A penetration test of c/s Architecture - Request encryption, decryption and test
2022-06-24 07:27:00 【Xiaoxiang Xin'an】
Statement: Most of the content on this official account comes from the author's daily notes; a few articles are reposted with the authorization of the original author and account. Unauthorized reprinting is strictly prohibited; if you want to reprint, get in touch first. Do not use the techniques in this article for illegal testing; the author and the official account bear no responsibility for any adverse consequences.
0x01 Summary
The target site is http://www.example.com. The official website publishes API documentation, but testing it turned up no vulnerability, and neither directory enumeration nor port scanning found anything usable. Later I noticed that the official website also offers a client download, so I tested the client instead.
0x02 Information gathering
First, capture the client's traffic. Neither Fiddler nor Burp Suite could intercept it, which raised the suspicion that it was not HTTP at all, so I used Wireshark to check whether it really uses HTTP; Wireshark sees the traffic, but its captures are hard to replay.
In the end I used WSExplorer to capture the traffic of the specific process, and that successfully produced the communication data. The data is shown below: green is the request packet, red is the response packet.
The packet has two parts: one is the request line plus request headers, the other is the request body. Put them together and load them into Burp Suite to replay the packet.
0x03 Testing process
You can see that the request packet is encrypted before transmission and the response packet comes back encrypted too. But encryption and decryption always happen on the client, so the client is the place to start the analysis.
Checking for a packer with Exeinfo PE shows that it is a C# program built on the .NET Framework.
dnSpy, a reverse engineering tool for .NET programs, can be used to analyze the client's encryption and decryption. After opening the binary I found that the class and method names are irregular strings of digits and letters: the code is obfuscated.
Obfuscated code is impractical to read, so try deobfuscating it with de4dot, which supports the output of many obfuscation tools. After deobfuscation you get the program origin-cleaned.exe:
de4dot-x64.exe origin.exe
Drag the deobfuscated program into dnSpy: the names have largely been restored and readability is much improved.
Because its communication uses HTTP, there is a class named HttpHelper. Following it into the code, there is also a Post function, suspected to be the method that encrypts the data and issues the POST request, as pictured.
It calls MM.Encrypt() to encrypt the request parameters. Following that method, the key encryption function turns out to be test05 in the MM class.
Set a breakpoint to verify that the program calls this function to encrypt data before transmitting it; I placed the breakpoint between the plaintext and the ciphertext.
Press F5 to start the program, enter the account and the password test123456, and log in.
The program stops at the breakpoint; the plaintext contains the account I entered, test123456, and the MD5 hash of the password.
Continue execution to get the encrypted content; this confirms that this encryption function is the one being called.
Then I confirmed that response decryption calls test06 in the MM class. Both the request-encryption function test05 and the response-decryption function test06 call the corresponding functions in a DLL.
Encryption and decryption here use two different routines, so the decryption function cannot be used to decrypt the encrypted request data. For convenient and fast encryption and decryption during testing, I extracted the two functions, which still call into the DLL, and compiled them into a separate program; this way there is no need to analyze the algorithm itself.
I compiled it with SharpDevelop; Visual Studio kept reporting errors...
using System.Text;

// test05 and test06 are the encrypt/decrypt wrappers copied from the client's MM class;
// they call the corresponding routines in the client's DLL, so the algorithm never
// has to be reimplemented here.
public static string decryptResponse(string cipher)
{
    if (string.IsNullOrEmpty(cipher))
        return string.Empty; // ref bytes[0] would throw on an empty array
    byte[] bytes = Encoding.UTF8.GetBytes(cipher);
    byte[] array = new byte[bytes.Length + 128]; // output buffer, sized as the client does
    int count = test06(ref bytes[0], ref array[0]); // returns the number of plaintext bytes written
    string text = Encoding.UTF8.GetString(array, 0, count);
    return text;
}

public static string encryptRequest(string plain)
{
    if (string.IsNullOrEmpty(plain))
        return string.Empty;
    byte[] bytes = Encoding.UTF8.GetBytes(plain);
    int num = bytes.Length * 2 + 128; // output buffer, sized as the client does
    if (num < 32)
    {
        num = 64;
    }
    byte[] array = new byte[num];
    int num2 = test05(ref bytes[0], ref array[0]); // returns the number of ciphertext bytes written
    string result = Encoding.UTF8.GetString(array, 0, num2);
    return result;
}
Encryption
Decryption
Then use Python's Flask framework to write a local proxy forwarder, which makes replay testing in Burp Suite convenient.
from flask import request, Flask
from urllib.parse import quote
import requests
import os

headers = {
    'User-Agent': 'Mozilla',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept-Encoding': 'gzip, deflate',
}
app = Flask('example')


@app.route('/example', methods=['POST'])
def proxy():
    # Burp sends a plaintext form here; rebuild it as the '&key=value' body the client uses
    form = request.form
    request_plain = ''
    for key in form:
        request_plain += '&{}={}'.format(key, form[key])
    response_plain = test(request_plain)
    return response_plain


def encrypt(filename):
    encrypt_cmd = 'crypto.exe -encrypt {}'.format(filename)  # the content to encrypt is read from the file
    result = os.popen(encrypt_cmd)  # run the extracted encryption program
    request_cipher = quote(result.read())  # URL-encode the ciphertext so '+' becomes %2B; only then does the server decode it correctly
    return request_cipher


def decrypt(filename):
    decrypt_cmd = 'crypto.exe -decrypt {}'.format(filename)  # the content to decrypt is read from the file
    result = os.popen(decrypt_cmd)  # run the extracted decryption program
    response_plain = result.read()  # read the decrypted content
    return response_plain


def test(request_plain):
    url = 'http://example.com/api/'
    plain_txt = 'plain.txt'
    with open(plain_txt, 'w') as f1:
        f1.write(request_plain)  # store the plaintext in plain.txt
    request_cipher = encrypt(plain_txt)  # encrypt the plaintext
    response = requests.post(url=url, data=request_cipher, headers=headers)  # send the request
    cipher_txt = 'cipher.txt'
    with open(cipher_txt, 'w') as f2:
        f2.write(response.text)  # store the ciphertext in cipher.txt
    response_plain = decrypt(cipher_txt)  # decrypt the ciphertext
    return response_plain


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=9999, debug=True)

The process is as follows:
- Send the plaintext packet locally to the proxy
- The proxy receives the request packet
- The proxy calls the extracted program to encrypt the request
- The encrypted packet is forwarded to the server
- The proxy calls the extracted program to decrypt the server's response
- The plaintext data is returned locally
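The relay logic of this proxy, as an added example that is not code from the original post, reduced to pure functions so it runs offline. The toy cipher (KEY, MARKER, toy_encrypt, toy_decrypt) and fake_server are constructed stand-ins for the client's crypto.exe and the real API; the url_encode switch shows why the proxy has to percent-encode the ciphertext before posting it as a form body.

```python
# Added example, not code from the original post. The toy cipher, KEY, MARKER and
# fake_server are constructed stand-ins for the client's crypto.exe and the real API.
import base64
from typing import Callable, Dict
from urllib.parse import quote, unquote_plus

KEY = b"constructed-key"
MARKER = b"\xfb\xef\xbe"  # base64-encodes to "++++", so every stand-in ciphertext contains '+'


def toy_encrypt(plain: str) -> str:
    """Stand-in for 'crypto.exe -encrypt': marker + XOR with KEY, then base64."""
    raw = plain.encode("utf-8")
    body = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw))
    return base64.b64encode(MARKER + body).decode("ascii")


def toy_decrypt(cipher: str) -> str:
    """Stand-in for 'crypto.exe -decrypt'. validate=True rejects characters that a
    form decoder may have introduced (a space where a '+' used to be)."""
    data = base64.b64decode(cipher, validate=True)
    if not data.startswith(MARKER):
        raise ValueError("missing marker")
    body = data[len(MARKER):]
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(body)).decode("utf-8")


def form_to_plain(form: Dict[str, str]) -> str:
    """Rebuild the '&key=value' body the client sends, as the post's proxy() does."""
    return "".join("&{}={}".format(k, v) for k, v in form.items())


def fake_server(body: str) -> str:
    """Models the real API: a form parser decodes the body first ('+' -> ' ',
    '%2B' -> '+'), then the ciphertext is decrypted and an encrypted reply returned."""
    try:
        plain = toy_decrypt(unquote_plus(body))
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return toy_encrypt("error: request could not be decrypted")
    return toy_encrypt("ok:" + plain)


def relay(form: Dict[str, str], url_encode: bool = True,
          send: Callable[[str], str] = fake_server) -> str:
    """The proxy's core: plaintext form in, plaintext response out.
    url_encode=False reproduces the pitfall noted in the post's encrypt() comment."""
    cipher = toy_encrypt(form_to_plain(form))
    body = quote(cipher) if url_encode else cipher  # quote() turns '+' into %2B
    return toy_decrypt(send(body))
```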
The endpoint is the same for every request; only the parameters in the request body change. CodeService contains the plaintext for all of the interfaces, so extract them all.
Testing in Burp Suite then works normally~
Finally, SQL injection was found in one of the interfaces.
Source of the article: CSDN Blog, original address: https://blog.csdn.net/qq_32727277/article/details/102783316