Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[漏洞] 未登录情况下获取用户视频列表 #699

Closed
niu541412 opened this issue Mar 4, 2024 · 5 comments
Closed

[漏洞] 未登录情况下获取用户视频列表 #699

niu541412 opened this issue Mar 4, 2024 · 5 comments
Labels
anti-spider 反爬相关 need debug info 需要 DEBUG 信息

Comments

@niu541412
Copy link
Contributor

niu541412 commented Mar 4, 2024

问题类似于 #691

async def get_videos(

目前的版本的user.get_videos()当未传入credential类时,仍会触发-352风控。
但的确未登录情况下是可以获取用户视频列表的。

测试发现,未登录情况下,query的参数里必须要有 order_avoided 参数。如果登录了,那这个参数就不是必须的。
默认值是'true',但似乎改成任意字符串都可以。网上没找到这个参数用处的说明,可能就是和风控相关的。

举例子就是当未登录情况下,cookies有buvid3,headers有UA时,下面是个最小版的成功请求的链接
https://api.bilibili.com/x/space/wbi/arc/search?dm_cover_img_str=QU5HTEUgKEludGVsIEluYy4sIEludGVsIElyaXMgUHJvIE9wZW5HTCBFbmdpbmUsIE9wZW5HTCA0LjEpR29vZ2xlIEluYy4gKEludGVsIEluYy&dm_img_inter=%7B%22ds%22%3A%5B%5D%2C%22wh%22%3A%5B0%2C0%2C0%5D%2C%22of%22%3A%5B0%2C0%2C0%5D%7D&dm_img_list=%5B%5D&dm_img_str=V2ViR0wgMS4wIChPcGVuR0wgRVMgMi4wIENocm9taXVtKQ&mid=7773004&order_avoided=true&web_location=1550101&wts=1709535813&w_rid=3edc96577b50f4d7db2432e750a83058

@niu541412 niu541412 added the bug 漏洞 label Mar 4, 2024
@lb-chc
Copy link

lb-chc commented Mar 4, 2024

将此合并的全部代码照搬即可使用https://github.com/Nemo2011/bilibili-api/pull/680

@niu541412
Copy link
Contributor Author

niu541412 commented Mar 5, 2024

将此合并的全部代码照搬即可使用https://github.com/Nemo2011/bilibili-api/pull/680

这个 #680 PR里没有加order_avoided这个参数,在未登录情况下会-352。

@z0z0r4
Copy link
Collaborator

z0z0r4 commented Mar 5, 2024

不清楚,我去BAC提下看看

@lb-chc
Copy link

lb-chc commented Apr 1, 2024

pi.bilibili.com/x/space/wbi/arc/search

还真是,只要一直填写true就行

z0z0r4 added a commit to Nickszy/bilibili-api that referenced this issue Apr 5, 2024
@z0z0r4
Copy link
Collaborator

z0z0r4 commented Apr 5, 2024

已添加

@z0z0r4 z0z0r4 closed this as completed Apr 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
anti-spider 反爬相关 need debug info 需要 DEBUG 信息
Projects
None yet
Development

No branches or pull requests

3 participants