小程序渗透测试：反编译、数据解密与sign绕过技术详解<\/h1>

一、前言<\/h2>
本文详细记录了一次针对微信小程序的渗透测试过程，涵盖小程序反编译、AES数据解密和sign值绕过等关键技术点。通过本教程，您将学习到如何对加密的小程序进行安全测试。<\/p>

二、小程序反编译技术<\/h2>

2.1 获取小程序包文件<\/h3>

定位小程序存储目录<\/strong>：<\/p>

路径：C:\Users\xxx\Documents\WeChat Files\Applet<\/code><\/li>
建议测试时只保留目标小程序相关目录，避免混淆<\/li> <\/ul> <\/li>
获取__APP__.wxapkg文件<\/strong>：<\/p> 在小程序目录下查找此文件，这是小程序的包文件<\/li> <\/ul> <\/li> <\/ol> 2.2 解密与反编译工具链<\/h3> 使用UnpackMiniApp.exe解密<\/strong>：<\/p> 输入：原始__APP__.wxapkg文件<\/li> 输出：解密后的wxapkg文件<\/li> <\/ul> <\/li> 使用wxapkgconvertor.exe反编译<\/strong>：<\/p> 将解密后的wxapkg文件拖入此工具<\/li> 输出：生成包含源码的文件夹<\/li> <\/ul> <\/li> 使用微信开发者工具查看源码<\/strong>：<\/p> 打开生成的文件夹，分析小程序逻辑<\/li> <\/ul> <\/li> <\/ol> 三、AES数据解密分析<\/h2> 3.1 定位加密函数<\/h3> 全局搜索"AES"关键字<\/li> 查找解密函数（通常命名为decryptByAes等）<\/li> <\/ol> 3.2 解密函数分析<\/h3> 典型的AES解密函数特征：<\/p> 使用CBC模式<\/li> PKCS7填充<\/li> 需要三个参数：密文(encryptedData)<\/li> 密钥(sessionKey)<\/li> 初始化向量(iv)<\/li> <\/ul> <\/li> <\/ul> 3.3 密钥获取方式<\/h3> 硬编码密钥<\/strong>：直接在源码中查找<\/li> 动态生成密钥<\/strong>：分析密钥生成逻辑<\/li> <\/ol> 3.4 Python解密脚本示例<\/h3> from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> unpad <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> decrypt_aes<\/span>(encrypted_data, session_key, iv): <\/span><\/span> # Base64解码<\/span> <\/span><\/span> encrypted_data =<\/span> base64.<\/span>b64decode(encrypted_data) <\/span><\/span> session_key =<\/span> base64.<\/span>b64decode(session_key) <\/span><\/span> iv =<\/span> base64.<\/span>b64decode(iv) <\/span><\/span> <\/span><\/span> # 创建AES解密器<\/span> <\/span><\/span> cipher =<\/span> AES.<\/span>new(session_key, AES.<\/span>MODE_CBC, iv) <\/span><\/span> <\/span><\/span> # 解密并去除填充<\/span> <\/span><\/span> decrypted =<\/span> unpad(cipher.<\/span>decrypt(encrypted_data), AES.<\/span>block_size) <\/span><\/span> <\/span><\/span> return<\/span> decrypted.<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span># 示例使用<\/span> <\/span><\/span>encrypted_data =<\/span> "..."<\/span> # 抓取的加密数据<\/span> <\/span><\/span>session_key =<\/span> "..."<\/span> # 获取的session_key<\/span> <\/span><\/span>iv =<\/span> "..."<\/span> # 获取的iv值<\/span> <\/span><\/span> <\/span><\/span>plaintext =<\/span> decrypt_aes(encrypted_data, session_key, iv) <\/span><\/span>print(plaintext) <\/span><\/span><\/code><\/pre>四、sign值绕过技术<\/h2> 4.1 sign值校验原理<\/h3> 通常为MD5哈希值<\/li> 由请求参数按特定规则组合后哈希生成<\/li> 用于防止参数篡改<\/li> <\/ol> 4.2 分析sign生成逻辑<\/h3> 定位sign生成函数<\/strong>：<\/p> 全局搜索"sign"或"setsigntrue"等关键字<\/li> 常见函数特征：接收多个参数，返回MD5值<\/li> <\/ul> <\/li> 典型sign生成流程<\/strong>：<\/p> function<\/span> setsigntrue<\/span>(t<\/span>, n<\/span> =<\/span> {}, r<\/span> =<\/span> ""<\/span>, a<\/span> =<\/span> ""<\/span>) { <\/span><\/span> \/\/ 1. 合并参数 <\/span><\/span><\/span><\/span> let<\/span> s<\/span> =<\/span> Object.assign<\/span>({}, t<\/span>, n<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 2. 按键名排序 <\/span><\/span><\/span><\/span> s<\/span> =<\/span> objKeySort<\/span>(s<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 3. 拼接键值对 <\/span><\/span><\/span><\/span> let<\/span> i<\/span> =<\/span> ""<\/span>; <\/span><\/span> for<\/span>(let<\/span> key<\/span> in<\/span> s<\/span>) { <\/span><\/span> i<\/span> +=<\/span> `<\/span>${<\/span>key<\/span>}<\/span>=<\/span>${<\/span>s<\/span>[key<\/span>]}<\/span>`<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 4. 添加额外字符串 <\/span><\/span><\/span><\/span> i<\/span> +=<\/span> r<\/span> +<\/span> a<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 5. MD5哈希并转大写 <\/span><\/span><\/span><\/span> return<\/span> md5<\/span>(i<\/span>).toUpperCase<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 构造sign绕过步骤<\/h3> 修改目标参数（如手机号）<\/li> 按照原始sign生成规则重新计算sign<\/li> 替换请求中的sign值<\/li> <\/ol> 4.4 Python sign生成脚本示例<\/h3> import<\/span> hashlib <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(params, extra_params=<\/span>{}, r=<\/span>""<\/span>, a=<\/span>""<\/span>): <\/span><\/span> # 合并参数<\/span> <\/span><\/span> merged =<\/span> {**<\/span>params, **<\/span>extra_params} <\/span><\/span> <\/span><\/span> # 按键名排序<\/span> <\/span><\/span> sorted_keys =<\/span> sorted(merged.<\/span>keys()) <\/span><\/span> sorted_params =<\/span> {k: merged[k] for<\/span> k in<\/span> sorted_keys} <\/span><\/span> <\/span><\/span> # 拼接键值对<\/span> <\/span><\/span> sign_str =<\/span> ""<\/span> <\/span><\/span> for<\/span> k, v in<\/span> sorted_params.<\/span>items(): <\/span><\/span> sign_str +=<\/span> f<\/span>"<\/span>{<\/span>k}<\/span>=<\/span>{<\/span>v}<\/span>"<\/span> <\/span><\/span> <\/span><\/span> # 添加额外字符串<\/span> <\/span><\/span> sign_str +=<\/span> r +<\/span> a <\/span><\/span> <\/span><\/span> # MD5哈希并转大写<\/span> <\/span><\/span> return<\/span> hashlib.<\/span>md5(sign_str.<\/span>encode()).<\/span>hexdigest().<\/span>upper() <\/span><\/span> <\/span><\/span># 示例使用<\/span> <\/span><\/span>original_params =<\/span> { <\/span><\/span> "phone"<\/span>: "13800138000"<\/span>, <\/span><\/span> "timestamp"<\/span>: "1234567890"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span># 修改手机号<\/span> <\/span><\/span>modified_params =<\/span> original_params.<\/span>copy() <\/span><\/span>modified_params["phone"<\/span>] =<\/span> "任意手机号"<\/span> <\/span><\/span> <\/span><\/span># 生成新sign<\/span> <\/span><\/span>new_sign =<\/span> generate_sign(modified_params, r=<\/span>"固定值"<\/span>, a=<\/span>"固定值"<\/span>) <\/span><\/span>print(new_sign) <\/span><\/span><\/code><\/pre>五、完整渗透测试流程<\/h2> 抓取登录数据包<\/strong><\/p> 使用抓包工具获取加密的登录请求<\/li> 记录所有参数，特别是encryptedData、sessionKey、iv和sign<\/li> <\/ul> <\/li> 解密数据<\/strong><\/p> 使用获取的sessionKey和iv解密encryptedData<\/li> 验证解密结果是否包含敏感信息（如手机号）<\/li> <\/ul> <\/li> 修改参数<\/strong><\/p> 修改目标参数（如改为任意手机号）<\/li> 重新加密修改后的数据（如果需要）<\/li> <\/ul> <\/li> 重新计算sign<\/strong><\/p> 分析原始sign生成规则<\/li> 按照相同规则计算新sign值<\/li> <\/ul> <\/li> 构造并发送恶意请求<\/strong><\/p> 替换原始请求中的参数和sign值<\/li> 验证是否绕过校验<\/li> <\/ul> <\/li> <\/ol> 六、防御建议<\/h2> 针对反编译<\/strong>：<\/p> 使用代码混淆技术<\/li> 核心逻辑放在服务端<\/li> 定期更新包结构<\/li> <\/ul> <\/li> 针对数据加密<\/strong>：<\/p> 避免硬编码密钥<\/li> 使用动态密钥生成方案<\/li> 定期更换密钥<\/li> <\/ul> <\/li> 针对sign绕过<\/strong>：<\/p> 增加时效性校验（timestamp+nonce）<\/li> 使用更复杂的签名算法（如HMAC-SHA256）<\/li> 关键操作增加二次验证<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> 本教程详细介绍了微信小程序渗透测试的三个关键技术点：反编译获取源码、分析解密加密数据、绕过sign校验。掌握这些技术有助于全面评估小程序的安全性，同时也提醒开发者加强安全防护措施。<\/p>

小程序渗透测试：反编译、数据解密与sign绕过技术详解<\/h1>

一、前言<\/h2> 本文详细记录了一次针对微信小程序的渗透测试过程，涵盖小程序反编译、AES数据解密和sign值绕过等关键技术点。通过本教程，您将学习到如何对加密的小程序进行安全测试。<\/p>

二、小程序反编译技术<\/h2>

三、AES数据解密分析<\/h2>

四、sign值绕过技术<\/h2>

七、总结<\/h2> 本教程详细介绍了微信小程序渗透测试的三个关键技术点：反编译获取源码、分析解密加密数据、绕过sign校验。掌握这些技术有助于全面评估小程序的安全性，同时也提醒开发者加强安全防护措施。<\/p>

一、前言<\/h2>
本文详细记录了一次针对微信小程序的渗透测试过程，涵盖小程序反编译、AES数据解密和sign值绕过等关键技术点。通过本教程，您将学习到如何对加密的小程序进行安全测试。<\/p>

七、总结<\/h2>
本教程详细介绍了微信小程序渗透测试的三个关键技术点：反编译获取源码、分析解密加密数据、绕过sign校验。掌握这些技术有助于全面评估小程序的安全性，同时也提醒开发者加强安全防护措施。<\/p>