JsRpc + Yakit 热加载解决请求响应体加解密问题<\/h1>

引言<\/h2>
本文介绍如何利用 JsRpc 与 Yakit 热加载技术解决 Web 应用测试中遇到的请求与响应双向加密问题。通过这种方法，测试人员可以彻底摆脱加解密的束缚，实现端到端的明文测试。<\/p>

工具准备<\/h2>

JsRpc 项目地址<\/strong>: https:\/\/github.com\/jxhczhl\/JsRpc<\/li>

Yakit 项目地址<\/strong>: https:\/\/yaklang.com\/products\/download_and_install\/<\/li> <\/ul>
操作步骤<\/h2>
1. 安装并启动 Yakit 靶场<\/h3>
首先需要准备测试环境，Yakit 自带靶场可用于模拟加密场景。<\/p>
2. JsRpc 使用<\/h3>
注入 JS，构建通信环境<\/h4>
将 JsRpc 的 JsEnv_Dev.js 代码(https:\/\/github.com\/jxhczhl\/JsRpc\/blob\/main\/resouces\/JsEnv_Dev.js)复制到浏览器控制台执行，建立 WebSocket 通信环境。<\/p>
远程调用加密函数<\/h4>

编写加密辅助函数<\/strong>:<\/li> <\/ol>
window.myEncrypt<\/span> =<\/span> function<\/span>(data<\/span>) { <\/span><\/span> const<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>("6190987ec48f0394752f09a81ee869a2"<\/span>); <\/span><\/span> const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>("557784509b449b0d67287c1b53571e72"<\/span>); <\/span><\/span> const<\/span> message<\/span> =<\/span> typeof<\/span> data<\/span> ===<\/span> 'object'<\/span> ?<\/span> JSON<\/span>.stringify<\/span>(data<\/span>) :<\/span> data<\/span>; <\/span><\/span> <\/span><\/span> const<\/span> encryptedResultObject<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>( <\/span><\/span> message<\/span>, <\/span><\/span> key<\/span>, <\/span><\/span> { <\/span><\/span> iv<\/span>:<\/span> iv<\/span>, <\/span><\/span> mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, <\/span><\/span> padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> <\/span><\/span> } <\/span><\/span> ); <\/span><\/span> <\/span><\/span> return<\/span> encryptedResultObject<\/span>.toString<\/span>(); <\/span><\/span>}; <\/span><\/span><\/code><\/pre> 注册加密接口<\/strong>:<\/li> <\/ol> var<\/span> demo<\/span> =<\/span> new<\/span> Hlclient<\/span>("ws:\/\/127.0.0.1:12080\/ws?group=encrypt"<\/span>); <\/span><\/span>demo<\/span>.regAction<\/span>("encrypt"<\/span>, function<\/span>(resolve<\/span>, param<\/span>) { <\/span><\/span> var<\/span> params<\/span> =<\/span> atob<\/span>(param<\/span>); <\/span><\/span> esultObject<\/span> =<\/span> eval('('<\/span> +<\/span> params<\/span> +<\/span> ')'<\/span>); <\/span><\/span> resolve<\/span>(myEncrypt<\/span>(esultObject<\/span>)); <\/span><\/span>}); <\/span><\/span><\/code><\/pre> 测试加密接口<\/strong>:<\/li> <\/ol> http:\/\/127.0.0.1:12080\/go?group=encrypt&action=encrypt&param=e3VzZXJuYW1lOiAnYWRtaW4nLCBwYXNzd29yZDonYWRhc2Rmc2RmJ30= <\/code><\/pre> 远程调用解密函数<\/h4> 编写解密辅助函数<\/strong>:<\/li> <\/ol> window.get_decrypt<\/span> =<\/span> function<\/span>(key<\/span>, iv<\/span>, message<\/span>) { <\/span><\/span> const<\/span> decrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.decrypt<\/span>( <\/span><\/span> message<\/span>, <\/span><\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>(key<\/span>), <\/span><\/span> { <\/span><\/span> iv<\/span>:<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.parse<\/span>(iv<\/span>), <\/span><\/span> mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, <\/span><\/span> padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> <\/span><\/span> } <\/span><\/span> ); <\/span><\/span> decryptedData<\/span> =<\/span> JSON<\/span>.parse<\/span>(decrypted<\/span>.toString<\/span>(CryptoJS<\/span>.enc<\/span>.Utf8<\/span>)); <\/span><\/span> return<\/span> decryptedData<\/span>; <\/span><\/span>}; <\/span><\/span><\/code><\/pre> 注册解密接口<\/strong>:<\/li> <\/ol> var<\/span> demo<\/span> =<\/span> new<\/span> Hlclient<\/span>("ws:\/\/127.0.0.1:12080\/ws?group=get_decrypt"<\/span>); <\/span><\/span>demo<\/span>.regAction<\/span>("get_decrypt"<\/span>, function<\/span>(resolve<\/span>, param<\/span>) { <\/span><\/span> res<\/span> =<\/span> get_decrypt<\/span>(param<\/span>["key"<\/span>], param<\/span>["iv"<\/span>], param<\/span>["message"<\/span>]) <\/span><\/span> resolve<\/span>(res<\/span>); <\/span><\/span>}); <\/span><\/span><\/code><\/pre> 测试解密接口<\/strong>(Python示例):<\/li> <\/ol> import<\/span> requests <\/span><\/span>import<\/span> json <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/127.0.0.1:12080\/go"<\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> "group"<\/span>: "get_decrypt"<\/span>, <\/span><\/span> "action"<\/span>: "get_decrypt"<\/span>, <\/span><\/span> "param"<\/span>: json.<\/span>dumps({ <\/span><\/span> "key"<\/span>: "9ca83c435044b0750777c05dec8df6bd"<\/span>, <\/span><\/span> "iv"<\/span>: "fc973c1d2895d89b445989939381b18c"<\/span>, <\/span><\/span> "message"<\/span>: "gcCZ3CRVQa7C1ZSTH06+Rfjz7E8x63WKTexphNg9YKcBpcUhW7yRnpMw+115wDO8XEqM12ECpCiP+7vfQDjkj08osdjmZhBw0EDZOv2FEBo="<\/span> <\/span><\/span> }) <\/span><\/span>} <\/span><\/span>res =<\/span> requests.<\/span>post(url, data=<\/span>data) <\/span><\/span>print(res.<\/span>text) <\/span><\/span><\/code><\/pre>3. Yakit 热加载脚本实现<\/h3> 加密请求热加载脚本<\/h4> # port scan plugin yakit.AutoInitYakit() handleCheck = func(target, port, word) { addr = str.HostPort(target, port) isTls = str.IsTLSServer(addr) packet = ` GET \/go?group=encrypt&action=encrypt&param={{params(word)}} HTTP\/1.1 Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cache-Control: no-cache Connection: keep-alive Host: {{params(target)}} ` rsp, req, _ = poc.HTTP(packet, poc.params({"target": addr, "word": word}), poc.https(isTls), poc.redirectTimes(0), ) println(req) if len(rsp) > 0 { body = poc.GetHTTPPacketBody(rsp) printf("获取加密结果：\n" + string(body)) jsonObj = json.loads(string(body)) sign = jsonObj["data"] return sign } else { println("失败") } return } func base_word(name, passwd) { word = "{ username: '" + name + "', password: '" + passwd + "' }" println(word) return codec.EncodeBase64(word) } signRequest = result => { pairs := result.SplitN("|", 2) dump(pairs) word = base_word(pairs[0], pairs[1]) sign = handleCheck("127.0.0.1", 12080, word) return sign } <\/code><\/pre> 解密响应热加载脚本<\/h4> # port scan plugin yakit.AutoInitYakit() func get_decrypt(key, iv, message) { rsp, req = poc.HTTP("POST \/go HTTP\/1.1\r\nHost: 127.0.0.1:12080", poc.replaceAllPostParams({ "group": "get_decrypt", "action": "get_decrypt", "param": json.dumps({"key": key, "iv": iv, "message": message}) }))~ println(req) println(rsp) return rsp } func decrypt(rsp) { if len(rsp) > 0 { body = poc.GetHTTPPacketBody(rsp) printf("获取加密结果：\n" + string(body)) jsonObj = json.loads(string(body)) key = jsonObj["key"] iv = jsonObj["iv"] message = jsonObj["message"] println("\nkey: " + string(key) + "\niv: " + string(iv) + "\nmessage: " + string(message)) if key == nil && iv == nil && message == nil { return rsp } else { return key, iv, message } } else { return rsp } return } afterRequest = func(rsp) { key, iv, message = decrypt(rsp) println("\nkey: " + string(key) + "\niv: " + string(iv) + "\nmessage: " + string(message)) rsp = get_decrypt(key, iv, message) return rsp } <\/code><\/pre> 关键点总结<\/h2> JsRpc 核心功能<\/strong>:<\/p> 作为桥梁调用前端页面中的加解密函数<\/li> 通过 WebSocket 实现浏览器与测试工具的通信<\/li> <\/ul> <\/li> Yakit 热加载优势<\/strong>:<\/p> 无需重启即可实时修改脚本<\/li> 利用 afterRequest<\/code> 魔术方法实现响应自动解密<\/li> 支持请求自动加密<\/li> <\/ul> <\/li> 加解密处理<\/strong>:<\/p> 固定 key 和 iv 确保加密结果可复现<\/li> 支持多参数传递处理复杂解密场景<\/li> 自动处理 JSON 格式转换<\/li> <\/ul> <\/li> 调试技巧<\/strong>:<\/p> 所有调试信息输出到控制台<\/li> 分阶段验证各组件功能<\/li> 使用 Yakit 自带靶场快速验证<\/li> <\/ul> <\/li> <\/ol> 参考资料<\/h2> JsRpc 项目地址<\/a><\/li> Yakit 官方文档<\/a><\/li> JsRpc 技术详解<\/a><\/li> <\/ol> 通过这套方案，测试人员可以完全在明文环境下进行测试工作，所有加解密过程由工具自动完成，极大提高了测试效率和准确性。<\/p>

JsRpc + Yakit 热加载解决请求响应体加解密问题<\/h1>

引言<\/h2> 本文介绍如何利用 JsRpc 与 Yakit 热加载技术解决 Web 应用测试中遇到的请求与响应双向加密问题。通过这种方法，测试人员可以彻底摆脱加解密的束缚，实现端到端的明文测试。<\/p>

操作步骤<\/h2>

1. 安装并启动 Yakit 靶场<\/h3> 首先需要准备测试环境，Yakit 自带靶场可用于模拟加密场景。<\/p>

2. JsRpc 使用<\/h3>

注入 JS，构建通信环境<\/h4> 将 JsRpc 的 JsEnv_Dev.js 代码(https:\/\/github.com\/jxhczhl\/JsRpc\/blob\/main\/resouces\/JsEnv_Dev.js)复制到浏览器控制台执行，建立 WebSocket 通信环境。<\/p>

3. Yakit 热加载脚本实现<\/h3>

参考资料<\/h2> JsRpc 项目地址<\/a><\/li> Yakit 官方文档<\/a><\/li> JsRpc 技术详解<\/a><\/li> <\/ol> 通过这套方案，测试人员可以完全在明文环境下进行测试工作，所有加解密过程由工具自动完成，极大提高了测试效率和准确性。<\/p>

引言<\/h2>
本文介绍如何利用 JsRpc 与 Yakit 热加载技术解决 Web 应用测试中遇到的请求与响应双向加密问题。通过这种方法，测试人员可以彻底摆脱加解密的束缚，实现端到端的明文测试。<\/p>

1. 安装并启动 Yakit 靶场<\/h3>
首先需要准备测试环境，Yakit 自带靶场可用于模拟加密场景。<\/p>

注入 JS，构建通信环境<\/h4>
将 JsRpc 的 JsEnv_Dev.js 代码(https:\/\/github.com\/jxhczhl\/JsRpc\/blob\/main\/resouces\/JsEnv_Dev.js)复制到浏览器控制台执行，建立 WebSocket 通信环境。<\/p>

参考资料<\/h2>

JsRpc 项目地址<\/a><\/li>
Yakit 官方文档<\/a><\/li>
JsRpc 技术详解<\/a><\/li> <\/ol>
通过这套方案，测试人员可以完全在明文环境下进行测试工作，所有加解密过程由工具自动完成，极大提高了测试效率和准确性。<\/p>