前端加密分析与验证码爆破实战教学<\/h1>

1. 加密分析基础<\/h2>

1.1 加密流量识别<\/h3>
全流量加密特征：无法直接判断传输的具体参数<\/li>
关键搜索词：
encrypt<\/code>、decrypt<\/code>、cipher<\/code>等加密相关术语<\/li>
<\/ul>
1.2 加密算法识别方法<\/h3>

全局搜索加密参数名称<\/li>
逆向调试查找加密逻辑<\/li>
分析前端JavaScript代码<\/li>
<\/ol>
2. 加密算法分析<\/h2>
2.1 AES-ECB加密<\/h3>
function<\/span> i<\/span>(e<\/span>) {
<\/span><\/span>  if<\/span> (""<\/span> ===<\/span> e<\/span>) return<\/span> e<\/span>;
<\/span><\/span>  var<\/span> t<\/span> =<\/span> a<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(e<\/span>),
<\/span><\/span>  n<\/span> =<\/span> a<\/span>.AES<\/span>.encrypt<\/span>(t<\/span>, a<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("19RMSFORECAST123"<\/span>), {
<\/span><\/span>    mode<\/span>:<\/span> a<\/span>.mode<\/span>.ECB<\/span>,
<\/span><\/span>    padding<\/span>:<\/span> a<\/span>.pad<\/span>.Pkcs7<\/span>
<\/span><\/span>  });
<\/span><\/span>  return<\/span> n<\/span>.ciphertext<\/span>.toString<\/span>()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键参数：<\/strong><\/p>

密钥："19RMSFORECAST123"<\/code>（硬编码）<\/li>
模式：ECB（电子密码本模式）<\/li>
填充：PKCS7<\/li>
<\/ul>
2.2 AES-CBC加密<\/h3>
function<\/span> s<\/span>(e<\/span>) {
<\/span><\/span>  var<\/span> t<\/span> =<\/span> a<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(a<\/span>.MD5<\/span>("jQaTs$K6Vnb9#nNp"<\/span>).toString<\/span>()),
<\/span><\/span>  n<\/span> =<\/span> a<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(a<\/span>.MD5<\/span>("QIBlGu3dwO#7geJm"<\/span>).toString<\/span>().substr<\/span>(0<\/span>, 16<\/span>));
<\/span><\/span>  if<\/span> (""<\/span> ===<\/span> e<\/span>) return<\/span> e<\/span>;
<\/span><\/span>  var<\/span> i<\/span> =<\/span> a<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(e<\/span>),
<\/span><\/span>  s<\/span> =<\/span> a<\/span>.AES<\/span>.encrypt<\/span>(i<\/span>, t<\/span>, {
<\/span><\/span>    iv<\/span>:<\/span> n<\/span>,
<\/span><\/span>    mode<\/span>:<\/span> a<\/span>.mode<\/span>.CBC<\/span>,
<\/span><\/span>    padding<\/span>:<\/span> a<\/span>.pad<\/span>.Pkcs7<\/span>
<\/span><\/span>  });
<\/span><\/span>  return<\/span> s<\/span>.ciphertext<\/span>.toString<\/span>().toUpperCase<\/span>()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键参数：<\/strong><\/p>

密钥："jQaTs$K6Vnb9#nNp"<\/code>的MD5哈希值<\/li>
IV（初始化向量）："QIBlGu3dwO#7geJm"<\/code>的MD5哈希值前16字节<\/li>
模式：CBC（密码分组链接模式）<\/li>
填充：PKCS7<\/li>
<\/ul>
3. 加解密脚本实现<\/h2>
3.1 使用CryptoJS库<\/h3>
const<\/span> CryptoJS<\/span> =<\/span> require<\/span>("crypto-js"<\/span>);
<\/span><\/span><\/code><\/pre>3.2 ECB模式加解密<\/h3>
\/\/ 加密函数(ECB模式)
<\/span><\/span><\/span><\/span>function<\/span> encryptECB<\/span>(plaintext<\/span>) {
<\/span><\/span>  if<\/span> (!<\/span>plaintext<\/span>) return<\/span> plaintext<\/span>;
<\/span><\/span>  var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("19RMSFORECAST123"<\/span>);
<\/span><\/span>  var<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(
<\/span><\/span>    CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(plaintext<\/span>),
<\/span><\/span>    key<\/span>,
<\/span><\/span>    { mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.ECB<\/span>, padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> }
<\/span><\/span>  );
<\/span><\/span>  return<\/span> encrypted<\/span>.ciphertext<\/span>.toString<\/span>(); \/\/ 返回十六进制密文
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 解密函数(ECB模式)
<\/span><\/span><\/span><\/span>function<\/span> decryptECB<\/span>(ciphertext<\/span>) {
<\/span><\/span>  if<\/span> (!<\/span>ciphertext<\/span>) return<\/span> ciphertext<\/span>;
<\/span><\/span>  var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("19RMSFORECAST123"<\/span>);
<\/span><\/span>  var<\/span> decrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.decrypt<\/span>(
<\/span><\/span>    { ciphertext<\/span>:<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>(ciphertext<\/span>) },
<\/span><\/span>    key<\/span>,
<\/span><\/span>    { mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.ECB<\/span>, padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> }
<\/span><\/span>  );
<\/span><\/span>  return<\/span> decrypted<\/span>.toString<\/span>(CryptoJS<\/span>.enc<\/span>.Utf8<\/span>); \/\/ 返回解密后的明文
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 CBC模式加解密<\/h3>
\/\/ 加密函数(CBC模式)
<\/span><\/span><\/span><\/span>function<\/span> encryptCBC<\/span>(plaintext<\/span>) {
<\/span><\/span>  if<\/span> (!<\/span>plaintext<\/span>) return<\/span> plaintext<\/span>;
<\/span><\/span>  var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(
<\/span><\/span>    CryptoJS<\/span>.MD5<\/span>("jQaTs$K6Vnb9#nNp"<\/span>).toString<\/span>()
<\/span><\/span>  );
<\/span><\/span>  var<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(
<\/span><\/span>    CryptoJS<\/span>.MD5<\/span>("QIBlGu3dwO#7geJm"<\/span>).toString<\/span>().substr<\/span>(0<\/span>, 16<\/span>)
<\/span><\/span>  );
<\/span><\/span>  var<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(
<\/span><\/span>    CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(plaintext<\/span>),
<\/span><\/span>    key<\/span>,
<\/span><\/span>    { iv<\/span>:<\/span> iv<\/span>, mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> }
<\/span><\/span>  );
<\/span><\/span>  return<\/span> encrypted<\/span>.ciphertext<\/span>.toString<\/span>().toUpperCase<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 解密函数(CBC模式)
<\/span><\/span><\/span><\/span>function<\/span> decryptCBC<\/span>(ciphertext<\/span>) {
<\/span><\/span>  if<\/span> (!<\/span>ciphertext<\/span>) return<\/span> ciphertext<\/span>;
<\/span><\/span>  var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(
<\/span><\/span>    CryptoJS<\/span>.MD5<\/span>("jQaTs$K6Vnb9#nNp"<\/span>).toString<\/span>()
<\/span><\/span>  );
<\/span><\/span>  var<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(
<\/span><\/span>    CryptoJS<\/span>.MD5<\/span>("QIBlGu3dwO#7geJm"<\/span>).toString<\/span>().substr<\/span>(0<\/span>, 16<\/span>)
<\/span><\/span>  );
<\/span><\/span>  var<\/span> decrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.decrypt<\/span>(
<\/span><\/span>    { ciphertext<\/span>:<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>(ciphertext<\/span>) },
<\/span><\/span>    key<\/span>,
<\/span><\/span>    { iv<\/span>:<\/span> iv<\/span>, mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> }
<\/span><\/span>  );
<\/span><\/span>  return<\/span> decrypted<\/span>.toString<\/span>(CryptoJS<\/span>.enc<\/span>.Utf8<\/span>); \/\/ 返回解密后的明文
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 登录参数分析<\/h2>
4.1 解密后参数<\/h3>

userid<\/code> - 用户名\/用户ID<\/li>
password<\/code> - 密码<\/li>
mfacode<\/code> - 多因素认证码（爆破目标）<\/li>
type<\/code> - 用户权限类型（可能的越权测试点）<\/li>
<\/ol>
4.2 三重验证机制<\/h3>

用户名密码验证<\/li>
图形验证码<\/li>
登录验证码（mfacode）<\/li>
<\/ol>
5. 验证码爆破实战<\/h2>
5.1 爆破准备<\/h3>

使用脚本生成加密后的密码本<\/li>
准备Burp Suite工具<\/li>
<\/ol>
5.2 爆破步骤<\/h3>

拦截登录请求<\/li>
对mfacode<\/code>参数进行爆破<\/li>
分析响应判断成功登录<\/li>
<\/ol>
5.3 安全风险升级<\/h3>

如果系统仅使用用户名+登录验证码（无密码验证），风险将升级为任意用户登录<\/li>
<\/ul>
6. 防御建议<\/h2>
6.1 开发者防护措施<\/h3>

避免硬编码密钥和IV<\/li>
使用动态生成的密钥<\/li>
实现服务端加密<\/li>
增加请求频率限制<\/li>
使用更复杂的多因素认证机制<\/li>
<\/ol>
6.2 渗透测试要点<\/h3>

检查加密参数是否可预测<\/li>
验证密钥是否可逆向获取<\/li>
测试验证码是否可爆破<\/li>
检查权限参数是否可越权修改<\/li>
<\/ol>
7. 总结<\/h2>
本案例展示了如何通过分析前端加密算法、实现加解密脚本，并利用已知加密机制对验证码进行爆破的全过程。关键在于：<\/p>

准确识别加密算法和参数<\/li>
正确实现加解密过程<\/li>
针对薄弱环节（如mfacode）进行定向爆破<\/li>
理解系统安全机制的整体设计缺陷<\/li>
<\/ol>