2025-02-14 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article walks through an example of the Mini Program unpacking and packet capture process used in network security penetration testing. Most people are not very familiar with it, so it is shared here for reference.
Mini Program testing process
Testing is divided into two parts: unpacking, which can uncover information leakage problems and hidden interfaces, and packet capture, which can be used to test logic vulnerabilities and API security problems. Combining the two lets you test while debugging, which makes security testing more convenient.
Search for target Mini Program
The target search should not be limited to the main organization. Supporting organizations, suppliers, wholly-owned subsidiaries and so on may also be entry points, so their Mini Programs should not be overlooked.
Mini Program subject information confirmation
Check the Mini Program's account subject information. Testing the wrong target wastes time, and it may also carry legal risk.
Open the Mini Program
Click "More" to see the information about the Mini Program.
Obtain the Mini Program package on the PC side
First, search for the Mini Program in WeChat, open it and browse it briefly.
Then find the WeChat package under applet in the path where Mini Program files are saved. You can quickly locate the target package by its timestamp or by the Mini Program's appid.
The Mini Program package on the WeChat PC client is encrypted. You need to use a tool to decrypt it.
Process of obtaining the Mini Program package on Windows
Open the decryption tool, create a wxpack folder in the tool directory (the decrypted Mini Program package will be placed there), and run the tool to decrypt the Mini Program package you need to work on.
Mobile side
Find the corresponding directory and pull the package out.
Android save path: /data/data/com.tencent.mm/MicroMsg/{subscriber ID}/appbrand/pkg/
iOS save path: /var/mobile/Containers/Data/Application/{Program UUID}/Library/WechatPrivate/{subscriber ID}/WeApp/LocalCache/release/{Program ID}/
Because the Android data directory requires root access, a rooted phone or emulator is required.
Process of obtaining the Mini Program package with an Android emulator
I use the Nox (Night God) emulator here. Log in to WeChat and open the Mini Program.
Copy the package into mnt -> shared -> Other, which is the emulator's shared directory, and it will be synchronized to the PC automatically.
Unpack
Tool address: https://www.yisu.com/softs/603120.html
Environment installation
npm install uglify-es --save
npm install esprima --save
npm install css-tree --save
npm install cssbeautify --save
npm install vm2 --save
npm install js-beautify --save
npm install escodegen --save
npm install cheerio --save
Then run: node wuWxapkg.js xxxxxx.wxapkg
If nothing goes wrong, this just works, but things often do go wrong. Node version problems, dependency problems and so on may cause unpacking to fail. In that case, those who understand Node.js can study the Mini Program's packaging and compression logic in depth, and then start the second project. If you don't understand it and don't plan to do in-depth research in this area, change your target.
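An added triage check for the unpacking failures described above (not part of the original article or of the unpacker project): it tells a still-encrypted PC package from a malformed one and lists the file index with bounds checks. The header layout and the `V1MMWX` marker are assumptions taken from the commonly documented wxapkg format; `inspectWxapkg` and `buildSample` are hypothetical names.

```javascript
// Added example. Assumed layout (commonly documented, not stated on this page):
//   0xBE | u32 reserved | u32 indexLen | u32 dataLen | 0xED   (14-byte header)
//   u32 fileCount, then per file: u32 nameLen | name | u32 offset | u32 size
// All integers are big-endian; offsets count from the start of the file.
const HEADER_LEN = 14;
const PC_ENCRYPTED_MARK = 'V1MMWX'; // assumed prefix of a still-encrypted PC package
const invalid = (reason, files = []) => ({ status: 'invalid', reason, files });

function inspectWxapkg(buf) {
  if (buf.toString('latin1', 0, 6) === PC_ENCRYPTED_MARK) return { status: 'encrypted', files: [] };
  if (buf.length < HEADER_LEN + 4 || buf[0] !== 0xbe || buf[13] !== 0xed) {
    return invalid('bad magic or truncated header');
  }
  const indexEnd = HEADER_LEN + buf.readUInt32BE(5);
  if (indexEnd + buf.readUInt32BE(9) > buf.length) return invalid('declared lengths exceed file size');
  const count = buf.readUInt32BE(HEADER_LEN);
  const files = [];
  let pos = HEADER_LEN + 4;
  for (let i = 0; i < count; i++) {
    if (pos + 4 > indexEnd) return invalid('index truncated', files);
    const nameLen = buf.readUInt32BE(pos);
    if (pos + 4 + nameLen + 8 > indexEnd) return invalid('index truncated', files);
    const name = buf.toString('utf8', pos + 4, pos + 4 + nameLen);
    const offset = buf.readUInt32BE(pos + 4 + nameLen);
    const size = buf.readUInt32BE(pos + 8 + nameLen);
    pos += 12 + nameLen;
    if (offset + size > buf.length) return invalid(`entry ${name} out of bounds`, files);
    // Entry names come from the package itself: flag any that would climb
    // out of the output directory if an unpacker wrote them as-is.
    files.push({ name, offset, size, unsafe: name.split('/').includes('..') });
  }
  return { status: 'ok', files };
}

// Constructed sample (not a real Mini Program): a package holding one file.
function buildSample(name, body) {
  const n = Buffer.from(name), b = Buffer.from(body);
  const index = Buffer.alloc(16 + n.length);
  index.writeUInt32BE(1, 0);                                    // fileCount
  index.writeUInt32BE(n.length, 4);                             // nameLen
  n.copy(index, 8);
  index.writeUInt32BE(HEADER_LEN + index.length, 8 + n.length); // offset
  index.writeUInt32BE(b.length, 12 + n.length);                 // size
  const head = Buffer.alloc(HEADER_LEN);
  head[0] = 0xbe; head[13] = 0xed;
  head.writeUInt32BE(index.length, 5);
  head.writeUInt32BE(b.length, 9);
  return Buffer.concat([head, index, b]);
}
```

An `encrypted` result means the PC-side decryption step has not been run yet; an `invalid` result points to a damaged or partial copy rather than a Node or dependency problem.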
Debug
Open the WeChat developer tool and select Import Project.
After importing the project, there may be some code errors that need to be fixed manually. Once there are no errors, you can compile the project and then debug it.
Remember to check the "do not verify legitimate domain name" option in the "Local Settings" module.
Some Mini Programs contain third-party plug-ins, and the plug-ins are found directly in the WeChat client. However, we can search for plug-ins under Settings -> Third-party Settings -> Add Plug-ins by logging in to the WeChat open platform of the app.
Packet capture
Put simply, configure a global proxy so that WeChat's traffic goes through it. First open the packet capture tool and configure its proxy, then modify the Windows proxy configuration.
You can then capture the packets and analyze them.