绕过原理
-
从安卓手机中加载我们自己的CA证书
-
创建包含我们信任CA证书的KeyStore
-
创建TurstManger,让它信任我们KeyStore中的CA证书
使用工具
- Frida
pip3 install Frida -i https://mirrors.aliyun.com/pypi/simple/
pip3 install frida-tools -i https://mirrors.aliyun.com/pypi/simple/
- root设备
- ADB
下载链接:https://developer.android.com/studio/releases/platform-tools?hl=zh-cn
- 注入脚本
/*
Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/
setTimeout(function(){
Java.perform(function (){
console.log("");
console.log("[.] Cert Pinning Bypass/Re-Pinning");
var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
var FileInputStream = Java.use("java.io.FileInputStream");
var BufferedInputStream = Java.use("java.io.BufferedInputStream");
var X509Certificate = Java.use("java.security.cert.X509Certificate");
var KeyStore = Java.use("java.security.KeyStore");
var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
var SSLContext = Java.use("javax.net.ssl.SSLContext");
// Load CAs from an InputStream
console.log("[+] Loading our CA...")
var cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
}
catch(err) {
console.log("[o] " + err);
}
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
bufferedInputStream.close();
var certInfo = Java.cast(ca, X509Certificate);
console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
// Create a KeyStore containing our trusted CAs
console.log("[+] Creating a KeyStore for our CA...");
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
console.log("[+] Our TrustManager is ready...");
console.log("[+] Hijacking SSLContext methods now...")
console.log("[-] Waiting for the app to invoke SSLContext.init()...")
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
console.log("[+] SSLContext initialized with our custom TrustManager!");
}
});
},0);
手机装frida服务并上传burpsuite证书
1 adb shell getprop ro.product.cpu.abi //查看手机arch版本
2 https://github.com/frida/frida/releases //下载对应版本的服务端frida
3 //adb上传frida到安卓
4 adb push C:\xxx\frida-server /data/local/tmp
5 adb shell chmod 777 /data/local/tmp/frida-server
6 adb push C:\xxx\cert-der.crt /data/local/tmp //上传证书
运行frida服务端
1 adb shell
2 su
3 /data/local/tmp/frida-server
4 //手机打开app,adb查看包名
5 adb shell dumpsys window w |findstr \/ |findstr name=
6 //用`ps`或者`pm list packages`找到需要注入的APP package name
脚本注入
1 frida-ps -Ua //列出运行中的程序(查看包名很方便)
2 frida -U -l script.js -f package.name //通过 USB 连接到设备并在 package.name 应用程序上运行 script.js 脚本