Flutter框架App渗透测试实战指南<\/h1>

1. 背景介绍<\/h2>
本文记录了一个针对Flutter框架开发的移动应用程序的渗透测试过程。该App最初表现为无法正常抓包，经过一系列分析后发现其使用了深信服SDK进行内网通信。本文将详细讲解整个渗透测试流程，包括遇到的问题、解决方法和最终发现的安全隐患。<\/p>

2. 初始测试环境准备<\/h2>

2.1 代理设置尝试<\/h3>

使用Clash开启全局代理进行抓包测试<\/li>
发现验证码未加载，怀疑App检测代理软件<\/li>

尝试使用Clash透明代理将防火墙转发流量<\/li> <\/ul>

2.2 初步抓包结果<\/h3>

成功抓到数据包但无法正常通信<\/li>
数据包结构异常简单，不像典型App构造的请求<\/li>

关键特征：特殊的User-Agent标识<\/li> <\/ul>

3. Flutter框架识别与分析<\/h2>

3.1 Flutter特征识别<\/h3>

通过User-Agent信息确认是Flutter框架开发的App<\/li>

检查so库特征（如libflutter.so）进一步确认<\/li> <\/ul>

3.2 源码分析挑战<\/h3>

App源码进行了高强度混淆（未加壳但混淆效果显著）<\/li>
尝试关键词搜索（okhttp、libssl.so、JSON等）无果<\/li>

无法找到与Dart发出请求相关的信息<\/li> <\/ul>

4. Flutter抓包解决方案<\/h2>

4.1 SSL Bypass尝试<\/h3>

参考网上Flutter分析文章（如https:\/\/www.ctfiot.com\/217117.html）<\/li>
获取so的ssl bypass hook函数<\/li>

初始hook测试失败<\/li> <\/ul>

4.2 成功解决方案<\/h3>

使用GitHub项目frida-flutterproxy（https:\/\/github.com\/hackcatml\/frida-flutterproxy）<\/li>
该脚本通过SO文件内存解析获取导出地址进行操作<\/li>

成功实现抓包自由<\/li> <\/ul>

5. 内网地址发现与处理<\/h2>

5.1 内网通信发现<\/h3>

抓取的请求目标是内网地址<\/li>
使用mitm将内网地址替换为已知公网地址<\/li>

成功获取验证码并登录系统<\/li> <\/ul>

5.2 WebView请求分析<\/h3>

App核心业务使用内置H5应用<\/li>
WebView发起的请求无法通过Flutter hook捕获<\/li>

使用Frida hook WebView调试功能：<\/li> <\/ul>

Java<\/span>.perform<\/span>(function<\/span> () {
<\/span><\/span>    var<\/span> WebView<\/span> =<\/span> Java<\/span>.use<\/span>('android.webkit.WebView'<\/span>);
<\/span><\/span>    
<\/span><\/span>    WebView<\/span>.$init<\/span>.overload<\/span>('android.content.Context'<\/span>).implementation<\/span> =<\/span> function<\/span> (a<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("WebView.$init is called!1"<\/span>);
<\/span><\/span>        var<\/span> retval<\/span> =<\/span> this<\/span>.$init<\/span>(a<\/span>);
<\/span><\/span>        this<\/span>.setWebContentsDebuggingEnabled<\/span>(true<\/span>);
<\/span><\/span>        return<\/span> retval<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    WebView<\/span>.$init<\/span>.overload<\/span>('android.content.Context'<\/span>, 'android.util.AttributeSet'<\/span>).implementation<\/span> =<\/span> function<\/span> (a<\/span>, b<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("WebView.$init is called!2"<\/span>);
<\/span><\/span>        var<\/span> retval<\/span> =<\/span> this<\/span>.$init<\/span>(a<\/span>, b<\/span>);
<\/span><\/span>        this<\/span>.setWebContentsDebuggingEnabled<\/span>(true<\/span>);
<\/span><\/span>        return<\/span> retval<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    WebView<\/span>.$init<\/span>.overload<\/span>('android.content.Context'<\/span>, 'android.util.AttributeSet'<\/span>, 'int'<\/span>).implementation<\/span> =<\/span> function<\/span> (a<\/span>, b<\/span>, c<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("WebView.$init is called!3"<\/span>);
<\/span><\/span>        var<\/span> retval<\/span> =<\/span> this<\/span>.$init<\/span>(a<\/span>, b<\/span>, c<\/span>);
<\/span><\/span>        this<\/span>.setWebContentsDebuggingEnabled<\/span>(true<\/span>);
<\/span><\/span>        return<\/span> retval<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    WebView<\/span>.setWebContentsDebuggingEnabled<\/span>.implementation<\/span> =<\/span> function<\/span> () {
<\/span><\/span>        this<\/span>.setWebContentsDebuggingEnabled<\/span>(true<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("setWebContentsDebuggingEnabled is called!"<\/span>);
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>6. 深信服SDK分析<\/h2>
6.1 SDK特征识别<\/h3>

请求中存在"SanforidClient"标识<\/li>
App组件包含大量深信服SDK<\/li>
<\/ul>
6.2 认证信息获取<\/h3>

通过分析SDK源码找到认证方法<\/li>
成功获取VPN用户名、密码和服务器地址<\/li>
可成功拨入VPN<\/li>
<\/ul>
7. 技术总结<\/h2>
7.1 抓包失败原因<\/h3>

App使用深信服SDK进行通信<\/li>
流量通过socket或回环接口转发<\/li>
PC无法直接访问内网地址导致抓包后仍无法通信<\/li>
<\/ul>
7.2 Flutter渗透关键点<\/h3>

User-Agent和so库是识别Flutter应用的关键特征<\/li>
高强度源码混淆是常见防护手段<\/li>
需要特殊工具处理Flutter的SSL\/TLS通信<\/li>
<\/ol>
7.3 深信服SDK渗透经验<\/h3>

关注"SanforidClient"等特征字符串<\/li>
检查App中是否内置默认VPN凭证<\/li>
SDK可能提供直接的内网访问通道<\/li>
<\/ul>
8. 防御建议<\/h2>
8.1 对开发者的建议<\/h3>

避免在客户端硬编码内网地址<\/li>
不要内置默认VPN凭证<\/li>
对敏感信息进行有效保护<\/li>
<\/ul>
8.2 对安全人员的建议<\/h3>

收集Flutter应用特征库<\/li>
建立常见SDK的识别方法<\/li>
准备针对不同框架的专用测试工具链<\/li>
<\/ul>
9. 参考资源<\/h2>

Flutter抓包分析文章：https:\/\/www.ctfiot.com\/217117.html<\/li>
frida-flutterproxy项目：https:\/\/github.com\/hackcatml\/frida-flutterproxy<\/li>
Flutter逆向分析工具集<\/li>
<\/ol>

Flutter框架App渗透测试实战指南<\/h1>

2. 初始测试环境准备<\/h2>

3. Flutter框架识别与分析<\/h2>

4. Flutter抓包解决方案<\/h2>

5. 内网地址发现与处理<\/h2>

6. 深信服SDK分析<\/h2>

7. 技术总结<\/h2>

8. 防御建议<\/h2>

9. 参考资源<\/h2> Flutter抓包分析文章：https:\/\/www.ctfiot.com\/217117.html<\/li> frida-flutterproxy项目：https:\/\/github.com\/hackcatml\/frida-flutterproxy<\/li> Flutter逆向分析工具集<\/li> <\/ol>

9. 参考资源<\/h2>

Flutter抓包分析文章：https:\/\/www.ctfiot.com\/217117.html<\/li>
frida-flutterproxy项目：https:\/\/github.com\/hackcatml\/frida-flutterproxy<\/li>
Flutter逆向分析工具集<\/li> <\/ol>