- PS: The plugins in this project are not general-purpose. Every vendor uses its own packet encryption algorithm and signature protection algorithm for its business, so the encryption algorithm (or signature algorithm) has to be recovered first and the plugin's encryption (or signature) code adapted to match. The author uses several cases to introduce a general testing workflow for this kind of business: the analysis flow for common encryption algorithms, Burp plugin development, and semi-automated vulnerability hunting together with Xray. The aim is a general testing method for such systems that lowers the labor cost of security testing.
- Case study: https://xz.aliyun.com/t/12295
- The two plugins in this project are the source code of the plugins described in the case study: one automatically encrypts and decrypts the request and response ciphertext, the other automatically bypasses signature protection.
In security testing of financial and banking systems, request encryption and signature protection are common. Such systems cannot be tested effectively as-is: modifying a request parameter makes the replay fail, and a crawler is stumped when all it sees is ciphertext.
For such systems, whether testing by hand or with tools, the encryption algorithm (or signature algorithm) has to be recovered first. Once the encryption logic is known, a Burp plugin can be developed so that testing is done on plaintext, and finally the fact that encrypted traffic naturally passes the WAF can be combined with scanners such as Xray for semi-automated testing (logic flaws still have to be tested by hand). The author uses several cases to introduce the general testing workflow for this kind of business: the analysis flow for common encryption algorithms, Burp plugin development, and semi-automated vulnerability hunting together with Xray.
So the cases are only cases; readers should not fixate on the encryption algorithms in them, because encryption comes in many combinations. The point of this article is the general testing method for such systems, to reduce the labor cost of security testing.
A common signature generation algorithm is sign = MD5(sort(business parameters + timestamp + other parameters)): concatenate the business parameters, timestamp and other parameters, sort the string, and take the MD5 of the string as sign. Client and server generate sign with the same algorithm. When the server receives a request it recomputes sign first; if any business parameter, the timestamp or any other parameter has been modified, the computed sign no longer matches the sign sent by the client, signature verification fails and the request is not processed.
1. Replay the request without modifying it; the response is normal.
2. Then change the value of the parameter icon_type to 11 and replay again; the response now says "message":"sign invalid". The api_sign parameter in the request is the signature value, so we need to find out how api_sign is computed.
3. Search the JS using the URL parameter names as keywords, locate where api_sign is set, and place a breakpoint there.
4. Refresh the page; execution stops at the breakpoint. Step into the function and you can see two parameters, app_key and app_pwd, being added. Stepping on, the value of the parameter c is now device_id=069c8db0-af49-11ed-9a08-3b99f11ff116&timestamp=1676725825997&session_token=G2de7f3ab78910b46ad8c07d6e25c627&app_key=f6aefd6691f04573bdf9e044137372bc, i.e. all of the URL parameters.
5. Continue stepping; a sort is performed and c becomes app_key=f6aefd6691f04573bdf9e044137372bc&device_id=069c8db0-af49-11ed-9a08-3b99f11ff116&session_token=G2de7f3ab78910b46ad8c07d6e25c627&timestamp=1676725825997
6. Next the string is concatenated: app_key + "Oic" + app_pwd + "QeeeS99u3d" + c + app_key + app_pwd
7. The resulting string is:
f6aefd6691f04573bdf9e044137372bcOic72e78efefe6b4577a1f7afbca56b6e28993c06ea4bb84cde8dd70e582dbc76cbQeeeS99u3dapp_key=f6aefd6691f04573bdf9e044137372bc&device_id=069c8db0-af49-11ed-9a08-3b99f11ff116&session_token=G2de7f3ab78910b46ad8c07d6e25c627&timestamp=1676725825997f6aefd6691f04573bdf9e044137372bc72e78efefe6b4577a1f7afbca56b6e28993c06ea4bb84cde8dd70e582dbc76cb
8. Finally, the MD5 of this string is the value of the signature parameter api_sign.
9. With the computation of api_sign recovered, a Burp plugin can be developed that automatically updates the signature parameter api_sign.
Burp plugin development against the extender interfaces can follow the official documentation and the official demo code: https://portswigger.net/burp/extender/api/index.html
Use Maven to fetch the Burp extender API dependency. Plugin conventions: the package name is burp and the class name is BurpExtender.
First, in processHttpMessage, inspect the URI parameters and remove the original api_sign parameter.
Then, from the modified URI parameters, compute a new api_sign with the recovered api_sign algorithm.
Now when a parameter is modified and the request replayed, the plugin automatically updates the api_sign value in the URL (PS: for the two screenshots at this point the author used an arbitrary test site and added the URL parameters by hand; take them as illustrative only).
The updated api_sign can be checked in the console; from here on, request parameters can be modified for security testing without being limited by the signature protection.
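As an added, self-contained example (not the project's plugin code, which needs the Burp extender jar), this recomputes api_sign from a raw query string exactly as steps 5 to 8 recovered it. app_key, app_pwd and both literal salts are the values shown above; lowercase hex output and the absence of URL-decoding before signing are assumptions. Because every input to the hash, the "secret" included, lives in the client JS, the check only catches accidental modification, not a tester or attacker who controls the client.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

public class ApiSign {
    // Constants recovered from the client JS in steps 6 and 7 of the case above.
    static final String APP_KEY = "f6aefd6691f04573bdf9e044137372bc";
    static final String APP_PWD = "72e78efefe6b4577a1f7afbca56b6e28993c06ea4bb84cde8dd70e582dbc76cb";

    // Steps 5-7: drop any existing api_sign, sort the remaining parameters by name (TreeMap),
    // rejoin them as c and wrap c with the two literal salts. Values are signed as they appear
    // on the wire; the page does not show any URL-decoding before signing (assumption).
    static String signInput(String query) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (!kv[0].isEmpty() && !kv[0].equals("api_sign")) sorted.put(kv[0], kv.length > 1 ? kv[1] : "");
        }
        StringBuilder c = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (c.length() > 0) c.append('&');
            c.append(e.getKey()).append('=').append(e.getValue());
        }
        return APP_KEY + "Oic" + APP_PWD + "QeeeS99u3d" + c + APP_KEY + APP_PWD;
    }

    // Step 8: api_sign is the MD5 of that string (lowercase hex assumed, as browser md5 libraries emit).
    static String apiSign(String query) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(signInput(query).getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, digest));
    }

    // What the plugin does in processHttpMessage: remove the stale api_sign from the (possibly
    // modified) query and append a freshly computed one, so the server-side check passes again.
    static String resign(String query) throws Exception {
        String stripped = query.replaceAll("(^|&)api_sign=[^&]*", "").replaceFirst("^&", "");
        return stripped + "&api_sign=" + apiSign(stripped);
    }

    public static void main(String[] args) throws Exception {
        // Query from step 4 with icon_type changed to 11 (step 2) and a stale api_sign placeholder.
        String q = "device_id=069c8db0-af49-11ed-9a08-3b99f11ff116&timestamp=1676725825997"
                + "&session_token=G2de7f3ab78910b46ad8c07d6e25c627&app_key=" + APP_KEY
                + "&icon_type=11&api_sign=STALE";
        System.out.println(signInput(q));  // the step-7 string, now with icon_type sorted in
        System.out.println(resign(q));
    }
}
```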
An H5 application can be accessed normally inside WeChat, but access is restricted when it is opened in a browser.
Change the User-Agent to that of an Android or iOS phone and refresh; the page then loads normally.
Enter an arbitrary card number and capture the request first.
The request body is encrypted.
Change any single ciphertext character, e.g. the first character c to 1, and the server can no longer process the ciphertext.
Use the request parameter encryptData to locate the encryption code: expand the JS file and search for the keyword; click {} to pretty-print the JS for easier reading.
You can see that the first part, the MD5, is built from the original JSON parameters concatenated with the DES key e and then hashed with MD5.
The setDES part is DES encryption in ECB mode with PKCS7 padding, using the key e.
The parameter n is the RSA encryption of the DES key and is a fixed value. Finally the function returns MD5 + splitStr + DES-encrypted parameters + splitStr + RSA-encrypted DES key.
splitStr is a separator used to split apart the ciphertexts produced by the different encryption methods; when the server receives the ciphertext it splits it on splitStr and decrypts each segment in turn.
The ptde function decrypts the ciphertext in the response.
Step into the getDESModeEBC function: it performs DES decryption with the key e and nothing else.
Conclusion:
Request encryption: MD5(original parameters + DES key) + "\u001d" + DES(original parameters) + "\u001d" + RSA(DES key)
Response decryption: decrypt directly with the DES key.
Use a regex to extract the ciphertext between the two \u001d characters.
Use IMessageEditorTab to add a tab in Burp that shows the complete decrypted request: the IMessageEditorTab is filled with the headers plus the decrypted original parameters.
Click the "参数明文" (plaintext parameters) tab to get the complete decrypted request, test the plaintext parameters, and on replay the plugin automatically rebuilds the ciphertext.
For keys that change, a UI can be provided with input fields for the key, the RSA value and other dynamic values.
Finally, the ciphertext in the response also has to be handled. Since the Burp extender API has no notion of parameters for responses, the body can only be obtained through its offset; after decryption the ciphertext is replaced with plaintext and the decrypted response is displayed with IMessageEditorTab.
At this point the original response is still ciphertext, because the client needs to decrypt it; the plaintext in IMessageEditorTab is for display only, to assist security testing, and is not returned to the client.
The ciphertext in encryptData is shown replaced by its plaintext, and from here on the security testing is entirely in plaintext.
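Added example (not the project's code): the request envelope from the conclusion above and the plugin-side parsing of it, in plain JDK Java. The DES key e, the fixed RSA blob n and base64 as the text encoding of the DES output are placeholders and assumptions, since the page does not show them; a response body is decrypted with the same des(Cipher.DECRYPT_MODE, ...) call. The parser rechecks the leading MD5 so that a mis-split or corrupted envelope is rejected instead of being displayed as plaintext.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class EncryptData {
    static final String SPLIT = "\u001d";  // splitStr found in the JS
    // Assumptions not on the page: the DES key e (8-byte placeholder), the RSA-encrypted
    // key blob n (fixed, opaque to the plugin) and base64 as the ciphertext text encoding.
    static final String DES_KEY = "PLCHLDR8";
    static final String RSA_BLOB = "RSA_OF_DES_KEY_PLACEHOLDER";

    // setDES / getDESModeEBC: single DES, ECB, PKCS7 padding (JCE names it PKCS5Padding).
    static byte[] des(int mode, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(mode, new SecretKeySpec(DES_KEY.getBytes(StandardCharsets.UTF_8), "DES"));
        return c.doFinal(data);
    }

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    // Request: MD5(params + key) + splitStr + DES(params) + splitStr + RSA(key)
    static String seal(String jsonParams) throws Exception {
        byte[] ct = des(Cipher.ENCRYPT_MODE, jsonParams.getBytes(StandardCharsets.UTF_8));
        return md5Hex(jsonParams + DES_KEY) + SPLIT + Base64.getEncoder().encodeToString(ct) + SPLIT + RSA_BLOB;
    }

    // Plugin side: take the segment between the two \u001d, DES-decrypt it, then recheck the
    // leading MD5 so a mis-split or corrupted envelope is rejected instead of shown as plaintext.
    static String open(String envelope) throws Exception {
        String[] parts = envelope.split(SPLIT, -1);
        if (parts.length != 3) throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        byte[] pt = des(Cipher.DECRYPT_MODE, Base64.getDecoder().decode(parts[1]));
        String plain = new String(pt, StandardCharsets.UTF_8);
        if (!md5Hex(plain + DES_KEY).equals(parts[0])) throw new IllegalStateException("MD5 mismatch");
        return plain;
    }

    public static void main(String[] args) throws Exception {
        String params = "{\"cardNo\":\"6222000000000000\"}";  // constructed sample request
        String sealed = seal(params);
        System.out.println(sealed.replace(SPLIT, "<GS>"));  // make the separator visible
        System.out.println(open(sealed));
    }
}
```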
This is also a bonus that request encryption hands to security testers. Encryption has one advantage: it is naturally immune to WAFs and similar situational-awareness devices, it comes with bypass built in:
A plaintext payload is recognized by the WAF.
Once encrypted, the WAF can no longer recognize it, so recovering the encryption algorithm indirectly bypasses the WAF (however, besides the upstream WAF, the application itself also validates its parameters).
Therefore semi-automated testing can be done together with a scanner (logic flaws still need manual testing); the diagram is as follows.
3. This switch controls whether plaintext requests are encrypted. When working with Xray, Xray needs plaintext requests, so with the switch on, plaintext requests replayed from burpA are not encrypted but handed to Xray directly for payload construction.
6. Copy the plugin code and package it as a second plugin dedicated to the Xray integration. No other code changes; only the processHttpMessage method in BurpExtender.java is modified: handle only HTTP traffic passing through Proxy, and do two things: encrypt the request body and decrypt the response body.
7. Start Xray listening on 127.0.0.1:7777 and replay the plaintext request in burpA's Repeater.
8. Xray receives burpA's plaintext request, constructs payloads on the plaintext request and starts scanning; the Xray log shows that the WAF was not triggered.
Scanning the original request directly triggers a WAF block.
9. burpB receives Xray's plaintext request, encrypts the body containing the payload and forwards it to the server; the scanner works normally.
11. burpB decrypts the ciphertext body of the response and returns it to Xray; the status code and response show that the WAF was not triggered, and Xray judges from the plaintext response whether a vulnerability exists.