First, Overview
Nowadays, most web application backends encrypt the password in JavaScript on the admin login page, and some encrypt both the username and the password. Where encryption is used, we can either use a Burp plugin to call the encryption function locally and then brute-force, or use a tool that drives a simulated browser against the login page to brute-force.
Second, Tool introduction
1. Blasting (graphical brute-force tool). Advantages: automates brute-forcing and captcha recognition, is indifferent to the encryption method, and is easy to debug. Disadvantages: the results only include the title and response length, so they may contain false positives. Download: https://github.com/gubeihc/blasting
2. jsEncrypter | front-end encryption fuzz plugin. Advantages: installs in Burp, fast, high accuracy, results are easy to view. Disadvantages: the encryption JS must be downloaded locally, and the call to the encryption function must be located manually. Download: https://github.com/c0ny1/jsEncrypter
3. BurpCrypto | Burp plugin. Advantages: no need to download the JS; encryption and decryption are done inside Burp. Disadvantages: the encryption parameters must be located manually, and currently only AES/DES encryption and RSA public-key encryption are supported. Download: search for BurpCrypto in the Burp extension store and install it.
Third, Practical case
1. Using BurpCrypto to brute-force a login whose parameters are prefix + AES encryption
(1) Encryption method search
1. First enter the username 123 and password 456, then intercept the request with the packet-capture tool and inspect it.
2. Both the username and password have been encrypted, and the corresponding parameters are loginName and loginPwd.
3. Open the browser's F12 developer tools and search for loginName first.
4. Set a breakpoint wherever a call to the encryption function seems likely. A wrong guess costs nothing; just set the breakpoint a few times and watch what happens.
Here we see that the username and password have not yet been encrypted, but the username is prefixed with 'undefined#'. Scroll up to see more.
5. From the previous section we can see that loginName = orgid + '#' + loginName1 (undefined#123), which shows where the username prefix comes from. Continue reading.
6. Continue clicking step over to skip to the next function execution. As the following figure shows, AES is used to encrypt the username and password, and the key and IV are both provided here. Can we take the encrypted value, decrypt it and verify? Of course, but we still need to know the AES encryption mode. Continue scrolling down.
7. As the following figure shows, the AES mode is CBC, the padding is Pkcs7, and the encoding is base64.
8. Now verify with a decryption tool. As the following figure shows, the username and password decrypt successfully, proving that our encryption parameters are correct. The next step is to automate the encryption and brute-forcing.
(2) BurpCrypto usage and configuration method
1. Open Burp, select the plugin, configure the following parameters, click Add processor and enter any name.
2. Send the previously captured login packet to the brute-force module (Intruder) and mark both the username and the password as payload positions.
3. Next add the username dictionary and its processing rules: in the processing rules, first add the prefix undefined#, then add the BurpCrypto extension call. The password can be handled directly with the BurpCrypto extension call.
4. Click Start attack to run the brute-force. The plugin also supports decryption: select the whole ciphertext, right-click, and choose Get PlainText from the BurpCrypto menu.
The author of this article: Track-qishi