前端加解密对抗实战教学文档<\/h1>

1. 前言与工具准备<\/h2>

1.1 项目背景<\/h3>

项目地址<\/strong>: https:\/\/github.com\/SwagXz\/encrypt-labs<\/li>
作者<\/strong>: SwagXz<\/li>

目标<\/strong>: 提供8种常见前端加密方式的实战练习环境，包括AES、DES、RSA等加密方式以及签名、防重放等安全机制<\/li> <\/ul>
1.2 测试环境<\/h3>

混淆版地址<\/strong>: http:\/\/82.156.57.228:43899<\/li>
无混淆版地址<\/strong>: http:\/\/82.156.57.228:43899\/easy.php<\/li>
默认凭证<\/strong>: admin\/123456<\/li> <\/ul>
1.3 必备工具<\/h3>

Burp插件<\/strong>: autoDecoder (https:\/\/github.com\/f0ng\/autoDecoder)

支持AES、DES、SM4、SM2、RSA等加密方式<\/li> <\/ul> <\/li>
浏览器插件<\/strong>: Ctool (https:\/\/ctool.dev\/)

提供更全面的加解密功能验证<\/li> <\/ul> <\/li> <\/ol>
2. 加密方式分析与对抗技术<\/h2>
2.1 第一关: AES固定Key加密<\/h3>
加密分析<\/h4>

加密参数<\/strong>: encryptedData<\/code><\/li>
加密方式<\/strong>: AES-CBC模式，PKCS7填充<\/li>
Key<\/strong>: 1234567890123456<\/code><\/li>
IV<\/strong>: 1234567890123456<\/code><\/li> <\/ul> 对抗方法<\/h4> 定位加密函数<\/strong>:<\/li> <\/ol> function<\/span> sendDataAes<\/span>(url<\/span>) { <\/span><\/span> const<\/span> formData<\/span> =<\/span> { <\/span><\/span> username<\/span>:<\/span> document.getElementById<\/span>("username"<\/span>).value<\/span>, <\/span><\/span> password<\/span>:<\/span> document.getElementById<\/span>("password"<\/span>).value<\/span> <\/span><\/span> }; <\/span><\/span> const<\/span> jsonData<\/span> =<\/span> JSON<\/span>.stringify<\/span>(formData<\/span>); <\/span><\/span> const<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234567890123456"<\/span>); <\/span><\/span> const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234567890123456"<\/span>); <\/span><\/span> const<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(jsonData<\/span>, key<\/span>, { <\/span><\/span> iv<\/span>:<\/span> iv<\/span>, <\/span><\/span> mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, <\/span><\/span> padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> <\/span><\/span> }).toString<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre> autoDecoder配置<\/strong>: Key: 1234567890123456<\/code><\/li> IV: 1234567890123456<\/code><\/li> 正则表达式: encryptedData=([^&]+)<\/code><\/li> <\/ul> <\/li> <\/ol> 2.2 第二关: AES服务端动态Key<\/h3> 加密分析<\/h4> 特点<\/strong>: 先请求获取Key\/IV，再发送加密数据<\/li> Key\/IV有效期<\/strong>: 客户端与服务端连接期间不变<\/li> <\/ul> 对抗方法<\/h4> 先获取服务端返回的Key\/IV<\/li> 使用获取的Key\/IV配置autoDecoder<\/li> 保持会话不中断可重复使用同一Key\/IV<\/li> <\/ol> 2.3 第三关: RSA加密<\/h3> 加密分析<\/h4> 加密参数<\/strong>: data<\/code><\/li> 公钥<\/strong>:<\/li> <\/ul> -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRvA7giwinEkaTYllDYCkzujvi NH+up0XAKXQot8RixKGpB7nr8AdidEvuo+wVCxZwDK3hlcRGrrqt0Gxqwc11btlM DSj92Mr3xSaJcshZU8kfj325L8DRh9jpruphHBfh955ihvbednGAvOHOrz3Qy3Cb ocDbsNeCwNpRxwjIdQIDAQAB -----END PUBLIC KEY----- <\/code><\/pre> 对抗方法<\/h4> 定位加密函数<\/strong>:<\/li> <\/ol> const<\/span> encrypted<\/span> =<\/span> jsEncrypt<\/span>.encrypt<\/span>(data<\/span>.toString<\/span>()); <\/span><\/span><\/code><\/pre> autoDecoder配置<\/strong>: 使用公钥进行加密<\/li> 无法解密(无私钥)<\/li> 可构造相同加密数据重放<\/li> <\/ul> <\/li> <\/ol> 2.4 第四关: AES+RSA混合加密<\/h3> 加密分析<\/h4> 流程<\/strong>: 生成随机16位AES Key和IV<\/li> 用AES加密表单数据<\/li> 用RSA加密AES Key和IV<\/li> 发送encryptedData<\/code>(AES加密数据)、encryptedKey<\/code>和encryptedIv<\/code><\/li> <\/ol> <\/li> <\/ul> 对抗方法<\/h4> 修改JS固定Key\/IV<\/strong>:<\/li> <\/ol> \/\/ 修改前 <\/span><\/span><\/span><\/span>const<\/span> key<\/span> =<\/span> CryptoJS<\/span>.lib<\/span>.WordArray<\/span>.random<\/span>(16<\/span>); <\/span><\/span>const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.lib<\/span>.WordArray<\/span>.random<\/span>(16<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 修改后 <\/span><\/span><\/span><\/span>const<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234567890123456"<\/span>); <\/span><\/span>const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234567890123456"<\/span>); <\/span><\/span><\/code><\/pre> 使用固定Key\/IV生成encryptedData<\/code><\/li> 可忽略encryptedKey<\/code>和encryptedIv<\/code>的修改<\/li> <\/ol> 2.5 第五关: DES规律Key<\/h3> 加密分析<\/h4> 加密参数<\/strong>: 仅password<\/code><\/li> Key规则<\/strong>: username补足8位(不足补6)<\/li> IV规则<\/strong>: "9999"+username前4位<\/li> 示例<\/strong>: username: admin<\/li> Key: admin666<\/li> IV: 9999admi<\/li> <\/ul> <\/li> <\/ul> 对抗方法<\/h4> 定位加密函数<\/strong>:<\/li> <\/ol> const<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(username<\/span>.padEnd<\/span>(8<\/span>, '6'<\/span>)); <\/span><\/span>const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>('9999'<\/span> +<\/span> username<\/span>.slice<\/span>(0<\/span>, 4<\/span>)); <\/span><\/span><\/code><\/pre> autoDecoder配置<\/strong>: 根据username动态生成Key\/IV<\/li> <\/ul> <\/li> <\/ol> 2.6 第六关: 明文加签(HMAC-SHA256)<\/h3> 签名分析<\/h4> 参数<\/strong>: nonce<\/code>(随机10位), timestamp<\/code>, signature<\/code><\/li> 签名算法<\/strong>:<\/li> <\/ul> const<\/span> dataToSign<\/span> =<\/span> username<\/span> +<\/span> password<\/span> +<\/span> nonce<\/span> +<\/span> timestamp<\/span>; <\/span><\/span>const<\/span> signature<\/span> =<\/span> CryptoJS<\/span>.HmacSHA256<\/span>(dataToSign<\/span>, secretKey<\/span>).toString<\/span>(CryptoJS<\/span>.enc<\/span>.Hex<\/span>); <\/span><\/span><\/code><\/pre> secretKey<\/strong>: be56e057f20f883e<\/code><\/li> <\/ul> 对抗方法<\/h4> Python发包脚本<\/strong>:<\/li> <\/ol> import<\/span> hmac <\/span><\/span>import<\/span> hashlib <\/span><\/span> <\/span><\/span>def<\/span> generate_signature<\/span>(username, password, nonce, timestamp, secret_key): <\/span><\/span> data_to_sign =<\/span> username +<\/span> password +<\/span> nonce +<\/span> str(timestamp) <\/span><\/span> h =<\/span> hmac.<\/span>new(secret_key.<\/span>encode('utf-8'<\/span>), digestmod=<\/span>hashlib.<\/span>sha256) <\/span><\/span> h.<\/span>update(data_to_sign.<\/span>encode('utf-8'<\/span>)) <\/span><\/span> return<\/span> h.<\/span>hexdigest() <\/span><\/span><\/code><\/pre> 固定nonce<\/strong>可重复使用签名<\/li> <\/ol> 2.7 第七关: 服务端动态签名Key<\/h3> 特点<\/h4> 先请求获取签名Key<\/li> 使用获取的Key生成签名<\/li> 发送登录请求时携带签名<\/li> <\/ol> 对抗方法<\/h4> 实现两阶段请求: 第一阶段获取签名Key<\/li> 第二阶段使用Key生成签名并发送<\/li> <\/ul> <\/li> 爆破时需要每次获取新Key<\/li> <\/ol> 2.8 第八关: 防重放机制<\/h3> 加密分析<\/h4> 参数<\/strong>: random<\/code>(加密时间戳)<\/li> 加密方式<\/strong>: RSA加密当前时间戳<\/li> 防重放<\/strong>: 服务端检查时间戳唯一性<\/li> <\/ul> 对抗方法<\/h4> Python实现<\/strong>:<\/li> <\/ol> def<\/span> rsa_encrypt<\/span>(data, public_key): <\/span><\/span> key =<\/span> RSA.<\/span>import_key(public_key) <\/span><\/span> cipher =<\/span> PKCS1_v1_5.<\/span>new(key) <\/span><\/span> encrypted_data =<\/span> cipher.<\/span>encrypt(data.<\/span>encode('utf-8'<\/span>)) <\/span><\/span> return<\/span> b64encode(encrypted_data).<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>timestamp =<\/span> str(int(round(time.<\/span>time() *<\/span> 1000<\/span>))) <\/span><\/span>random =<\/span> rsa_encrypt(timestamp, public_key) <\/span><\/span><\/code><\/pre> 每次请求生成新的时间戳加密值<\/li> <\/ol> 3. 总结与实战建议<\/h2> 3.1 通用分析流程<\/h3> 抓包定位加密参数<\/li> 在JS中下断点分析加密逻辑<\/li> 确定加密算法和关键参数(Key\/IV等)<\/li> 选择对抗方法: 修改JS固定加密参数<\/li> 使用工具自动加解密<\/li> 编写自定义发包脚本<\/li> <\/ul> <\/li> <\/ol> 3.2 不同加密方式的对抗策略<\/h3> 加密类型<\/th> 关键特征<\/th> 对抗方法<\/th> <\/tr> <\/thead> AES固定Key<\/td> 硬编码Key\/IV<\/td> 直接使用固定Key解密<\/td> <\/tr> AES动态Key<\/td> 先获取Key再加密<\/td> 保持会话重用Key<\/td> <\/tr> RSA<\/td> 非对称加密，只有公钥<\/td> 构造相同加密数据重放<\/td> <\/tr> 混合加密<\/td> AES+RSA组合<\/td> 固定AES Key或Hook加密过程<\/td> <\/tr> 规律Key<\/td> 根据输入生成Key<\/td> 分析生成规则动态计算<\/td> <\/tr> 加签<\/td> 参数+签名<\/td> 重现签名算法<\/td> <\/tr> 防重放<\/td> 唯一性校验<\/td> 保证每次请求参数唯一<\/td> <\/tr> <\/tbody> <\/table> 3.3 进阶技巧<\/h3> JS Hook<\/strong>: 覆盖加密函数获取明文<\/li> 反混淆<\/strong>: 对于混淆代码使用AST解析<\/li> 自动化<\/strong>: 将分析过程整合到自动化测试工具<\/li> 动态调试<\/strong>: 结合浏览器开发者工具动态修改运行时代码<\/li> <\/ol> 通过系统掌握这些加密方式和对抗技术，可以有效提升在前端加密场景下的渗透测试能力。<\/p>

加密类型<\/th>	关键特征<\/th>	对抗方法<\/th> <\/tr> <\/thead>
AES固定Key<\/td>	硬编码Key\/IV<\/td>	直接使用固定Key解密<\/td> <\/tr>
AES动态Key<\/td>	先获取Key再加密<\/td>	保持会话重用Key<\/td> <\/tr>
RSA<\/td>	非对称加密，只有公钥<\/td>	构造相同加密数据重放<\/td> <\/tr>
混合加密<\/td>	AES+RSA组合<\/td>	固定AES Key或Hook加密过程<\/td> <\/tr>
规律Key<\/td>	根据输入生成Key<\/td>	分析生成规则动态计算<\/td> <\/tr>
加签<\/td>	参数+签名<\/td>	重现签名算法<\/td> <\/tr>
防重放<\/td>	唯一性校验<\/td>	保证每次请求参数唯一<\/td> <\/tr> <\/tbody> <\/table> 3.3 进阶技巧<\/h3> JS Hook<\/strong>: 覆盖加密函数获取明文<\/li> 反混淆<\/strong>: 对于混淆代码使用AST解析<\/li> 自动化<\/strong>: 将分析过程整合到自动化测试工具<\/li> 动态调试<\/strong>: 结合浏览器开发者工具动态修改运行时代码<\/li> <\/ol> 通过系统掌握这些加密方式和对抗技术，可以有效提升在前端加密场景下的渗透测试能力。<\/p>