记一个逆天的request




原始输入：username: admin123
password: admin123

POST /contingency/xxx/login HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 445
sec-ch-ua-platform: "Windows"
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
sec-ch-ua-mobile: ?0
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/contingency/xxx/index
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9

params=eyJhY2NvdW50IjoiVklXVFpiUkh2NjI4b3draUk5a0RMdz09IiwicGFzc3dvcmQiOiJWSVdUWmJSSHY2Mjhvd2tpSTlrREx3PT0iLCJrYXB0Y2hhIjoicHltYk85SXVOU0NaWUVFVDZaVjBEdz09IiwidXVpZCI6IjlGbzlpYkdKdlJxZXRCWXJ1WUVMbmkyNUNNakduc3N5aFRXT3dTVU1qSVFzRGpaNCtodWNVaWNMTmw2SmNMQysiLCJ2ZXJzaW9uIjoiYW5kcm9pZCIsInR5cGUiOjAsInZ0eXBlIjoiMSIsImVjYXRpZCI6IjBkQVhKV1N2eGJYM3V5aXpDQm1mSWc9PSIsImFjY3NtcyI6IjBkQVhKV1N2eGJYM3V5aXpDQm1mSWc9PSIsIlRpbWVzdGFtcCI6MTc0NTkxMDQ2NTEzNX0=

看起来是 JWT，搞一下（得先转一次 URL）

掐头去尾，只留 payload

{
"account" : "VIWTZbRHv628owkiI9kDLw==",
"password" : "VIWTZbRHv628owkiI9kDLw==",
"kaptcha" : "pymbO9IuNSCZYEET6ZV0Dw==",
"uuid" : "9Fo9ibGJvRqetBYruYELni25CMjGnssyhTWOwSUMjIQsDjZ4+hucUicLNl6JcLC+",
"version" : "android",
"type" : 0,
"vtype" : "1",
"ecatid" : "0dAXJWSvxbX3uyizCBmfIg==",
"accsms" : "0dAXJWSvxbX3uyizCBmfIg==",
"Timestamp" : 1745910465135
}

这里的 base64 看着不大对劲，解码后发现是二进制数据，推测是 AES 加密后的结果。观察到 JS 里有个 AES_util，去看看。

// Injects two <script> tags through document["write"] (the property name is spelled
// with \u escapes). Each tag string is stored reversed and flipped back at runtime;
// they resolve to src='../js/lib/aes.js' and src='../js/lib/base64.js'. The two
// variables receive document.write's return value, not the loaded libraries.
var CryptoJS=document["\u0077\u0072\u0069\u0074\u0065"](">tpircs/<>'sj.sea/bil/sj/..'=crs tpircsavaj=egaugnal tpircs<".split("").reverse().join(""));var base64=document["\u0077\u0072\u0069\u0074\u0065"](">tpircs/<>'sj.46esab/bil/sj/..'=crs tpircsavaj=egaugnal tpircs<".split("").reverse().join(""));
// Obfuscated original (obfuscator.io style, see the deobfuscator used further down)
// of the code that is shown deobfuscated below: a string table (_0x5154) whose
// entries are partly stored reversed, an IIFE that rotates the table until a
// parseInt() checksum equals 0x37ac5, the _0x443f table accessor, the aeskey
// truncate/pad routine, Encrypt() and the hand-rolled ECB mode getEcb().
// The line breaks in this listing are display wrapping and fall mid-statement.
(function(_0x2aea55,_0x2e748c){function _0x5d75a2(_0xfa7611,_0x826155,_0x142aa5,_0x2f38d2,_0x4f13a3){return _0x443f(_0x826155- -0x269,_0x2f38d2);}function _0x20b738(_0x43a86a,_0x236ea2,_0x4277db,_0x58fcc9,_0x455dc8){return _0x443f(_0x455dc8- -0x188,_0x58fcc9);}function _0x1e3d5b(_0x2f499a,_0xcf883d,_0x512890,_0x3bba1e,_0x740335){return _0x443f(_0x2f499a-0x14f,_0x3bba1e);}var _0x2ad42e=_0x2aea55();function _0x3d720e(_0x12ddf5,_0x587ddd,_0x38da58,_0x2a12bd,_0x4eeffd){return _0x443f(_0x38da58-0x161,_0x2a12bd);}function _0x2446fa(_0x5f3621,_0x1ae4e7,_0x38695c,_0x1cc263,_0x13bf6e){return _0x443f(_0x38695c-0x3cf,_0x1ae4e7);}while(!![]){try{var _0x122ced=parseInt(_0x5d75a2(-0x268,-0x264,-0x26e,-0x267,-0x267))/0x1*(parseInt(_0x5d75a2(-0x24a,-0x24e,-0x248,-0x249,-0x24e))/0x2)+-parseInt(_0x3d720e(0x181,0x17f,0x177,0x17f,0x179))/0x3*(-parseInt(_0x5d75a2(-0x24b,-0x259,-0x260,-0x267,-0x250))/0x4)+-parseInt(_0x20b738(-0x176,-0x172,-0x16c,-0x178,-0x167))/0x5*(parseInt(_0x2446fa(0x3fa,0x3db,0x3eb,0x3e3,0x3f9))/0x6)+parseInt(_0x5d75a2(-0x25c,-0x265,-0x26a,-0x26a,-0x25f))/0x7+parseInt(_0x5d75a2(-0x24c,-0x252,-0x248,-0x260,-0x240))/0x8+parseInt(_0x20b738(-0x194,-0x17d,-0x188,-0x178,-0x188))/0x9*(parseInt(_0x1e3d5b(0x150,0x151,0x148,0x161,0x157))/0xa)+-parseInt(_0x5d75a2(-0x253,-0x25d,-0x25e,-0x264,-0x25b))/0xb;if(_0x122ced===_0x2e748c){break;}else{_0x2ad42e["\u0070\u0075\u0073\u0068"](_0x2ad42e["\u0073\u0068\u0069\u0066\u0074"]());}}catch(_0x40a231){_0x2ad42e["\u0070\u0075\u0073\u0068"](_0x2ad42e["\u0073\u0068\u0069\u0066\u0074"]());}}})(_0x5154,0x37ac5);var _0x5f=0x6+0x9;function _0x4d1802(_0x5ec7f3,_0x5d6a04,_0x4eea62,_0x3948d7,_0x3e3f76){return _0x443f(_0x3e3f76- -0x1f5,_0x3948d7);}var aeskeyOriginal=_0x4d1802(-0x1cb,-0x1e3,-0x1dc,-0x1d6,-0x1dd);function _0x443f(_0x3c35be,_0x5154ce){var _0x443fce=_0x5154();_0x443f=function(_0x56e89c,_0x384a2){_0x56e89c=_0x56e89c-0x0;var _0x5089ac=_0x443fce[_0x56e89c];return _0x5089ac;};return _0x443f(_0x3c35be,_0x5154ce);}function _0x5154(){var 
_0x31fd54=["\u0065\u006e\u0063","KINoJq9212251".split("").reverse().join(""),"VwGnXp112".split("").reverse().join(""),"\u0070\u0061\u0072\u0073\u0065","kcolBtpyrced".split("").reverse().join(""),"gnirtsbus".split("").reverse().join(""),"htgnel".split("").reverse().join(""),'Pkcs7',"dap".split("").reverse().join(""),"bfkGlR4990788".split("").reverse().join(""),'lib',"dnetxe".split("").reverse().join(""),"\u0055\u0074\u0066\u0038","JZWyCW6922411".split("").reverse().join(""),"\u0045\u006e\u0063\u0072\u0079\u0070\u0074\u006f\u0072","\u0041\u0045\u0053","cdph".split("").reverse().join(""),"\u0044\u0065\u0063\u0072\u0079\u0070\u0074\u006f\u0072",'ehpe',"\u0033\u0073\u0056\u0041\u0042\u0046\u0062",'3260760oYubim','202306045YDZCWGZ',"rehpic_".split("").reverse().join(""),'FbKtv',"ClRYxq0501".split("").reverse().join(""),'4194meseVb',"gnirtSot".split("").reverse().join(""),'jrCCd',"\u0065\u006e\u0063\u0072\u0079\u0070\u0074","\u0042\u006c\u006f\u0063\u006b\u0043\u0069\u0070\u0068\u0065\u0072\u004d\u006f\u0064\u0065","TnZGlN55".split("").reverse().join(""),"rorre".split("").reverse().join(""),"\u0039\u006d\u0043\u0047\u004b\u004d\u0054",'207890VhBBQE',"\u0065\u006e\u0063\u0072\u0079\u0070\u0074\u0042\u006c\u006f\u0063\u006b"];_0x5154=function(){return _0x31fd54;};return _0x5154();}_0x5f=0x9;var aeskey=function(_0x3f2016){var _0x4a103f;function _0x1920ce(_0x59e125,_0x554a7d,_0x5133f6,_0x110b7f,_0x54a95f){return _0x443f(_0x5133f6- -0x187,_0x59e125);}var _0x435ae5=_0x3f2016["\u006c\u0065\u006e\u0067\u0074\u0068"];function _0x82f4cd(_0x2ae74f,_0x41daa4,_0x3ff6ff,_0x1f1b0e,_0x1249c1){return _0x443f(_0x41daa4-0x3ac,_0x1249c1);}function _0x4116f3(_0x528f7a,_0x2f6820,_0x15364f,_0x1c9966,_0x57853b){return _0x443f(_0x15364f-0x2ab,_0x57853b);}function _0x463cdc(_0x3344bd,_0x2a003b,_0x4862fa,_0x3797da,_0x22c871){return 
_0x443f(_0x3344bd-0x55,_0x4862fa);}_0x4a103f=0x1;if(_0x435ae5>(0xdb71e^0xdb70e)){_0x3f2016=_0x3f2016['substring'](0x1fc64^0x1fc64,0x53c69^0x53c79);}if(_0x435ae5<(0x2011b^0x2010b)){if(_0x463cdc(0x73,0x63,0x68,0x63,0x65)===_0x463cdc(0x73,0x6a,0x7b,0x66,0x6b)){var _0x4a8e78;var _0xc0aad7=(0x7097b^0x7096b)-_0x435ae5;_0x4a8e78=_0x1920ce(-0x177,-0x174,-0x172,-0x16b,-0x166);var _0x145175=['G',"\u005a",'Z','S'];for(var _0x21fe72=0x3dbf9^0x3dbf9;_0x21fe72<_0xc0aad7;_0x21fe72++){console['error'](_0x145175[_0x21fe72%(0xb4917^0xb4913)]);_0x3f2016=_0x3f2016+_0x145175[_0x21fe72%(0x904a3^0x904a7)];}}else{var _0x1ed31f;var _0xa8c99e=(0x7097b^0x7096b)-_0xd66675;_0x1ed31f=_0x4116f3(0x2c3,0x2cd,0x2c0,0x2af,0x2b4);var _0x1aa99a=["\u0047","\u005a",'Z','S'];for(var _0x32f003=0x3dbf9^0x3dbf9;_0x32f003<_0xa8c99e;_0x32f003++){_0x19b9fe["\u0065\u0072\u0072\u006f\u0072"](_0x1aa99a[_0x32f003%(0xb4917^0xb4913)]);_0x50f28f=_0x3d143f+_0x1aa99a[_0x32f003%(0x904a3^0x904a7)];}}}return _0x3f2016;}(aeskeyOriginal);function Encrypt(_0xd38f18){var _0x24f3da=CryptoJS['enc']['Utf8']['parse'](aeskey);var _0x496e2a=0x0+0x5;var _0x1d81ab=CryptoJS["\u0065\u006e\u0063"]["\u0055\u0074\u0066\u0038"]['parse'](_0xd38f18);_0x496e2a=0x2;var _0x4e1e84=CryptoJS['AES']['encrypt'](_0x1d81ab,_0x24f3da,{'mode':getEcb(),'padding':CryptoJS["\u0070\u0061\u0064"]["\u0050\u006b\u0063\u0073\u0037"]});return _0x4e1e84['toString']();}function getEcb(){var _0x359456;var 
_0xd82ce2=CryptoJS["\u006c\u0069\u0062"]["\u0042\u006c\u006f\u0063\u006b\u0043\u0069\u0070\u0068\u0065\u0072\u004d\u006f\u0064\u0065"]["\u0065\u0078\u0074\u0065\u006e\u0064"]();_0x359456=_0x248003(-0x290,-0x297,-0x28b,-0x29b,-0x28e);_0xd82ce2['Encryptor']=_0xd82ce2['extend']({"\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u0042\u006c\u006f\u0063\u006b":function(_0x1ee2c8,_0x5518cc){this["\u005f\u0063\u0069\u0070\u0068\u0065\u0072"]["\u0065\u006e\u0063\u0072\u0079\u0070\u0074\u0042\u006c\u006f\u0063\u006b"](_0x1ee2c8,_0x5518cc);}});_0xd82ce2["\u0044\u0065\u0063\u0072\u0079\u0070\u0074\u006f\u0072"]=_0xd82ce2['extend']({'processBlock':function(_0x4e4888,_0x164758){function _0x22d224(_0x2fcea5,_0xc2e735,_0xe53dfd,_0x50985f,_0x500d93){return _0x443f(_0xe53dfd-0x1e9,_0xc2e735);}function _0x4e16ee(_0x5dc972,_0x16f7c4,_0x7996d1,_0x4ee193,_0x3accff){return _0x443f(_0x16f7c4-0x27,_0x4ee193);}if(_0x22d224(0x200,0x20f,0x203,0x206,0x1fc)!==_0x4e16ee(0x30,0x41,0x3d,0x3d,0x36)){var _0x3d5956=_0x318c97["\u0065\u006e\u0063"]['Utf8']["\u0070\u0061\u0072\u0073\u0065"](_0x434618);var _0x1f437c=0x0+0x5;var _0x59156a=_0x4556a7['enc']['Utf8']['parse'](_0x4f1109);_0x1f437c=0x2;var _0x37244f=_0x5e06d2["\u0041\u0045\u0053"]['encrypt'](_0x59156a,_0x3d5956,{"\u006d\u006f\u0064\u0065":_0x45b1d0(),"\u0070\u0061\u0064\u0064\u0069\u006e\u0067":_0x1c4aa3["\u0070\u0061\u0064"]["\u0050\u006b\u0063\u0073\u0037"]});return _0x37244f['toString']();}else{this['_cipher']['decryptBlock'](_0x4e4888,_0x164758);}}});function _0x248003(_0x1527d3,_0x5dcae2,_0x25f174,_0x213d3a,_0x33d22c){return _0x443f(_0x213d3a- -0x2ae,_0x33d22c);}return _0xd82ce2;}

明显经过混淆，反混淆一下：https://obf-io.deobfuscate.io/

// Loads the crypto helpers by document.write()-ing two <script> tags. The tag
// markup is stored reversed and flipped back at runtime; the resulting src values
// are '../js/lib/aes.js' and '../js/lib/base64.js'. Note that both variables are
// assigned document.write's return value, not the libraries themselves.
var CryptoJS = document.write(Array.from(">tpircs/<>'sj.sea/bil/sj/..'=crs tpircsavaj=egaugnal tpircs<").reverse().join(""));
var base64 = document.write(Array.from(">tpircs/<>'sj.46esab/bil/sj/..'=crs tpircsavaj=egaugnal tpircs<").reverse().join(""));
// Obfuscator anti-tamper rotation: keeps rotating the string table returned by
// getTable() (one push(shift()) per iteration) until an arithmetic mix of the
// parseInt()-ed table entries equals target. An exception inside the loop body
// is treated like a mismatch: the table is rotated and the check is retried.
(function (getTable, target) {
  var table = getTable();
  for (;;) {
    try {
      var t1 = parseInt(_0x443f(5, -0x267)) / 1 * (parseInt(_0x443f(27, -0x249)) / 2);
      var t2 = -parseInt(_0x443f(22, 0x17f)) / 3 * (-parseInt(_0x443f(16, -0x267)) / 4);
      var t3 = -parseInt(_0x443f(33, -0x178)) / 5 * (parseInt(_0x443f(28, 0x3db)) / 6);
      var t4 = parseInt(_0x443f(4, -0x26a)) / 7;
      var t5 = parseInt(_0x443f(23, -0x260)) / 8;
      var t6 = parseInt(_0x443f(0, -0x178)) / 9 * (parseInt(_0x443f(1, 0x161)) / 10);
      var t7 = -parseInt(_0x443f(12, -0x264)) / 11;
      if (t1 + t2 + t3 + t4 + t5 + t6 + t7 === target) {
        break;
      }
      table.push(table.shift());
    } catch (_err) {
      table.push(table.shift());
    }
  }
})(_0x5154, 0x37ac5);
// Obfuscator filler: declared here, reassigned once further down, not read
// anywhere in this listing.
var _0x5f = 0xf;
// Index wrapper left over from the obfuscator: only the 4th and 5th arguments
// are used, the 5th being offset by 0x1f5 to form the table index handed to
// _0x443f. Not called anywhere in this listing (aeskeyOriginal calls _0x443f
// directly).
function _0x4d1802(_0x5ec7f3, _0x5d6a04, _0x4eea62, _0x3948d7, _0x3e3f76) {
  var index = _0x3e3f76 + 0x1f5;
  return _0x443f(index, _0x3948d7);
}
// Raw key material: entry 24 of the (rotated) obfuscator string table, i.e. a
// constant embedded in this client-side script. See aeskey below for how it is
// normalised to 16 characters.
var aeskeyOriginal = _0x443f(0x18, -0x1d6);
// String-table accessor. On the first call it fetches the table from _0x5154()
// and replaces itself with a plain lookup closure over that array. The second
// argument is accepted but ignored.
function _0x443f(_0x3c35be, _0x5154ce) {
  var table = _0x5154();
  _0x443f = function (index, _ignored) {
    return table[index - 0x0];
  };
  return _0x443f(_0x3c35be, _0x5154ce);
}
// Returns the obfuscator's string table (35 entries). Several entries are stored
// reversed and flipped back here. The array is built once; afterwards _0x5154 is
// replaced by a closure that returns the same array object, so callers (and the
// rotation IIFE above) all share one instance.
function _0x5154() {
  var flip = function (s) {
    return s.split("").reverse().join("");
  };
  var table = [
    "enc",
    flip("KINoJq9212251"),
    flip("VwGnXp112"),
    "parse",
    flip("kcolBtpyrced"),
    flip("gnirtsbus"),
    flip("htgnel"),
    "Pkcs7",
    flip("dap"),
    flip("bfkGlR4990788"),
    "lib",
    flip("dnetxe"),
    "Utf8",
    flip("JZWyCW6922411"),
    "Encryptor",
    "AES",
    flip("cdph"),
    "Decryptor",
    "ehpe",
    "3sVABFb",
    "3260760oYubim",
    "202306045YDZCWGZ",
    flip("rehpic_"),
    "FbKtv",
    flip("ClRYxq0501"),
    "4194meseVb",
    flip("gnirtSot"),
    "jrCCd",
    "encrypt",
    "BlockCipherMode",
    flip("TnZGlN55"),
    flip("rorre"),
    "9mCGKMT",
    "207890VhBBQE",
    "encryptBlock",
  ];
  _0x5154 = function () {
    return table;
  };
  return _0x5154();
}
// Obfuscator filler: second write to _0x5f; the value is not read anywhere in
// this listing.
_0x5f = 9;
// Normalises aeskeyOriginal to a 16-character AES key. The key material is a
// constant shipped inside this client-side script, so it offers no secrecy
// against anyone who can read the page's scripts.
//  - longer than 16 chars: truncated to the first 16 (substring(0, 16));
//  - shorter than 16 chars: padded by cycling through 'G', 'Z', 'Z', 'S'.
// The inner if compares _0x443f(30, ...) with itself (table index 30 on both
// sides; _0x443f ignores its second argument), so only the first branch can
// run. The else branch uses identifiers that are not declared anywhere in this
// listing and is effectively dead code.
var aeskey = function (_0x3f2016) {
var _0x435ae5 = _0x3f2016.length;
if (_0x435ae5 > 16) {
_0x3f2016 = _0x3f2016.substring(0, 16);
}
if (_0x435ae5 < 16) {
if (_0x443f(30, 0x68) === _0x443f(30, 0x7b)) {
var _0x4a8e78;
var _0xc0aad7 = 16 - _0x435ae5; // number of padding characters needed
_0x4a8e78 = _0x443f(21, -0x177); // assigned, never read
var _0x145175 = ['G', "Z", 'Z', 'S'];
for (var _0x21fe72 = 0; _0x21fe72 < _0xc0aad7; _0x21fe72++) {
// Each padding character is also written to the browser console, so part of
// the final key ends up in clear in the devtools log.
console.error(_0x145175[_0x21fe72 % 4]);
_0x3f2016 = _0x3f2016 + _0x145175[_0x21fe72 % 4];
}
} else {
// Unreachable (see above); _0xd66675, _0x19b9fe, _0x50f28f and _0x3d143f are
// not defined in this listing, so this branch would throw if it ever ran.
var _0x1ed31f;
var _0xa8c99e = 16 - _0xd66675;
_0x1ed31f = _0x443f(21, 0x2b4);
var _0x1aa99a = ["G", "Z", 'Z', 'S'];
for (var _0x32f003 = 0; _0x32f003 < _0xa8c99e; _0x32f003++) {
_0x19b9fe.error(_0x1aa99a[_0x32f003 % 4]);
_0x50f28f = _0x3d143f + _0x1aa99a[_0x32f003 % 4];
}
}
}
return _0x3f2016;
}(aeskeyOriginal);
// AES-encrypts a UTF-8 string with the shared client-side key (aeskey) and
// returns the cipher result's toString() (the values seen in the captured
// request are Base64 strings). The mode is the hand-rolled ECB from getEcb()
// with PKCS#7 padding: there is no IV, so equal plaintexts under this key always
// give equal ciphertexts — compare the identical "account" and "password"
// values in the captured request, where both inputs were admin123.
function Encrypt(_0xd38f18) {
  var keyWords = CryptoJS.enc.Utf8.parse(aeskey);
  var dataWords = CryptoJS.enc.Utf8.parse(_0xd38f18);
  var cipherResult = CryptoJS.AES.encrypt(dataWords, keyWords, {
    mode: getEcb(),
    padding: CryptoJS.pad.Pkcs7,
  });
  return cipherResult.toString();
}
// Builds a custom block-cipher mode on top of CryptoJS.lib.BlockCipherMode.
// Each block is handed straight to _cipher.encryptBlock / decryptBlock with no
// chaining state and no IV — i.e. plain ECB. Identical plaintext blocks
// therefore encrypt to identical ciphertext blocks.
function getEcb() {
var _0x359456;
var _0xd82ce2 = CryptoJS.lib.BlockCipherMode.extend();
_0x359456 = _0x443f(19, -0x28e); // assigned, never read
_0xd82ce2.Encryptor = _0xd82ce2.extend({
"processBlock": function (_0x1ee2c8, _0x5518cc) {
// No state from a previous block is carried over.
this._cipher.encryptBlock(_0x1ee2c8, _0x5518cc);
}
});
_0xd82ce2.Decryptor = _0xd82ce2.extend({
'processBlock': function (_0x4e4888, _0x164758) {
// Both operands read table index 26 (_0x443f ignores its second argument), so
// the condition is always false and only the else branch runs. The if branch
// refers to identifiers (_0x318c97, _0x434618, ...) that are not declared
// anywhere in this listing.
if (_0x443f(26, 0x20f) !== _0x443f(26, 0x3d)) {
var _0x3d5956 = _0x318c97.enc.Utf8.parse(_0x434618);
var _0x1f437c = 5;
var _0x59156a = _0x4556a7.enc.Utf8.parse(_0x4f1109);
_0x1f437c = 0x2;
var _0x37244f = _0x5e06d2.AES.encrypt(_0x59156a, _0x3d5956, {
"mode": _0x45b1d0(),
"padding": _0x1c4aa3.pad.Pkcs7
});
return _0x37244f.toString();
} else {
this._cipher.decryptBlock(_0x4e4888, _0x164758);
}
}
});
return _0xd82ce2;
}

还是看不懂，让 AI 读一下：

很笨，但推测 AES key 为 encryptBlockGZZS，加密方式为 ECB（没有初始向量 IV）
目前AES还没解出来
加密流程图参考:

flowchart TD
A[JS生成UUID] --> B[传UUID到验证码接口]
B --> C[验证码接口返回验证码]
C --> D[用户输入账号密码验证码]
D --> E[JS接收账号密码验证码]
E --> F1[对账号加密]
E --> F2[对密码加密]
E --> F3[对验证码加密]
E --> F4[对ecatid加密]
E --> F5[对accsms加密]
F1 --> G1[账号Base64转码]
F2 --> G2[密码Base64转码]
F3 --> G3[验证码Base64转码]
F4 --> G4[ecatid Base64转码]
F5 --> G5[accsms Base64转码]
E --> H[获取version]
E --> I[获取type]
E --> J[获取vtype]
E --> K[获取uuid]
K --> L[加密UUID]
E --> M1[获取Timestamp]
E --> N1[获取catid]
N1 --> O1[对catid加密]
O1 --> P1[catid Base64转码]
G1 --> Q[生成JWT payload]
G2 --> Q
G3 --> Q
G4 --> Q
G5 --> Q
P1 --> Q
H --> Q
I --> Q
J --> Q
L --> Q
M1 --> Q
Q --> R[JWT编码payload]
R --> S[去掉header和签名]
S --> T[URL转码JWT信息]
T --> U[放入请求body]
U --> V[发送请求]

subgraph 加密和转码流程
F1 --> G1
F2 --> G2
F3 --> G3
F4 --> G4
F5 --> G5
O1 --> P1
end

subgraph 获取字段
E --> H
E --> I
E --> J
E --> K
E --> M1
E --> N1
N1 --> O1
end