渗透测试中的"幽灵模式"：针对全加密Web应用的透视技术详解<\/h1>

1. 背景与问题描述<\/h2>
本文档详细解析了一种针对请求和响应全加密Web应用的渗透测试解决方案。目标网站具有以下特征：<\/p>
所有请求参数都经过加密后赋值给data<\/code>字段<\/li>
每个请求都有sign<\/code>签名验证<\/li>
响应体res<\/code>字段同样经过加密<\/li>
使用国密SM4算法进行CBC模式的对称加密<\/li>
<\/ul>
这种全加密机制给渗透测试带来极大不便，需要开发一种"透视"技术，在不影响正常功能的前提下实现请求和响应的明文查看与修改。<\/p>
2. 加密机制分析<\/h2>
2.1 data字段加密分析<\/h3>


加密流程<\/strong>：<\/p>

原始参数被赋值给变量t<\/code><\/li>
调用v(t)<\/code>函数对t<\/code>进行加密<\/li>
加密结果赋值给请求的data<\/code>字段<\/li>
<\/ul>
<\/li>

加密函数分析<\/strong>：<\/p>

使用国密SM4算法<\/li>
CBC加密模式<\/li>
密钥：d6a785b93b6c0d4a<\/code><\/li>
IV向量：2d91d2be3ad9e42c<\/code><\/li>
<\/ul>
<\/li>

验证方法<\/strong>：<\/p>
from<\/span> gmssl import<\/span> sm4
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>def<\/span> encrypt_SM4<\/span>(value):
<\/span><\/span>    gmsm4 =<\/span> sm4.<\/span>CryptSM4()
<\/span><\/span>    gmsm4.<\/span>set_key(b<\/span>'d6a785b93b6c0d4a'<\/span>, sm4.<\/span>SM4_ENCRYPT)
<\/span><\/span>    encrypt_value =<\/span> gmsm4.<\/span>crypt_cbc(b<\/span>'2d91d2be3ad9e42c'<\/span>, value.<\/span>encode())
<\/span><\/span>    return<\/span> base64.<\/span>b64encode(encrypt_value).<\/span>decode('utf-8'<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 sign签名分析<\/h3>


签名生成逻辑<\/strong>：<\/p>

固定值this.COMPID<\/code>为"CLYTB"<\/code><\/li>
对COMPID<\/code>进行MD5得到t<\/code>值：d4a4a210ed3d3d367049d4d331883485<\/code><\/li>
签名公式：sign = md5(t + 原始参数 + "VETRIP_B2C")<\/code><\/li>
<\/ul>
<\/li>

验证方法<\/strong>：<\/p>
import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>def<\/span> generate_sign<\/span>(text):
<\/span><\/span>    md5_hash =<\/span> hashlib.<\/span>md5()
<\/span><\/span>    md5_hash.<\/span>update(('d4a4a210ed3d3d367049d4d331883485'<\/span>+<\/span>text+<\/span>'VETRIP_B2C'<\/span>).<\/span>encode())
<\/span><\/span>    return<\/span> md5_hash.<\/span>hexdigest()
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 解决方案架构<\/h2>
整体解决方案分为三个关键部分：<\/p>

浏览器端修改<\/strong>：禁用请求加密<\/li>
中间代理层<\/strong>：负责请求加密和响应解密<\/li>
浏览器响应处理修改<\/strong>：适配解密后的响应<\/li>
<\/ol>
浏览器(明文) → Burp(明文) → 中间代理(加密) → 目标服务器
目标服务器(加密) → 中间代理(解密) → Burp(明文) → 浏览器(适配处理)
<\/code><\/pre>
4. 详细实施步骤<\/h2>
4.1 浏览器端请求加密禁用<\/h3>


启用Chrome本地覆盖<\/strong>：<\/p>

打开DevTools → Sources → Overrides<\/li>
选择一个空文件夹并允许<\/li>
刷新页面，找到加密JS文件<\/li>
<\/ul>
<\/li>

修改加密逻辑<\/strong>：<\/p>

定位到t = v(t)<\/code>这行代码<\/li>
删除或注释掉这行代码，防止请求参数被加密<\/li>
保存修改(Ctrl+S)<\/li>
<\/ul>
<\/li>

注意事项<\/strong>：<\/p>

不要随意格式化JS代码，可能破坏功能<\/li>
保持DevTools打开状态<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 中间代理层实现<\/h3>
使用mitmproxy作为Burp的上游代理，实现自动加解密：<\/p>
import<\/span> base64
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>import<\/span> json
<\/span><\/span>from<\/span> gmssl import<\/span> sm4
<\/span><\/span>from<\/span> mitmproxy import<\/span> ctx
<\/span><\/span>
<\/span><\/span># 加密配置<\/span>
<\/span><\/span>encrypt_key =<\/span> b<\/span>'d6a785b93b6c0d4a'<\/span>
<\/span><\/span>iv =<\/span> b<\/span>'2d91d2be3ad9e42c'<\/span>
<\/span><\/span>gmsm4 =<\/span> sm4.<\/span>CryptSM4()
<\/span><\/span>
<\/span><\/span>def<\/span> encryptSM4<\/span>(value):
<\/span><\/span>    gmsm4.<\/span>set_key(encrypt_key, sm4.<\/span>SM4_ENCRYPT)
<\/span><\/span>    data_str =<\/span> str(value)
<\/span><\/span>    encrypt_value =<\/span> gmsm4.<\/span>crypt_cbc(iv, data_str.<\/span>encode())
<\/span><\/span>    return<\/span> base64.<\/span>b64encode(encrypt_value).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> decryptSM4<\/span>(encrypt_value):
<\/span><\/span>    encrypt_value =<\/span> base64.<\/span>b64decode(encrypt_value).<\/span>hex()
<\/span><\/span>    gmsm4.<\/span>set_key(encrypt_key, sm4.<\/span>SM4_DECRYPT)
<\/span><\/span>    decrypt_value =<\/span> gmsm4.<\/span>crypt_cbc(iv, bytes.<\/span>fromhex(encrypt_value))
<\/span><\/span>    return<\/span> decrypt_value.<\/span>decode()
<\/span><\/span>
<\/span><\/span>def<\/span> sign<\/span>(text):
<\/span><\/span>    md5_hash =<\/span> hashlib.<\/span>md5()
<\/span><\/span>    md5_hash.<\/span>update(('d4a4a210ed3d3d367049d4d331883485'<\/span>+<\/span>text+<\/span>'VETRIP_B2C'<\/span>).<\/span>encode())
<\/span><\/span>    return<\/span> md5_hash.<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>def<\/span> request<\/span>(flow):
<\/span><\/span>    """处理请求：加密data并更新sign"""<\/span>
<\/span><\/span>    if<\/span> flow.<\/span>request.<\/span>urlencoded_form:
<\/span><\/span>        data_value =<\/span> flow.<\/span>request.<\/span>urlencoded_form['data'<\/span>]
<\/span><\/span>        flow.<\/span>request.<\/span>urlencoded_form['data'<\/span>] =<\/span> encryptSM4(data_value)
<\/span><\/span>        flow.<\/span>request.<\/span>urlencoded_form['sign'<\/span>] =<\/span> sign(data_value)
<\/span><\/span>
<\/span><\/span>def<\/span> response<\/span>(flow):
<\/span><\/span>    """处理响应：解密res字段"""<\/span>
<\/span><\/span>    content_type =<\/span> flow.<\/span>response.<\/span>headers.<\/span>get("Content-Type"<\/span>, ""<\/span>)
<\/span><\/span>    if<\/span> "application\/json"<\/span> in<\/span> content_type:
<\/span><\/span>        response_body =<\/span> flow.<\/span>response.<\/span>get_text()
<\/span><\/span>        json_data =<\/span> json.<\/span>loads(response_body)
<\/span><\/span>        json_data['res'<\/span>] =<\/span> decryptSM4(json_data['res'<\/span>])
<\/span><\/span>        flow.<\/span>response.<\/span>set_text(json_data['res'<\/span>])
<\/span><\/span><\/code><\/pre>启动命令：<\/p>
mitmproxy.exe -p 8081<\/span> -s .\/mit.py
<\/span><\/span><\/code><\/pre>4.3 浏览器响应处理修改<\/h3>


定位响应处理代码<\/strong>：<\/p>

在JS中搜索"res"<\/code>定位响应处理逻辑<\/li>
找到对res<\/code>字段的解密调用<\/li>
<\/ul>
<\/li>

修改解密逻辑<\/strong>：<\/p>

原始代码通常包含JSON.parse(b(i))<\/code>或类似结构<\/li>
修改为直接使用响应数据，因为代理已解密<\/li>
示例修改：
\/\/ 原代码
<\/span><\/span><\/span><\/span>var<\/span> i<\/span> =<\/span> t<\/span>.data<\/span>.res<\/span>;
<\/span><\/span>var<\/span> r<\/span> =<\/span> JSON<\/span>.parse<\/span>(b<\/span>(i<\/span>));
<\/span><\/span>
<\/span><\/span>\/\/ 修改为
<\/span><\/span><\/span><\/span>var<\/span> i<\/span> =<\/span> t<\/span>.data<\/span>.res<\/span>;
<\/span><\/span>var<\/span> r<\/span> =<\/span> i<\/span>;  \/\/ 直接使用已解密的数据
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

异常处理<\/strong>：<\/p>

注意避免对已经是JavaScript对象的变量再次调用JSON.parse()<\/code><\/li>
确保修改后的代码不会破坏原有业务逻辑<\/li>
<\/ul>
<\/li>
<\/ol>
5. 验证与测试<\/h2>


请求验证<\/strong>：<\/p>

在Burp中查看请求，确认data<\/code>字段为明文<\/li>
确认sign<\/code>值正确生成<\/li>
<\/ul>
<\/li>

响应验证<\/strong>：<\/p>

在Burp中查看响应，确认res<\/code>字段已解密<\/li>
浏览器功能正常，无报错<\/li>
<\/ul>
<\/li>

渗透测试<\/strong>：<\/p>

可以自由修改请求参数进行测试<\/li>
能够直接查看响应内容分析漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
6. 技术要点总结<\/h2>


关键加密算法<\/strong>：<\/p>

国密SM4对称加密<\/li>
CBC模式<\/li>
固定密钥和IV<\/li>
<\/ul>
<\/li>

签名机制<\/strong>：<\/p>

基于固定值和参数的MD5哈希<\/li>
包含特定业务字符串VETRIP_B2C<\/code><\/li>
<\/ul>
<\/li>

解决方案核心<\/strong>：<\/p>

浏览器本地覆盖禁用加密<\/li>
中间代理透明加解密<\/li>
浏览器响应处理适配<\/li>
<\/ul>
<\/li>

工具链<\/strong>：<\/p>

Chrome DevTools本地覆盖<\/li>
mitmproxy中间代理<\/li>
Burp Suite作为主测试工具<\/li>
<\/ul>
<\/li>
<\/ol>
7. 潜在问题与解决方案<\/h2>


JS格式化问题<\/strong>：<\/p>

某些JS文件格式化后可能无法正常工作<\/li>
解决方案：先保存原始文件再格式化，或部分格式化<\/li>
<\/ul>
<\/li>

加密算法变更<\/strong>：<\/p>

目标网站可能更新加密方式<\/li>
解决方案：定期检查加密逻辑，更新代理脚本<\/li>
<\/ul>
<\/li>

签名机制更新<\/strong>：<\/p>

签名公式可能加入动态元素<\/li>
解决方案：重新分析签名生成逻辑<\/li>
<\/ul>
<\/li>

HTTPS证书问题<\/strong>：<\/p>

mitmproxy需要安装CA证书<\/li>
解决方案：正确配置mitmproxy证书<\/li>
<\/ul>
<\/li>
<\/ol>
8. 扩展应用<\/h2>
本技术方案可应用于以下场景：<\/p>

对全加密API接口的安全测试<\/li>
黑盒测试中的协议分析<\/li>
移动应用与加密后端通信的分析<\/li>
其他需要"透视"加密通信的场景<\/li>
<\/ol>
只需根据具体加密算法和签名机制调整代理脚本即可。<\/p>