Mitmproxy 数据包解密实战教程<\/h1>

1. Mitmproxy 简介<\/h2>

mitmproxy 是一组工具，提供用于 HTTP\/1、HTTP\/2 和 WebSocket 的交互式、支持 SSL\/TLS 的拦截代理。它包含三个主要组件：<\/p>

工具名称<\/th> 描述<\/th> <\/tr> <\/thead>

mitmproxy<\/td> 交互式控制台界面的拦截代理<\/td> <\/tr>

mitmweb<\/td> 基于网页界面的拦截代理<\/td> <\/tr>

mitmdump<\/td>

工具名称<\/th>	描述<\/th> <\/tr> <\/thead>
mitmproxy<\/td>	交互式控制台界面的拦截代理<\/td> <\/tr>
mitmweb<\/td>	基于网页界面的拦截代理<\/td> <\/tr>
mitmdump<\/td>	命令行版本，可理解为 HTTP 的 tcpdump<\/td> <\/tr> <\/tbody> <\/table> 2. 安装方法<\/h2> macOS 安装<\/h3> brew install mitmproxy <\/span><\/span><\/code><\/pre>其他系统<\/h3> 从mitmproxy官网<\/a>下载对应版本安装<\/p> 3. 基本使用<\/h2> 3.1 编写插件示例<\/h3> 以下是一个简单的插件示例，用于在每个响应中添加 HTTP 头：<\/p> class<\/span> AddHeader<\/span>: <\/span><\/span> def<\/span> __init__(self): <\/span><\/span> self.<\/span>num =<\/span> 0<\/span> <\/span><\/span> <\/span><\/span> def<\/span> response<\/span>(self, flow): <\/span><\/span> self.<\/span>num =<\/span> self.<\/span>num +<\/span> 1<\/span> <\/span><\/span> flow.<\/span>response.<\/span>headers["count"<\/span>] =<\/span> str(self.<\/span>num) <\/span><\/span> <\/span><\/span>addons =<\/span> [AddHeader()] <\/span><\/span><\/code><\/pre>3.2 启动 mitmdump<\/h3> mitmdump -s http-add-header.py -p 6666<\/span> <\/span><\/span><\/code><\/pre>然后配置浏览器代理为 127.0.0.1:6666<\/code><\/p> 4. 应用实战：数据包解密<\/h2> 4.1 加密\/解密分析<\/h3> 从 Java 代码分析加密逻辑：<\/p> public<\/span> static<\/span> String[]<\/span> decode<\/span>(<\/span>String data)<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> dataByte =<\/span> CodeHandler.<\/span>strToByteArrayByUTF8<\/span>(<\/span>data);<\/span> <\/span><\/span> dataByte =<\/span> CodeHandler.<\/span>deCode<\/span>(<\/span>dataByte);<\/span> <\/span><\/span> String decodedData =<\/span> CodeHandler.<\/span>byteArrayToStrByUTF8<\/span>(<\/span>dataByte);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> byte<\/span>[]<\/span> decode<\/span>(<\/span>byte<\/span>[]<\/span> dataByte)<\/span> {<\/span> <\/span><\/span> int<\/span> i =<\/span> 0<\/span>;<\/span> <\/span><\/span> for<\/span>(<\/span>int<\/span> j =<\/span> 0<\/span>;<\/span> j <<\/span> dataByte.<\/span>length<\/span>;<\/span> ++<\/span>j)<\/span> {<\/span> <\/span><\/span> byte<\/span> tmp =<\/span> dataByte[<\/span>i];<\/span> <\/span><\/span> if<\/span> (<\/span>tmp ><\/span> 0<\/span> &&<\/span> tmp <<\/span> decodeArray.<\/span>length<\/span>)<\/span> {<\/span> <\/span><\/span> byte<\/span> encodeChar =<\/span> decodeArray[<\/span>tmp];<\/span> <\/span><\/span> if<\/span> (<\/span>encodeChar !=<\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> dataByte[<\/span>i]<\/span> =<\/span> encodeChar;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> ++<\/span>i;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> dataByte;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.2 Python 解密脚本实现<\/h3> import<\/span> logging <\/span><\/span>import<\/span> re <\/span><\/span> <\/span><\/span>class<\/span> Mimit<\/span>(): <\/span><\/span> decode_array =<\/span> [ <\/span><\/span> 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, <\/span><\/span> 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, <\/span><\/span> 32<\/span>, 87<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 47<\/span>, 0<\/span>, 56<\/span>, 97<\/span>, 89<\/span>, 84<\/span>, 43<\/span>, 0<\/span>, 103<\/span>, 106<\/span>, 37<\/span>, <\/span><\/span> 113<\/span>, 49<\/span>, 121<\/span>, 78<\/span>, 114<\/span>, 112<\/span>, 110<\/span>, 48<\/span>, 76<\/span>, 55<\/span>, 123<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, <\/span><\/span> 0<\/span>, 40<\/span>, 88<\/span>, 120<\/span>, 115<\/span>, 41<\/span>, 77<\/span>, 107<\/span>, 71<\/span>, 104<\/span>, 53<\/span>, 52<\/span>, 80<\/span>, 54<\/span>, 51<\/span>, 65<\/span>, <\/span><\/span> 33<\/span>, 117<\/span>, 105<\/span>, 108<\/span>, 68<\/span>, 90<\/span>, 66<\/span>, 83<\/span>, 122<\/span>, 81<\/span>, 86<\/span>, 93<\/span>, 0<\/span>, 91<\/span>, 0<\/span>, 102<\/span>, <\/span><\/span> 0<\/span>, 69<\/span>, 119<\/span>, 73<\/span>, 109<\/span>, 126<\/span>, 45<\/span>, 118<\/span>, 100<\/span>, 99<\/span>, 82<\/span>, 116<\/span>, 75<\/span>, 57<\/span>, 39<\/span>, 79<\/span>, <\/span><\/span> 101<\/span>, 46<\/span>, 72<\/span>, 42<\/span>, 67<\/span>, 50<\/span>, 74<\/span>, 111<\/span>, 70<\/span>, 95<\/span>, 85<\/span>, 58<\/span>, 0<\/span>, 0<\/span>, 98<\/span>, 0<\/span> <\/span><\/span> ] <\/span><\/span> <\/span><\/span> def<\/span> request<\/span>(self, flow): <\/span><\/span> if<\/span> flow.<\/span>request.<\/span>path.<\/span>endswith("\/RMIServlet"<\/span>) and<\/span> flow.<\/span>request.<\/span>method ==<\/span> "POST"<\/span>: <\/span><\/span> req =<\/span> flow.<\/span>request.<\/span>get_text() <\/span><\/span> logging.<\/span>info("requestData:"<\/span> +<\/span> req) <\/span><\/span> match =<\/span> re.<\/span>search(r<\/span>'encode=([^&]+)'<\/span>, req) <\/span><\/span> decoded_str =<\/span> ""<\/span> <\/span><\/span> if<\/span> match: <\/span><\/span> encode_value =<\/span> match.<\/span>group(1<\/span>) <\/span><\/span> data_byte =<\/span> bytearray(encode_value, "UTF-8"<\/span>) <\/span><\/span> decoded_byte =<\/span> self.<\/span>decode(data_byte) <\/span><\/span> decoded_str =<\/span> decoded_byte.<\/span>decode("UTF-8"<\/span>) <\/span><\/span> logging.<\/span>info(decoded_str) <\/span><\/span> else<\/span>: <\/span><\/span> logging.<\/span>info("Encode value not found"<\/span>) <\/span><\/span> array =<\/span> decoded_str.<\/span>split("+"<\/span>) <\/span><\/span> data =<\/span> f<\/span>'className=<\/span>{<\/span>array[0<\/span>]}<\/span>&methodName=<\/span>{<\/span>array[1<\/span>]}<\/span>&ampparams=<\/span>{<\/span>array[2<\/span>]}<\/span>'<\/span> <\/span><\/span> flow.<\/span>request.<\/span>set_text(data) <\/span><\/span> <\/span><\/span> def<\/span> response<\/span>(self, flow): <\/span><\/span> if<\/span> flow.<\/span>request.<\/span>path.<\/span>endswith("\/RMIServlet"<\/span>) and<\/span> flow.<\/span>request.<\/span>method ==<\/span> "POST"<\/span>: <\/span><\/span> response =<\/span> flow.<\/span>response.<\/span>get_text() <\/span><\/span> data_byte =<\/span> bytearray(response, "UTF-8"<\/span>) <\/span><\/span> encoded_byte =<\/span> self.<\/span>encode(data_byte) <\/span><\/span> encoded_str =<\/span> encoded_byte.<\/span>decode("UTF-8"<\/span>) <\/span><\/span> flow.<\/span>response.<\/span>set_text(encoded_str) <\/span><\/span> <\/span><\/span> def<\/span> decode<\/span>(self, data_byte): <\/span><\/span> for<\/span> i in<\/span> range(len(data_byte)): <\/span><\/span> tmp =<\/span> data_byte[i] <\/span><\/span> if<\/span> 0<\/span> <<\/span> tmp <<\/span> len(self.<\/span>decode_array): <\/span><\/span> encode_char =<\/span> self.<\/span>decode_array[tmp] <\/span><\/span> if<\/span> encode_char !=<\/span> 0<\/span>: <\/span><\/span> data_byte[i] =<\/span> encode_char <\/span><\/span> return<\/span> data_byte <\/span><\/span> <\/span><\/span> def<\/span> encode<\/span>(self, data_byte): <\/span><\/span> for<\/span> i in<\/span> range(len(data_byte)): <\/span><\/span> tmp =<\/span> data_byte[i] <\/span><\/span> if<\/span> 0<\/span> <<\/span> tmp <<\/span> len(self.<\/span>decode_array) and<\/span> tmp not<\/span> in<\/span> (37<\/span>, 47<\/span>): <\/span><\/span> encode_char =<\/span> self.<\/span>decode_array[tmp] <\/span><\/span> if<\/span> encode_char !=<\/span> 0<\/span>: <\/span><\/span> data_byte[i] =<\/span> encode_char <\/span><\/span> return<\/span> data_byte <\/span><\/span> <\/span><\/span>addons =<\/span> [Mimit(), ] <\/span><\/span><\/code><\/pre>4.3 代理配置<\/h3> 使用以下命令启动 mitmdump：<\/p> mitmdump -p 6666<\/span> -s main.py --mode upstream:http:\/\/127.0.0.1:6662 --ssl-insecure <\/span><\/span><\/code><\/pre>配置说明：<\/p> -p 6666<\/code>：设置监听端口<\/li> -s main.py<\/code>：指定插件脚本<\/li> --mode upstream:http:\/\/127.0.0.1:6662<\/code>：设置上游代理为 BurpSuite<\/li> --ssl-insecure<\/code>：忽略 SSL 证书验证<\/li> <\/ul> BurpSuite 配置：<\/p> 打开 Proxy → Options<\/li> 添加 Proxy listener，绑定 6662 端口<\/li> 确保 "Support invisible proxying" 选项启用<\/li> <\/ol> 5. 其他配置方式<\/h2> 5.1 双向加密\/解密流程<\/h3> 当服务器只识别密文时，可以配置两重代理：<\/p> 第一层 mitmdump（解密）：<\/li> <\/ol> mitmdump -p 6666<\/span> -s dec.py --mode upstream:http:\/\/127.0.0.1:6662 --ssl-insecure <\/span><\/span><\/code><\/pre> 第二层 mitmdump（加密）：<\/li> <\/ol> mitmdump -p 7777<\/span> -s enc.py <\/span><\/span><\/code><\/pre> BurpSuite 配置：在 Proxy → Options → Upstream Proxy Servers 中添加规则<\/li> 目标主机：应用服务器地址<\/li> 代理主机：127.0.0.1<\/li> 代理端口：7777<\/li> <\/ul> <\/li> <\/ol> 6. 关键点总结<\/h2> 插件开发<\/strong>：通过编写 Python 插件实现请求\/响应的修改<\/li> 代理链<\/strong>：使用 --mode upstream<\/code> 构建代理链<\/li> SSL 绕过<\/strong>：--ssl-insecure<\/code> 参数忽略证书验证<\/li> 双向处理<\/strong>：请求解密和响应加密需要分别处理<\/li> BurpSuite 集成<\/strong>：通过上游代理配置实现与 BurpSuite 的联动<\/li> <\/ol> 7. 参考链接<\/h2> mitmproxy 官方文档<\/a><\/li> mitmproxy 插件示例<\/a><\/li> <\/ol>

命令行版本，可理解为 HTTP 的 tcpdump<\/td> <\/tr> <\/tbody> <\/table>

2. 安装方法<\/h2>

macOS 安装<\/h3>

brew install mitmproxy
<\/span><\/span><\/code><\/pre>其他系统<\/h3>
从mitmproxy官网<\/a>下载对应版本安装<\/p>
3. 基本使用<\/h2>
3.1 编写插件示例<\/h3>
以下是一个简单的插件示例，用于在每个响应中添加 HTTP 头：<\/p>
class<\/span> AddHeader<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        self.<\/span>num =<\/span> 0<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> response<\/span>(self, flow):
<\/span><\/span>        self.<\/span>num =<\/span> self.<\/span>num +<\/span> 1<\/span>
<\/span><\/span>        flow.<\/span>response.<\/span>headers["count"<\/span>] =<\/span> str(self.<\/span>num)
<\/span><\/span>
<\/span><\/span>addons =<\/span> [AddHeader()]
<\/span><\/span><\/code><\/pre>3.2 启动 mitmdump<\/h3>
mitmdump -s http-add-header.py -p 6666<\/span>
<\/span><\/span><\/code><\/pre>然后配置浏览器代理为 127.0.0.1:6666<\/code><\/p>
4. 应用实战：数据包解密<\/h2>
4.1 加密\/解密分析<\/h3>
从 Java 代码分析加密逻辑：<\/p>
public<\/span> static<\/span> String[]<\/span> decode<\/span>(<\/span>String data)<\/span> {<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> dataByte =<\/span> CodeHandler.<\/span>strToByteArrayByUTF8<\/span>(<\/span>data);<\/span>
<\/span><\/span>    dataByte =<\/span> CodeHandler.<\/span>deCode<\/span>(<\/span>dataByte);<\/span>
<\/span><\/span>    String decodedData =<\/span> CodeHandler.<\/span>byteArrayToStrByUTF8<\/span>(<\/span>dataByte);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> byte<\/span>[]<\/span> decode<\/span>(<\/span>byte<\/span>[]<\/span> dataByte)<\/span> {<\/span>
<\/span><\/span>    int<\/span> i =<\/span> 0<\/span>;<\/span>
<\/span><\/span>    for<\/span>(<\/span>int<\/span> j =<\/span> 0<\/span>;<\/span> j <<\/span> dataByte.<\/span>length<\/span>;<\/span> ++<\/span>j)<\/span> {<\/span>
<\/span><\/span>        byte<\/span> tmp =<\/span> dataByte[<\/span>i];<\/span>
<\/span><\/span>        if<\/span> (<\/span>tmp ><\/span> 0<\/span> &&<\/span> tmp <<\/span> decodeArray.<\/span>length<\/span>)<\/span> {<\/span>
<\/span><\/span>            byte<\/span> encodeChar =<\/span> decodeArray[<\/span>tmp];<\/span>
<\/span><\/span>            if<\/span> (<\/span>encodeChar !=<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                dataByte[<\/span>i]<\/span> =<\/span> encodeChar;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        ++<\/span>i;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> dataByte;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Python 解密脚本实现<\/h3>
import<\/span> logging
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span>class<\/span> Mimit<\/span>():
<\/span><\/span>    decode_array =<\/span> [
<\/span><\/span>        0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>,
<\/span><\/span>        0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>,
<\/span><\/span>        32<\/span>, 87<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 47<\/span>, 0<\/span>, 56<\/span>, 97<\/span>, 89<\/span>, 84<\/span>, 43<\/span>, 0<\/span>, 103<\/span>, 106<\/span>, 37<\/span>,
<\/span><\/span>        113<\/span>, 49<\/span>, 121<\/span>, 78<\/span>, 114<\/span>, 112<\/span>, 110<\/span>, 48<\/span>, 76<\/span>, 55<\/span>, 123<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>,
<\/span><\/span>        0<\/span>, 40<\/span>, 88<\/span>, 120<\/span>, 115<\/span>, 41<\/span>, 77<\/span>, 107<\/span>, 71<\/span>, 104<\/span>, 53<\/span>, 52<\/span>, 80<\/span>, 54<\/span>, 51<\/span>, 65<\/span>,
<\/span><\/span>        33<\/span>, 117<\/span>, 105<\/span>, 108<\/span>, 68<\/span>, 90<\/span>, 66<\/span>, 83<\/span>, 122<\/span>, 81<\/span>, 86<\/span>, 93<\/span>, 0<\/span>, 91<\/span>, 0<\/span>, 102<\/span>,
<\/span><\/span>        0<\/span>, 69<\/span>, 119<\/span>, 73<\/span>, 109<\/span>, 126<\/span>, 45<\/span>, 118<\/span>, 100<\/span>, 99<\/span>, 82<\/span>, 116<\/span>, 75<\/span>, 57<\/span>, 39<\/span>, 79<\/span>,
<\/span><\/span>        101<\/span>, 46<\/span>, 72<\/span>, 42<\/span>, 67<\/span>, 50<\/span>, 74<\/span>, 111<\/span>, 70<\/span>, 95<\/span>, 85<\/span>, 58<\/span>, 0<\/span>, 0<\/span>, 98<\/span>, 0<\/span>
<\/span><\/span>    ]
<\/span><\/span>
<\/span><\/span>    def<\/span> request<\/span>(self, flow):
<\/span><\/span>        if<\/span> flow.<\/span>request.<\/span>path.<\/span>endswith("\/RMIServlet"<\/span>) and<\/span> flow.<\/span>request.<\/span>method ==<\/span> "POST"<\/span>:
<\/span><\/span>            req =<\/span> flow.<\/span>request.<\/span>get_text()
<\/span><\/span>            logging.<\/span>info("requestData:"<\/span> +<\/span> req)
<\/span><\/span>            match =<\/span> re.<\/span>search(r<\/span>'encode=([^&]+)'<\/span>, req)
<\/span><\/span>            decoded_str =<\/span> ""<\/span>
<\/span><\/span>            if<\/span> match:
<\/span><\/span>                encode_value =<\/span> match.<\/span>group(1<\/span>)
<\/span><\/span>                data_byte =<\/span> bytearray(encode_value, "UTF-8"<\/span>)
<\/span><\/span>                decoded_byte =<\/span> self.<\/span>decode(data_byte)
<\/span><\/span>                decoded_str =<\/span> decoded_byte.<\/span>decode("UTF-8"<\/span>)
<\/span><\/span>                logging.<\/span>info(decoded_str)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                logging.<\/span>info("Encode value not found"<\/span>)
<\/span><\/span>            array =<\/span> decoded_str.<\/span>split("+"<\/span>)
<\/span><\/span>            data =<\/span> f<\/span>'className=<\/span>{<\/span>array[0<\/span>]}<\/span>&methodName=<\/span>{<\/span>array[1<\/span>]}<\/span>&ampparams=<\/span>{<\/span>array[2<\/span>]}<\/span>'<\/span>
<\/span><\/span>            flow.<\/span>request.<\/span>set_text(data)
<\/span><\/span>
<\/span><\/span>    def<\/span> response<\/span>(self, flow):
<\/span><\/span>        if<\/span> flow.<\/span>request.<\/span>path.<\/span>endswith("\/RMIServlet"<\/span>) and<\/span> flow.<\/span>request.<\/span>method ==<\/span> "POST"<\/span>:
<\/span><\/span>            response =<\/span> flow.<\/span>response.<\/span>get_text()
<\/span><\/span>            data_byte =<\/span> bytearray(response, "UTF-8"<\/span>)
<\/span><\/span>            encoded_byte =<\/span> self.<\/span>encode(data_byte)
<\/span><\/span>            encoded_str =<\/span> encoded_byte.<\/span>decode("UTF-8"<\/span>)
<\/span><\/span>            flow.<\/span>response.<\/span>set_text(encoded_str)
<\/span><\/span>
<\/span><\/span>    def<\/span> decode<\/span>(self, data_byte):
<\/span><\/span>        for<\/span> i in<\/span> range(len(data_byte)):
<\/span><\/span>            tmp =<\/span> data_byte[i]
<\/span><\/span>            if<\/span> 0<\/span> <<\/span> tmp <<\/span> len(self.<\/span>decode_array):
<\/span><\/span>                encode_char =<\/span> self.<\/span>decode_array[tmp]
<\/span><\/span>                if<\/span> encode_char !=<\/span> 0<\/span>:
<\/span><\/span>                    data_byte[i] =<\/span> encode_char
<\/span><\/span>        return<\/span> data_byte
<\/span><\/span>
<\/span><\/span>    def<\/span> encode<\/span>(self, data_byte):
<\/span><\/span>        for<\/span> i in<\/span> range(len(data_byte)):
<\/span><\/span>            tmp =<\/span> data_byte[i]
<\/span><\/span>            if<\/span> 0<\/span> <<\/span> tmp <<\/span> len(self.<\/span>decode_array) and<\/span> tmp not<\/span> in<\/span> (37<\/span>, 47<\/span>):
<\/span><\/span>                encode_char =<\/span> self.<\/span>decode_array[tmp]
<\/span><\/span>                if<\/span> encode_char !=<\/span> 0<\/span>:
<\/span><\/span>                    data_byte[i] =<\/span> encode_char
<\/span><\/span>        return<\/span> data_byte
<\/span><\/span>
<\/span><\/span>addons =<\/span> [Mimit(), ]
<\/span><\/span><\/code><\/pre>4.3 代理配置<\/h3>
使用以下命令启动 mitmdump：<\/p>
mitmdump -p 6666<\/span> -s main.py --mode upstream:http:\/\/127.0.0.1:6662 --ssl-insecure
<\/span><\/span><\/code><\/pre>配置说明：<\/p>

-p 6666<\/code>：设置监听端口<\/li>
-s main.py<\/code>：指定插件脚本<\/li>
--mode upstream:http:\/\/127.0.0.1:6662<\/code>：设置上游代理为 BurpSuite<\/li>
--ssl-insecure<\/code>：忽略 SSL 证书验证<\/li>
<\/ul>
BurpSuite 配置：<\/p>

打开 Proxy → Options<\/li>
添加 Proxy listener，绑定 6662 端口<\/li>
确保 "Support invisible proxying" 选项启用<\/li>
<\/ol>
5. 其他配置方式<\/h2>
5.1 双向加密\/解密流程<\/h3>
当服务器只识别密文时，可以配置两重代理：<\/p>

第一层 mitmdump（解密）：<\/li>
<\/ol>
mitmdump -p 6666<\/span> -s dec.py --mode upstream:http:\/\/127.0.0.1:6662 --ssl-insecure
<\/span><\/span><\/code><\/pre>
第二层 mitmdump（加密）：<\/li>
<\/ol>
mitmdump -p 7777<\/span> -s enc.py
<\/span><\/span><\/code><\/pre>
BurpSuite 配置：

在 Proxy → Options → Upstream Proxy Servers 中添加规则<\/li>
目标主机：应用服务器地址<\/li>
代理主机：127.0.0.1<\/li>
代理端口：7777<\/li>
<\/ul>
<\/li>
<\/ol>
6. 关键点总结<\/h2>

插件开发<\/strong>：通过编写 Python 插件实现请求\/响应的修改<\/li>
代理链<\/strong>：使用 --mode upstream<\/code> 构建代理链<\/li>
SSL 绕过<\/strong>：--ssl-insecure<\/code> 参数忽略证书验证<\/li>
双向处理<\/strong>：请求解密和响应加密需要分别处理<\/li>
BurpSuite 集成<\/strong>：通过上游代理配置实现与 BurpSuite 的联动<\/li>
<\/ol>
7. 参考链接<\/h2>

mitmproxy 官方文档<\/a><\/li>
mitmproxy 插件示例<\/a><\/li>
<\/ol>

Mitmproxy 数据包解密实战教程<\/h1>

2. 安装方法<\/h2>

macOS 安装<\/h3> brew install mitmproxy <\/span><\/span><\/code><\/pre>其他系统<\/h3> 从mitmproxy官网<\/a>下载对应版本安装<\/p> 3. 基本使用<\/h2> 3.1 编写插件示例<\/h3> 以下是一个简单的插件示例，用于在每个响应中添加 HTTP 头：<\/p>

其他系统<\/h3> 从mitmproxy官网<\/a>下载对应版本安装<\/p>

3. 基本使用<\/h2> 3.1 编写插件示例<\/h3> 以下是一个简单的插件示例，用于在每个响应中添加 HTTP 头：<\/p>

3.1 编写插件示例<\/h3> 以下是一个简单的插件示例，用于在每个响应中添加 HTTP 头：<\/p>

3.2 启动 mitmdump<\/h3> mitmdump -s http-add-header.py -p 6666<\/span> <\/span><\/span><\/code><\/pre>然后配置浏览器代理为 127.0.0.1:6666<\/code><\/p> 4. 应用实战：数据包解密<\/h2> 4.1 加密\/解密分析<\/h3> 从 Java 代码分析加密逻辑：<\/p>

4. 应用实战：数据包解密<\/h2> 4.1 加密\/解密分析<\/h3> 从 Java 代码分析加密逻辑：<\/p>

4.1 加密\/解密分析<\/h3> 从 Java 代码分析加密逻辑：<\/p>

5. 其他配置方式<\/h2>

7. 参考链接<\/h2> mitmproxy 官方文档<\/a><\/li> mitmproxy 插件示例<\/a><\/li> <\/ol>

其他系统<\/h3>
从mitmproxy官网<\/a>下载对应版本安装<\/p>

7. 参考链接<\/h2>

mitmproxy 官方文档<\/a><\/li>
mitmproxy 插件示例<\/a><\/li> <\/ol>