JsRpc + Yakit 热加载实现明文编辑加密发包技术文档<\/h1>

一、技术背景<\/h2>

在渗透测试过程中，前端请求数据加密已成为常见的安全防护措施，这给安全测试带来了以下挑战：<\/p>

需要逆向JavaScript代码分析加密逻辑<\/li>
传统方法需搭建复杂运行环境<\/li>
加密算法提取困难<\/li>

动态调试效率低下<\/li> <\/ul>

JsRpc + Yakit热加载技术组合解决了这些问题，实现了：<\/p>

明文编辑加密请求<\/li>
实时修改并重新加密<\/li>
无需完整逆向加密算法<\/li>

高效动态调试<\/li> <\/ul>

二、核心组件<\/h2>

1. JsRpc<\/h3>

基于WebSocket的JavaScript远程调用框架<\/li>

核心功能：

浏览器环境与外部工具通信<\/li>
拦截和修改加密函数<\/li>

提供加密\/解密服务接口<\/li> <\/ul> <\/li> <\/ul>

2. Yakit<\/h3>

集成化安全测试平台<\/li>

热加载特性：

实时修改请求内容<\/li>
自动重新加密<\/li>

可视化编辑界面<\/li> <\/ul> <\/li> <\/ul>

三、技术实现步骤<\/h2>

1. 环境准备<\/h3>

# 安装Yakit<\/span>
<\/span><\/span>wget https:\/\/yakit.xxx.com\/latest\/yakit -O \/usr\/local\/bin\/yakit
<\/span><\/span>chmod +x \/usr\/local\/bin\/yakit
<\/span><\/span>
<\/span><\/span># 启动Yakit<\/span>
<\/span><\/span>yakit start
<\/span><\/span><\/code><\/pre>2. JsRpc注入<\/h3>
\/\/ 示例注入代码
<\/span><\/span><\/span><\/span>(function<\/span>() {
<\/span><\/span>    const<\/span> ws<\/span> =<\/span> new<\/span> WebSocket<\/span>("ws:\/\/localhost:8080\/jsrpc"<\/span>);
<\/span><\/span>    ws<\/span>.onmessage<\/span> =<\/span> function<\/span>(event<\/span>) {
<\/span><\/span>        const<\/span> data<\/span> =<\/span> JSON<\/span>.parse<\/span>(event<\/span>.data<\/span>);
<\/span><\/span>        if<\/span>(data<\/span>.method<\/span> ===<\/span> "encrypt"<\/span>) {
<\/span><\/span>            const<\/span> result<\/span> =<\/span> window.targetEncryptFunction<\/span>(data<\/span>.params<\/span>);
<\/span><\/span>            ws<\/span>.send<\/span>(JSON<\/span>.stringify<\/span>({id<\/span>:<\/span> data<\/span>.id<\/span>, result<\/span>:<\/span> result<\/span>}));
<\/span><\/span>        }
<\/span><\/span>    };
<\/span><\/span>    
<\/span><\/span>    \/\/ 替换原加密函数
<\/span><\/span><\/span><\/span>    window.originalEncrypt<\/span> =<\/span> window.targetEncryptFunction<\/span>;
<\/span><\/span>    window.targetEncryptFunction<\/span> =<\/span> function<\/span>(params<\/span>) {
<\/span><\/span>        return<\/span> window.originalEncrypt<\/span>(params<\/span>);
<\/span><\/span>    };
<\/span><\/span>})();
<\/span><\/span><\/code><\/pre>3. 热加载配置流程<\/h3>

在Yakit中创建新项目<\/li>
配置WebSocket连接地址(ws:\/\/localhost:8080\/jsrpc)<\/li>
设置拦截规则：

目标URL匹配模式<\/li>
加密函数名称<\/li>
请求\/响应处理钩子<\/li>
<\/ul>
<\/li>
<\/ol>
4. 请求拦截与修改<\/h3>
# Yakit热加载处理脚本示例<\/span>
<\/span><\/span>def<\/span> on_request<\/span>(request):
<\/span><\/span>    if<\/span> request.<\/span>path ==<\/span> "\/api\/login"<\/span>:
<\/span><\/span>        # 获取明文数据<\/span>
<\/span><\/span>        plain_text =<\/span> jsrpc_call("decrypt"<\/span>, request.<\/span>body)
<\/span><\/span>        
<\/span><\/span>        # 修改明文<\/span>
<\/span><\/span>        modified =<\/span> plain_text.<\/span>replace("test"<\/span>, "admin"<\/span>)
<\/span><\/span>        
<\/span><\/span>        # 重新加密<\/span>
<\/span><\/span>        request.<\/span>body =<\/span> jsrpc_call("encrypt"<\/span>, modified)
<\/span><\/span>    
<\/span><\/span>    return<\/span> request
<\/span><\/span><\/code><\/pre>四、关键技术点<\/h2>
1. 加密函数定位<\/h3>


方法：<\/p>

搜索常见加密函数名(crypto, encrypt, AES等)<\/li>
XHR\/fetch请求断点<\/li>
调用栈分析<\/li>
<\/ul>
<\/li>

特征：<\/p>
\/\/ 典型加密函数结构
<\/span><\/span><\/span><\/span>function<\/span> encryptData<\/span>(data<\/span>) {
<\/span><\/span>    const<\/span> key<\/span> =<\/span> "xxxxxxxx"<\/span>;
<\/span><\/span>    const<\/span> iv<\/span> =<\/span> "xxxxxxxx"<\/span>;
<\/span><\/span>    return<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(JSON<\/span>.stringify<\/span>(data<\/span>), key<\/span>, {iv<\/span>:<\/span> iv<\/span>}).toString<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. WebSocket通信协议<\/h3>


请求格式：<\/p>
{
<\/span><\/span>  "id"<\/span>: "uuid"<\/span>,
<\/span><\/span>  "method"<\/span>: "encrypt|decrypt"<\/span>,
<\/span><\/span>  "params"<\/span>: "data_to_process"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

响应格式：<\/p>
{
<\/span><\/span>  "id"<\/span>: "uuid"<\/span>,
<\/span><\/span>  "result"<\/span>: "processed_data"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 热加载处理流程<\/h3>

拦截加密请求<\/li>
通过WebSocket发送到外部工具<\/li>
在Yakit中编辑明文<\/li>
调用JsRpc重新加密<\/li>
发送修改后的请求<\/li>
<\/ol>
五、实战案例<\/h2>
案例：登录接口加密绕过<\/h3>

发现登录接口\/api\/v1\/login<\/code>使用AES加密<\/li>
注入JsRpc脚本拦截加密函数<\/li>
捕获加密请求：
{"username"<\/span>:"user1"<\/span>,"password"<\/span>:"123456"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>
修改为：
{"username"<\/span>:"admin"<\/span>,"password"<\/span>:"admin123"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>
自动重新加密并发送<\/li>
<\/ol>
调试技巧<\/h3>

使用console.log<\/code>输出中间值<\/li>
设置断点检查加密前后数据<\/li>
保存不同版本的修改记录<\/li>
<\/ul>
六、常见问题解决<\/h2>


连接失败<\/strong><\/p>

检查WebSocket地址是否正确<\/li>
验证CORS策略<\/li>
确保注入脚本执行顺序正确<\/li>
<\/ul>
<\/li>

加密函数不生效<\/strong><\/p>

确认函数名称和上下文正确<\/li>
检查原型链调用<\/li>
验证函数是否被二次封装<\/li>
<\/ul>
<\/li>

性能问题<\/strong><\/p>

优化WebSocket消息大小<\/li>
减少不必要的拦截<\/li>
使用批量处理模式<\/li>
<\/ul>
<\/li>
<\/ol>
七、高级应用<\/h2>
1. 自动化测试集成<\/h3>
import<\/span> yakit
<\/span><\/span>
<\/span><\/span>client =<\/span> yakit.<\/span>connect()
<\/span><\/span>test_cases =<\/span> [
<\/span><\/span>    {"input"<\/span>: "test1"<\/span>, "expected"<\/span>: "..."<\/span>},
<\/span><\/span>    {"input"<\/span>: "test2"<\/span>, "expected"<\/span>: "..."<\/span>}
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>for<\/span> case in<\/span> test_cases:
<\/span><\/span>    encrypted =<\/span> client.<\/span>jsrpc("encrypt"<\/span>, case["input"<\/span>])
<\/span><\/span>    response =<\/span> client.<\/span>request("\/api\/test"<\/span>, body=<\/span>encrypted)
<\/span><\/span>    decrypted =<\/span> client.<\/span>jsrpc("decrypt"<\/span>, response.<\/span>body)
<\/span><\/span>    assert<\/span> decrypted ==<\/span> case["expected"<\/span>]
<\/span><\/span><\/code><\/pre>2. 多加密算法支持<\/h3>
\/\/ 多算法路由处理
<\/span><\/span><\/span><\/span>ws<\/span>.onmessage<\/span> =<\/span> function<\/span>(event<\/span>) {
<\/span><\/span>    const<\/span> data<\/span> =<\/span> JSON<\/span>.parse<\/span>(event<\/span>.data<\/span>);
<\/span><\/span>    let<\/span> result<\/span>;
<\/span><\/span>    
<\/span><\/span>    switch<\/span>(data<\/span>.method<\/span>) {
<\/span><\/span>        case<\/span> "aes_encrypt"<\/span>:<\/span>
<\/span><\/span>            result<\/span> =<\/span> aesEncrypt<\/span>(data<\/span>.params<\/span>);
<\/span><\/span>            break<\/span>;
<\/span><\/span>        case<\/span> "rsa_encrypt"<\/span>:<\/span>
<\/span><\/span>            result<\/span> =<\/span> rsaEncrypt<\/span>(data<\/span>.params<\/span>);
<\/span><\/span>            break<\/span>;
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ws<\/span>.send<\/span>(JSON<\/span>.stringify<\/span>({id<\/span>:<\/span> data<\/span>.id<\/span>, result<\/span>:<\/span> result<\/span>}));
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>八、安全注意事项<\/h2>

仅用于授权测试<\/li>
测试完成后移除注入脚本<\/li>
加密通信使用wss协议<\/li>
敏感信息处理需谨慎<\/li>
<\/ol>
九、总结<\/h2>
JsRpc + Yakit热加载技术提供了一种高效处理前端加密请求的方案，相比传统方法具有以下优势：<\/p>

无需完整逆向加密算法<\/li>
实时交互式调试<\/li>
支持复杂加密场景<\/li>
集成化工作流<\/li>
<\/ul>
该技术特别适用于：<\/p>

登录接口测试<\/li>
敏感操作验证<\/li>
加密协议分析<\/li>
自动化安全测试<\/li>
<\/ul>