BanquePopulaire(Browser):
            self.select_form(nr=0)
            self.set_all_readonly(False)
            self['dialogActionPerformed'] = 'EQUIPEMENT_COMPLET'
+            self['token'] = self.page.build_token(self['token'])
            self.submit()

    def get_accounts_list(self):
@ -112,6 +113,7 @@ class BanquePopulaire(Browser):
            if not self.is_on_page(AccountsPage):
                self.go_on_accounts_list()

+            next_page['token'] = self.page.build_token(self.page.get_token())
            self.location('/cyber/internet/ContinueTask.do', urllib.urlencode(next_page))

            for a in self.page.iter_accounts():
@ -137,6 +139,8 @@ class BanquePopulaire(Browser):
        if params is None:
            return

+        params['token'] = self.page.build_token(params['token'])
+
        self.location('/cyber/internet/ContinueTask.do', urllib.urlencode(params))
        self.token = self.page.get_token()

@ -147,6 +151,7 @@ class BanquePopulaire(Browser):
        if len(self.page.document.xpath('//a[@id="tcl4_srt"]')) > 0:
            self.select_form(predicate=lambda form: form.attrs.get('id', '') == 'myForm')
            self.form.action = self.absurl('/cyber/internet/Sort.do?property=tbl1&sortBlocId=blc2&columnName=dateValeur')
+            params['token'] = self.page.build_token(params['token'])
            self.submit()

        while True:
--- a/modules/banquepopulaire/pages.py
+++ b/modules/banquepopulaire/pages.py
@ -60,6 +60,32 @@ class BasePage(_BasePage):
    def get_token(self):
        return self.parser.select(self.document.getroot(), '//form//input[@name="token"]', 1, 'xpath').attrib['value']

+    def build_token(self, token):
+        """
+        These fucking faggots have introduced a new protection on the token.
+
+        Each time there is a call to SAB (selectActionButton), the token
+        available in the form is modified with a key available in JS:
+
+        ipsff(function(){TW().ipthk([12, 25, 17, 5, 23, 26, 15, 30, 6]);});
+
+        Each value of the array is an index for the current token to append the
+        char at this position at the end of the token.
+        """
+        table = None
+        for script in self.document.xpath('//script'):
+            if script.text is None:
+                continue
+            m = re.search(r'ipthk\(([^\)]+)\)', script.text, flags=re.MULTILINE)
+            if m:
+                table = json.loads(m.group(1))
+        if table is None:
+            return token
+
+        for i in table:
+            token += token[i]
+        return token
+

 class RedirectPage(BasePage):
    """