突破SSL Pinning,关闭SSL证书校验

最新推荐文章于 2024-06-17 09:45:06 发布
最新推荐文章于 2024-06-17 09:45:06 发布
阅读量3.3k 收藏 2
点赞数 1
分类专栏: Android
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ALakers/article/details/107642166
版权

Xposed+JustTrustMe

JustTrustMe传送门:https://github.com/Fuzion24/JustTrustMe/releases/tag/v.2
Xposed框架可以去酷安里面找
部分app会检测运行环境,导致进不去主界面,详情请戳 https://github.com/lamster2018/EasyProtector

Frida 突破SSL Pinning

Java.perform(function() {
/*
hook list:
1.SSLcontext
2.okhttp
3.webview
4.XUtils
5.httpclientandroidlib
6.JSSE
7.network\_security\_config (android 7.0+)
8.Apache Http client (support partly)
9.OpenSSLSocketImpl
10.TrustKit
11.Cronet
*/
    // Attempts to bypass SSL pinning implementations in a number of
    // ways. These include implementing a new TrustManager that will
    // accept any SSL certificate, overriding OkHTTP v3 check()
    // method etc.
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var HostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var quiet_output = false;
    // Helper method to honor the quiet flag.
    function quiet_send(data) {
        if (quiet_output) {
            return;
        }
        send(data)
    }
    // Implement a new TrustManager
    // ref: https://gist.github.com/oleavr/3ca67a173ff7d207c6b8c3b0ca65a9d8
    // Java.registerClass() is only supported on ART for now(201803). 所以android 4.4以下不兼容,4.4要切换成ART使用.
    /*
06-07 16:15:38.541 27021-27073/mi.sslpinningdemo W/System.err: java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
06-07 16:15:38.542 27021-27073/mi.sslpinningdemo W/System.err:     at android.net.http.X509TrustManagerExtensions.<init>(X509TrustManagerExtensions.java:73)
        at mi.ssl.MiPinningTrustManger.<init>(MiPinningTrustManger.java:61)
06-07 16:15:38.543 27021-27073/mi.sslpinningdemo W/System.err:     at mi.sslpinningdemo.OkHttpUtil.getSecPinningClient(OkHttpUtil.java:112)
        at mi.sslpinningdemo.OkHttpUtil.get(OkHttpUtil.java:62)
        at mi.sslpinningdemo.MainActivity$1$1.run(MainActivity.java:36)
*/
    var X509Certificate = Java.use("java.security.cert.X509Certificate");
    var TrustManager;
    try {
        TrustManager = Java.registerClass({
            name: 'org.wooyun.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function(chain, authType) {},
                checkServerTrusted: function(chain, authType) {},
                getAcceptedIssuers: function() {
                    // var certs = [X509Certificate.$new()];
                    // return certs;
                    return [];
                }
            }
        });
    } catch (e) {
        quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
    }
    // Prepare the TrustManagers array to pass to SSLContext.init()
    var TrustManagers = [TrustManager.$new()];
    try {
        // Prepare a Empty SSLFactory
        var TLS_SSLContext = SSLContext.getInstance("TLS");
        TLS_SSLContext.init(null, TrustManagers, null);
        var EmptySSLFactory = TLS_SSLContext.getSocketFactory();
    } catch (e) {
        quiet_send(e.message);
    }
    send('Custom, Empty TrustManager ready');
    // Get a handle on the init() on the SSLContext class
    var SSLContext_init = SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    // Override the init method, specifying our new TrustManager
    SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
        quiet_send('Overriding SSLContext.init() with the custom TrustManager');
        SSLContext_init.call(this, null, TrustManagers, null);
    };
    /*** okhttp3.x unpinning ***/
    // Wrap the logic in a try/catch as not all applications will have
    // okhttp as part of the app.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        quiet_send('OkHTTP 3.x Found');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        }
    } catch (err) {
        // If we dont have a ClassNotFoundException exception, raise the
        // problem encountered.
        if (err.message.indexOf('ClassNotFoundException') === 0) {
            throw new Error(err);
        }
    }
    // Appcelerator Titanium PinningTrustManager
    // Wrap the logic in a try/catch as not all applications will have
    // appcelerator as part of the app.
    try {
        var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
        send('Appcelerator Titanium Found');
        PinningTrustManager.checkServerTrusted.implementation = function() {
            quiet_send('Appcelerator checkServerTrusted() called. Not throwing an exception.');
        }
    } catch (err) {
        // If we dont have a ClassNotFoundException exception, raise the
        // problem encountered.
        if (err.message.indexOf('ClassNotFoundException') === 0) {
            throw new Error(err);
        }
    }
    /*** okhttp unpinning ***/
    try {
        var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
        OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
            // do nothing
            quiet_send("OkHttpClient.setCertificatePinner Called!");
            return this;
        };
        // Invalidate the certificate pinnet checks (if "setCertificatePinner" was called before the previous invalidation)
        var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");
        CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(p0, p1) {
            // do nothing
            quiet_send("okhttp Called! [Certificate]");
            return;
        };
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(p0, p1) {
            // do nothing
            quiet_send("okhttp Called! [List]");
            return;
        };
    } catch (e) {
        quiet_send("com.squareup.okhttp not found");
    }
    /*** WebView Hooks ***/
    /* frameworks/base/core/java/android/webkit/WebViewClient.java */
    /* public void onReceivedSslError(Webview, SslErrorHandler, SslError) */
    var WebViewClient = Java.use("android.webkit.WebViewClient");
    WebViewClient.onReceivedSslError.implementation = function(webView, sslErrorHandler, sslError) {
        quiet_send("WebViewClient onReceivedSslError invoke");
        //执行proceed方法
        sslErrorHandler.proceed();
        return;
    };
    WebViewClient.onReceivedError.overload('android.webkit.WebView', 'int', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c, d) {
        quiet_send("WebViewClient onReceivedError invoked");
        return;
    };
    WebViewClient.onReceivedError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function() {
        quiet_send("WebViewClient onReceivedError invoked");
        return;
    };
    /*** JSSE Hooks ***/
    /* libcore/luni/src/main/java/javax/net/ssl/TrustManagerFactory.java */
    /* public final TrustManager[] getTrustManager() */
    /* TrustManagerFactory.getTrustManagers maybe cause X509TrustManagerExtensions error  */
    // var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
    // TrustManagerFactory.getTrustManagers.implementation = function(){
    //     quiet_send("TrustManagerFactory getTrustManagers invoked");
    //     return TrustManagers;
    // }
    var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setDefaultHostnameVerifier(HostnameVerifier) */
    HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) {
        quiet_send("HttpsURLConnection.setDefaultHostnameVerifier invoked");
        return null;
    };
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setSSLSocketFactory(SSLSocketFactory) */
    HttpsURLConnection.setSSLSocketFactory.implementation = function(SSLSocketFactory) {
        quiet_send("HttpsURLConnection.setSSLSocketFactory invoked");
        return null;
    };
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setHostnameVerifier(HostnameVerifier) */
    HttpsURLConnection.setHostnameVerifier.implementation = function(hostnameVerifier) {
        quiet_send("HttpsURLConnection.setHostnameVerifier invoked");
        return null;
    };
    /*** Xutils3.x hooks ***/
    //Implement a new HostnameVerifier
    var TrustHostnameVerifier;
    try {
        TrustHostnameVerifier = Java.registerClass({
            name: 'org.wooyun.TrustHostnameVerifier',
            implements: [HostnameVerifier],
            method: {
                verify: function(hostname, session) {
                    return true;
                }
            }
        });
    } catch (e) {
        //java.lang.ClassNotFoundException: Didn't find class "org.wooyun.TrustHostnameVerifier"
        quiet_send("registerClass from hostnameVerifier >>>>>>>> " + e.message);
    }
    try {
        var RequestParams = Java.use('org.xutils.http.RequestParams');
        RequestParams.setSslSocketFactory.implementation = function(sslSocketFactory) {
            sslSocketFactory = EmptySSLFactory;
            return null;
        }
        RequestParams.setHostnameVerifier.implementation = function(hostnameVerifier) {
            hostnameVerifier = TrustHostnameVerifier.$new();
            return null;
        }
    } catch (e) {
        quiet_send("Xutils hooks not Found");
    }
    /*** httpclientandroidlib Hooks ***/
    try {
        var AbstractVerifier = Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier");
        AbstractVerifier.verify.overload('java.lang.String', '[Ljava.lang.String', '[Ljava.lang.String', 'boolean').implementation = function() {
            quiet_send("httpclientandroidlib Hooks");
            return null;
        }
    } catch (e) {
        quiet_send("httpclientandroidlib Hooks not found");
    }
    /***
android 7.0+ network_security_config TrustManagerImpl hook
apache httpclient partly
***/
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    // try {
    //     var Arrays = Java.use("java.util.Arrays");
    //     //apache http client pinning maybe baypass
    //     //https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#471
    //     TrustManagerImpl.checkTrusted.implementation = function (chain, authType, session, parameters, authType) {
    //         quiet_send("TrustManagerImpl checkTrusted called");
    //         //Generics currently result in java.lang.Object
    //         return Arrays.asList(chain);
    //     }
    //
    // } catch (e) {
    //     quiet_send("TrustManagerImpl checkTrusted nout found");
    // }
    try {
        // Android 7+ TrustManagerImpl
        TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
            quiet_send("TrustManagerImpl verifyChain called");
            // Skip all the logic and just return the chain again :P
            //https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
            // https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#L650
            return untrustedChain;
        }
    } catch (e) {
        quiet_send("TrustManagerImpl verifyChain nout found below 7.0");
    }
    // OpenSSLSocketImpl
    try {
        var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
        OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, authMethod) {
            quiet_send('OpenSSLSocketImpl.verifyCertificateChain');
        }
        quiet_send('OpenSSLSocketImpl pinning')
    } catch (err) {
        quiet_send('OpenSSLSocketImpl pinner not found');
    }
    // Trustkit
    try {
        var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
        Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(str) {
            quiet_send('Trustkit.verify1: ' + str);
            return true;
        };
        Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(str) {
            quiet_send('Trustkit.verify2: ' + str);
            return true;
        };
        quiet_send('Trustkit pinning')
    } catch (err) {
        quiet_send('Trustkit pinner not found')
    }
    try {
        //cronet pinner hook
        //weibo don't invoke
        var netBuilder = Java.use("org.chromium.net.CronetEngine$Builder");
        //https://developer.android.com/guide/topics/connectivity/cronet/reference/org/chromium/net/CronetEngine.Builder.html#enablePublicKeyPinningBypassForLocalTrustAnchors(boolean)
        netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.implementation = function(arg) {
            //weibo not invoke
            console.log("Enables or disables public key pinning bypass for local trust anchors = " + arg);
            //true to enable the bypass, false to disable.
            var ret = netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true);
            return ret;
        };
        netBuilder.addPublicKeyPins.implementation = function(hostName, pinsSha256, includeSubdomains, expirationDate) {
            console.log("cronet addPublicKeyPins hostName = " + hostName);
            //var ret = netBuilder.addPublicKeyPins.call(this,hostName, pinsSha256,includeSubdomains, expirationDate);
            //this 是调用 addPublicKeyPins 前的对象吗? Yes,CronetEngine.Builder
            return this;
        };
    } catch (err) {
        console.log('[-] Cronet pinner not found')
    }
});

获取包名

aapt.exe dump badging apk的路径

执行

frida.exe -U -f package_name -l  js_path  --no-pause

如果得到process termimated,可以尝试用python的方式去执行

执行前:需要使用启动frida-server以及转发端口 27042,27043
frida-server地址:https://github.com/frida/frida/releases
Windows平台上的模拟器一般是x86架构,真机上一般是arm64的,需要下载对应的server

adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043

贴出代码:

import frida
import sys


def on_message(message,data):

    if message['type']=='send':
        res=message['payload']
        print('res is {}'.format(res))



def start():

    print(frida.__version__)

    device = frida.get_remote_device()
    # jscode=''
    # with open('test.js','r') as f:
    #     jscode=f.read()

    jscode='''
        Java.perform(function() {
/*
hook list:
1.SSLcontext
2.okhttp
3.webview
4.XUtils
5.httpclientandroidlib
6.JSSE
7.network\_security\_config (android 7.0+)
8.Apache Http client (support partly)
9.OpenSSLSocketImpl
10.TrustKit
11.Cronet
*/
    // Attempts to bypass SSL pinning implementations in a number of
    // ways. These include implementing a new TrustManager that will
    // accept any SSL certificate, overriding OkHTTP v3 check()
    // method etc.
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var HostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var quiet_output = false;
    // Helper method to honor the quiet flag.
    function quiet_send(data) {
        if (quiet_output) {
            return;
        }
        send(data)
    }
    // Implement a new TrustManager
    // ref: https://gist.github.com/oleavr/3ca67a173ff7d207c6b8c3b0ca65a9d8
    // Java.registerClass() is only supported on ART for now(201803). 所以android 4.4以下不兼容,4.4要切换成ART使用.
    /*
06-07 16:15:38.541 27021-27073/mi.sslpinningdemo W/System.err: java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
06-07 16:15:38.542 27021-27073/mi.sslpinningdemo W/System.err:     at android.net.http.X509TrustManagerExtensions.<init>(X509TrustManagerExtensions.java:73)
        at mi.ssl.MiPinningTrustManger.<init>(MiPinningTrustManger.java:61)
06-07 16:15:38.543 27021-27073/mi.sslpinningdemo W/System.err:     at mi.sslpinningdemo.OkHttpUtil.getSecPinningClient(OkHttpUtil.java:112)
        at mi.sslpinningdemo.OkHttpUtil.get(OkHttpUtil.java:62)
        at mi.sslpinningdemo.MainActivity$1$1.run(MainActivity.java:36)
*/
    var X509Certificate = Java.use("java.security.cert.X509Certificate");
    var TrustManager;
    try {
        TrustManager = Java.registerClass({
            name: 'org.wooyun.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function(chain, authType) {},
                checkServerTrusted: function(chain, authType) {},
                getAcceptedIssuers: function() {
                    // var certs = [X509Certificate.$new()];
                    // return certs;
                    return [];
                }
            }
        });
    } catch (e) {
        quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
    }
    // Prepare the TrustManagers array to pass to SSLContext.init()
    var TrustManagers = [TrustManager.$new()];
    try {
        // Prepare a Empty SSLFactory
        var TLS_SSLContext = SSLContext.getInstance("TLS");
        TLS_SSLContext.init(null, TrustManagers, null);
        var EmptySSLFactory = TLS_SSLContext.getSocketFactory();
    } catch (e) {
        quiet_send(e.message);
    }
    send('Custom, Empty TrustManager ready');
    // Get a handle on the init() on the SSLContext class
    var SSLContext_init = SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    // Override the init method, specifying our new TrustManager
    SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
        quiet_send('Overriding SSLContext.init() with the custom TrustManager');
        SSLContext_init.call(this, null, TrustManagers, null);
    };
    /*** okhttp3.x unpinning ***/
    // Wrap the logic in a try/catch as not all applications will have
    // okhttp as part of the app.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        quiet_send('OkHTTP 3.x Found');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
            quiet_send('OkHTTP 3.x check() called. Not throwing an exception.');
        }
    } catch (err) {
        // If we dont have a ClassNotFoundException exception, raise the
        // problem encountered.
        if (err.message.indexOf('ClassNotFoundException') === 0) {
            throw new Error(err);
        }
    }
    // Appcelerator Titanium PinningTrustManager
    // Wrap the logic in a try/catch as not all applications will have
    // appcelerator as part of the app.
    try {
        var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
        send('Appcelerator Titanium Found');
        PinningTrustManager.checkServerTrusted.implementation = function() {
            quiet_send('Appcelerator checkServerTrusted() called. Not throwing an exception.');
        }
    } catch (err) {
        // If we dont have a ClassNotFoundException exception, raise the
        // problem encountered.
        if (err.message.indexOf('ClassNotFoundException') === 0) {
            throw new Error(err);
        }
    }
    /*** okhttp unpinning ***/
    try {
        var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
        OkHttpClient.setCertificatePinner.implementation = function(certificatePinner) {
            // do nothing
            quiet_send("OkHttpClient.setCertificatePinner Called!");
            return this;
        };
        // Invalidate the certificate pinnet checks (if "setCertificatePinner" was called before the previous invalidation)
        var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");
        CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(p0, p1) {
            // do nothing
            quiet_send("okhttp Called! [Certificate]");
            return;
        };
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(p0, p1) {
            // do nothing
            quiet_send("okhttp Called! [List]");
            return;
        };
    } catch (e) {
        quiet_send("com.squareup.okhttp not found");
    }
    /*** WebView Hooks ***/
    /* frameworks/base/core/java/android/webkit/WebViewClient.java */
    /* public void onReceivedSslError(Webview, SslErrorHandler, SslError) */
    var WebViewClient = Java.use("android.webkit.WebViewClient");
    WebViewClient.onReceivedSslError.implementation = function(webView, sslErrorHandler, sslError) {
        quiet_send("WebViewClient onReceivedSslError invoke");
        //执行proceed方法
        sslErrorHandler.proceed();
        return;
    };
    WebViewClient.onReceivedError.overload('android.webkit.WebView', 'int', 'java.lang.String', 'java.lang.String').implementation = function(a, b, c, d) {
        quiet_send("WebViewClient onReceivedError invoked");
        return;
    };
    WebViewClient.onReceivedError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function() {
        quiet_send("WebViewClient onReceivedError invoked");
        return;
    };
    /*** JSSE Hooks ***/
    /* libcore/luni/src/main/java/javax/net/ssl/TrustManagerFactory.java */
    /* public final TrustManager[] getTrustManager() */
    /* TrustManagerFactory.getTrustManagers maybe cause X509TrustManagerExtensions error  */
    // var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
    // TrustManagerFactory.getTrustManagers.implementation = function(){
    //     quiet_send("TrustManagerFactory getTrustManagers invoked");
    //     return TrustManagers;
    // }
    var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setDefaultHostnameVerifier(HostnameVerifier) */
    HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) {
        quiet_send("HttpsURLConnection.setDefaultHostnameVerifier invoked");
        return null;
    };
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setSSLSocketFactory(SSLSocketFactory) */
    HttpsURLConnection.setSSLSocketFactory.implementation = function(SSLSocketFactory) {
        quiet_send("HttpsURLConnection.setSSLSocketFactory invoked");
        return null;
    };
    /* libcore/luni/src/main/java/javax/net/ssl/HttpsURLConnection.java */
    /* public void setHostnameVerifier(HostnameVerifier) */
    HttpsURLConnection.setHostnameVerifier.implementation = function(hostnameVerifier) {
        quiet_send("HttpsURLConnection.setHostnameVerifier invoked");
        return null;
    };
    /*** Xutils3.x hooks ***/
    //Implement a new HostnameVerifier
    var TrustHostnameVerifier;
    try {
        TrustHostnameVerifier = Java.registerClass({
            name: 'org.wooyun.TrustHostnameVerifier',
            implements: [HostnameVerifier],
            method: {
                verify: function(hostname, session) {
                    return true;
                }
            }
        });
    } catch (e) {
        //java.lang.ClassNotFoundException: Didn't find class "org.wooyun.TrustHostnameVerifier"
        quiet_send("registerClass from hostnameVerifier >>>>>>>> " + e.message);
    }
    try {
        var RequestParams = Java.use('org.xutils.http.RequestParams');
        RequestParams.setSslSocketFactory.implementation = function(sslSocketFactory) {
            sslSocketFactory = EmptySSLFactory;
            return null;
        }
        RequestParams.setHostnameVerifier.implementation = function(hostnameVerifier) {
            hostnameVerifier = TrustHostnameVerifier.$new();
            return null;
        }
    } catch (e) {
        quiet_send("Xutils hooks not Found");
    }
    /*** httpclientandroidlib Hooks ***/
    try {
        var AbstractVerifier = Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier");
        AbstractVerifier.verify.overload('java.lang.String', '[Ljava.lang.String', '[Ljava.lang.String', 'boolean').implementation = function() {
            quiet_send("httpclientandroidlib Hooks");
            return null;
        }
    } catch (e) {
        quiet_send("httpclientandroidlib Hooks not found");
    }
    /***
android 7.0+ network_security_config TrustManagerImpl hook
apache httpclient partly
***/
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    // try {
    //     var Arrays = Java.use("java.util.Arrays");
    //     //apache http client pinning maybe baypass
    //     //https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#471
    //     TrustManagerImpl.checkTrusted.implementation = function (chain, authType, session, parameters, authType) {
    //         quiet_send("TrustManagerImpl checkTrusted called");
    //         //Generics currently result in java.lang.Object
    //         return Arrays.asList(chain);
    //     }
    //
    // } catch (e) {
    //     quiet_send("TrustManagerImpl checkTrusted nout found");
    // }
    try {
        // Android 7+ TrustManagerImpl
        TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
            quiet_send("TrustManagerImpl verifyChain called");
            // Skip all the logic and just return the chain again :P
            //https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
            // https://github.com/google/conscrypt/blob/c88f9f55a523f128f0e4dace76a34724bfa1e88c/platform/src/main/java/org/conscrypt/TrustManagerImpl.java#L650
            return untrustedChain;
        }
    } catch (e) {
        quiet_send("TrustManagerImpl verifyChain nout found below 7.0");
    }
    // OpenSSLSocketImpl
    try {
        var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
        OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, authMethod) {
            quiet_send('OpenSSLSocketImpl.verifyCertificateChain');
        }
        quiet_send('OpenSSLSocketImpl pinning')
    } catch (err) {
        quiet_send('OpenSSLSocketImpl pinner not found');
    }
    // Trustkit
    try {
        var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
        Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(str) {
            quiet_send('Trustkit.verify1: ' + str);
            return true;
        };
        Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(str) {
            quiet_send('Trustkit.verify2: ' + str);
            return true;
        };
        quiet_send('Trustkit pinning')
    } catch (err) {
        quiet_send('Trustkit pinner not found')
    }
    try {
        //cronet pinner hook
        //weibo don't invoke
        var netBuilder = Java.use("org.chromium.net.CronetEngine$Builder");
        //https://developer.android.com/guide/topics/connectivity/cronet/reference/org/chromium/net/CronetEngine.Builder.html#enablePublicKeyPinningBypassForLocalTrustAnchors(boolean)
        netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.implementation = function(arg) {
            //weibo not invoke
            console.log("Enables or disables public key pinning bypass for local trust anchors = " + arg);
            //true to enable the bypass, false to disable.
            var ret = netBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true);
            return ret;
        };
        netBuilder.addPublicKeyPins.implementation = function(hostName, pinsSha256, includeSubdomains, expirationDate) {
            console.log("cronet addPublicKeyPins hostName = " + hostName);
            //var ret = netBuilder.addPublicKeyPins.call(this,hostName, pinsSha256,includeSubdomains, expirationDate);
            //this 是调用 addPublicKeyPins 前的对象吗? Yes,CronetEngine.Builder
            return this;
        };
    } catch (err) {
        console.log('[-] Cronet pinner not found')
    }
});

    '''
    
   
    process = device.attach('xxxxxxxxxxxxxxxx')# 应用程序包名或者手机上运行进程的pid
    script=process.create_script(jscode)

    script.on('message',on_message)
    script.load()
    sys.stdin.read()


if __name__ == "__main__":
    start()
Time-Traveler
关注
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
使用openSSL制作SSL证书
u013630932的专栏
08-07 1万+
1.将openSSL的bin目录设置为环境变量 2.set OPENSSL_CONF=E:\OpenSSL-Win32\bin\openssl.cfg 3.以管理员身份运行命令窗口 4.参考文章 https://blog.csdn.net/zhanggnol/article/details/24292507 以下内容均截取于这篇文章 新建文件夹用于存放证书,如“D:\keystore...
详解SSL证书中的SSL握手协议
蔚可云的博客
12-16 2586
是一种数字证书,利用了SSL安全套接字协议,保证上层应用数据传输的保密性、完整性以及传输双发身份的合法性。今天来具体说说SSL握手协议的工作流程。   第一阶段:建立安全能力   客户端-client_hello:   客户端可以支持的SSL最高版本号;   客户端生成的32字节的随机数;   会话标识符ID;   客户端可以支持的密码套件列表;   客户端可以支持的压缩方法列表。   服务端-server_hello:   SSL版本号,取收到的客户端SSL版本和服务端支持的最高版本中的
Android-SSL-Pinning-WebViews:一个简单的演示应用程序,演示了Android WebViews中的证书固定和schemedomain白名单
05-13
Android WebView中的证书固定和方案/域白名单 一个简单的演示应用程序,演示: Android WebViews中的证书固定 Android WebView中的方案和域白名单 使用OkHttp在网络级别实现固定和白名单。 然后,通过扩展WebViewClient并使用OkHttp进行请求来保护WebView。 该解决方案具有性能缺陷:通过扩展WebViewClient并覆盖shouldInterceptRequest ,所有请求将按顺序执行,这会缩短加载时间。 请让我知道是否有解决方案。
基于Android10的忽略HTTPS证书校验
小小小石头的专栏
03-31 8239
为什么要忽略证书校验 从Android 9 开始 APP默认访问的URL 必须是HTTPS协议的,虽然可以配置回支持HTTP,但这种做法不建议使用,已经0202年了,HTTPS早已经是主流。既然要使用HTTPS协议,就少不了CA证书,这个证书是收费的,也有些平台可以什么一年有效期的免费证书,但作为个人开发者,自己建个项目,开发用,完全没必要,我们使用JDK下的keytool生成 https证书。...
探索安全边界:解锁Android应用的HTTPS流量检验——android-ssl-pinning-bypass工具评测
最新发布
gitblog_00036的博客
06-17 689
探索安全边界:解锁Android应用的HTTPS流量检验——android-ssl-pinning-bypass工具评测 项目地址:https://gitcode.com/ilya-kozyr/android-ssl-pinning-bypass 在移动应用开发的世界里,SSL钉住(pinning)是保护用户数据的重要手段之一,但对安全研究人员和测试人员来说,它有时成为了难以逾越的障碍。今天,我们...
Android 7.0+抓包https突破ssl-pinning方案
u014644574的博客
03-17 6005
一、背景 Android 7.0 之后增加了对第三方证书的限制,抓包工具(charles、fiddler等)提供的证书都无法通过校验,也就无法抓取HTTPS请求了。 解决该问题一般思路: 将设备root,将证书安装到system分区。 利用Xposed框架,利用justTrustme/SSL-killer等模块绕过第三方ssl校验。 二、virtualXposed简介 经常折腾 And...
Fiddler+夜神模拟器对安卓app进行抓包,安卓9,安装Magisk和LSPosed
m0_61634551的博客
01-30 3841
现在的app会有一种叫做SSL Pinning的技术,能够确定连接的合法性,防止中间人攻击。注意:安卓手机安装Xposed框架需要Root,可能会导致手机变砖,建议使用模拟器。浏览器 【设置】- 【隐私与安全】- 【显示安全警告】 ,取消勾选就行。安装完证书后,浏览器可能会一直弹窗报错“该网站的完全证书有问题”安装时会提示设置锁屏PIN密码,随便设置一个密码即可。优点:兼容性好,支持大多数手机,Android 8+缺点:需要ROOT,步骤比较多,多开则需要其他应用。双击下载好的证书文件 安装证书
跳过ssl认证
weixin_56404022的博客
06-16 306
【代码】跳过ssl认证。
Android-SSl.zip_WebView_android_sentencevpr_sslpinning_todayrxi
09-15
SSL Pinning,或者称为证书固定,是一种强化网络通信安全性的技术,特别是对于移动应用来说。它通过在应用中硬编码特定的信任证书或公共密钥,确保与服务器的通信只能发生在预期的、安全的证书之间。这防止了攻击者...
android ssl证书验证
11-15
6. **SSL Pinning**:为了进一步增强安全性,开发者还可以实施SSL Pinning。这是一种防止中间人攻击的技术,通过在应用中硬编码服务器证书或其公钥,确保应用只接受预期的证书,从而防止伪造证书。 7. **处理证书链...
ssl-kill-switch2:黑盒工具可在iOS和OS X Apps中禁用SSL证书验证-包括证书固定
02-03
SSL Pinning是一种额外的安全措施,它使得应用程序只接受特定的证书或者公钥,即使该证书没有被广泛认可的CA签名。这种技术可以防止中间人攻击,因为攻击者无法伪造一个已被固定的应用程序所信任的证书。然而,SSL ...
ssl_android.zip_TLS_android_android ssl_application_ssl/tls
09-20
3. **处理证书 Pinning**:为了防止中间人攻击,某些应用可能选择实施证书Pinning技术。这意味着应用会存储服务器预期的证书或公钥,然后在连接时进行校验,只允许与预期证书匹配的服务器进行通信。 4. **处理SSL/...
Xposed.apk + VirtualXposed.apk(Xposed 虚拟环境) + JustTrustMe.apk
06-05
SSL Pinning 是一种防止中间人攻击(MITM)的技术,主要机制是在客户端发起请求,收到服务器发来的证书进行校验,判断证书是否开启了代理,如果开启了代理,APP 中的数据流量就不会通过代理端口,我们就抓取不到...
【Android】OkHttp3网络请求SSL证书验证问题绕过解决方案(包括Android 10及以上适配)
BigUncle
11-19 8418
随着SSL越来越普及,目前很多项目后台接口逐渐由过去的IP+PORT转变成了域名+SSL证书,尤其项目设计微信系类、银行类等等,对于这方便都是最基础的强硬要求条件。
Postman 报错SSL Error: Self signed certificate Disable SSL Verification
lixiaomei0623的专栏
09-17 8910
Postman使用的时候报错:SSL Error: Self signed certificate Disable SSL Verification 解决方案 选择setting菜单: 默认的SSL certificate verification是打开的,把它关掉之后,就没有这个certificate错误了: ...
SSL双向认证绕过,HTTPS证书导出
qq_46723500的博客
02-03 1725
​ 利用r0ysue大佬的r0Capture工具进行Hook抓包自动导出了App内的p12证书
绕过 Android SSL Pinning
A_991128a的博客
12-28 1322
转载请注明出处。请前往 Tiga on Tech以及更多有趣的技术文章。SSL Pinning 指的是,对于 target sdk version > 23 的 Android App,App 默认指信任系统的根证书或 App 内指定的证书,而不信任用户添加的第三方证书
Android证书绑定绕过研究(一)
Tasfa的博客
08-12 1357
背景 随着App安全技术快速发展,越来越多的App使用SSL Pinning(证书绑定),因此需要有方案来绕过该防御措施。 可能网上有很多脚本,适用于大部分情况,但是一遇到脚本无法使用的时候,我们便需要有逆向分析的思路。 本文将从两方面入手,一方面是分析公开脚本的原理,一方面是当脚本失效时的逆向思路分享。 SSL-Pining-Bypass 逆向思路 ...
Spring Cloud Gateway 使用说明(5)-- TLS 和 SSL
xgw的专栏
08-14 2917
9. TLS 和 SSL 网关可以通过常规的 Spring server configuration 来侦听HTTPS上的请求。例子: Example 61. application.yml server: ssl: enabled: true key-alias: scg key-store-password: scg1234 key-store: classpath:scg-keystore.p12 key-store-type: PKCS12 网关路由可以
so层修改sslpinning
07-27
SO层修改SSL pinning是指在操作系统的系统调用层面对SSL pinning进行修改。SSL pinning是一种安全机制,用于保护网络通信的安全性。 在SO层修改SSL pinning可以通过修改系统库或者Hook相关API来实现。一种常见的方法是通过Hook函数来修改SSL pinning的检查逻辑,绕过证书校验,从而绕过SSL pinning的保护。 具体实现的步骤如下: 1. 定位到SSL pinning相关的检查函数,常见的包括SSL_CTX_set_verify、SSL_get_verify_result等函数。 2. 使用Hook技术,在函数调用之前或之后注入自定义的代码逻辑。 3. 在Hook的代码逻辑中,可以修改函数的返回值或者控制流程,绕过SSL pinning的检查,实现信任任意证书。 4. 重新编译并替换系统库,或者使用LD_PRELOAD等机制加载修改后的共享库。 需要注意的是,修改SSL pinning可能会导致网络通信的不安全性,可能会使应用程序容易受到中间人攻击。因此,修改SSL pinning应该谨慎并且仅在合法的测试环境中使用。 总结来说,SO层修改SSL pinning是一种通过在系统调用层面修改相关API的实现方式,来绕过SSL pinning保护。但需要注意潜在的安全风险,并在合适的场景下使用。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值