抓包需要hook sslpinning
// hook_ssl_pinning
function logger(message) {
console.log(message);
Java.perform(function () {
var Log = Java.use("android.util.Log");
Log.v("ssl_pinnig_bypass", message);
});
}
Java.perform(function () {
try {
const x509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
const sSLContext = Java.use("javax.net.ssl.SSLContext");
const TrustManager = Java.registerClass({
implements: [x509TrustManager],
methods: {
checkClientTrusted(chain, authType) {
},
checkServerTrusted(chain, authType) {
},
getAcceptedIssuers() {
return [];
},
},
name: "cc.timer9527",
});
const TrustManagers = [TrustManager.$new()];
const SSLContextInit = sSLContext.init.overload(
"[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom");
SSLContextInit.implementation = function (keyManager, trustManager, secureRandom) {
SSLContextInit.call(this, keyManager, TrustManagers, secureRandom);
};
logger("[*][+] Hooked SSLContextInit")
} catch (e) {
logger("[*][-] Failed to hook SSLContextInit")
}
})
请求app1路径可以获取数字的返回值,提交参数中的sign是需要计算的,需要拿到每次请求的sign值
jadx反编译,并搜索app1,找到相关路由的定义
右键“查找用例”,发现有两处调用了该函数
选择第一个,点进去,发现sign参数的生成函数,跟进去
sign方法需要一个byte数组作为参数
最后返回一个String类型字符串,hook这个返回值,然后拿这个返回值去请求就可以了
frida rpc调用脚本如下。tips:由于js没有byte类型,传入sign方法的参数需要转化一下(stringToBytes函数)
//check1.js
function hookSign(str){
let result
let test = 0
Java.perform(function (){
let targetClassName = Java.use("com.yuanrenxue.match2022.security.Sign")
let targetClassNameObj = targetClassName.$new()
result = targetClassNameObj.sign(stringToBytes(str))
})
return result
}
function stringToBytes(str) {
var data = Java.use("java.lang.String").$new(str);
return data.getBytes();
}
rpc.exports = {
hooksign: hookSign
}
import frida, sys
import time
import requests
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print('msg: ', message)
print('test data2', data)
device = frida.get_usb_device()
# attach
session = device.attach("猿人学2022")
with open('check1.js', encoding='utf-8') as f:
jscode = f.read()
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
url = "https://appmatch.yuanrenxue.cn/app1"
headers = {
"Accept-Language": "zh-CN,zh;q=0.8",
"User-Agent": "Mozilla/5.0 (Linux; U; Android 8.1.0; zh-cn; Nexus 6P Build/OPM1.171019.011) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
"Cache-Control": "no-cache"
}
sum = 0
for i in range(1, 101):
t = str(int(time.time() * 1000))
payload = "page=" + str(i) + t
result = script.exports_sync.hooksign(payload)
print("sign>> ", result)
data = {
"page": str(i),
"sign": result,
"t": t,
"token": "IKLostJxwdM%20ktruxVoZSAZsS6hiThDIkGizuHGvfScO2jmu4OaGArRxg6lZdAUl"
}
resp = requests.post(url=url, data=data, headers=headers)
print(resp.json())
for x in resp.json()["data"]:
sum += int(x['value'].strip())
print("tmp >>: ", sum)
print("sum is >>: ", sum)
sys.stdin.read()
标签:function,Java,猿人,第一,app2022,sign,print,message,data From: https://www.cnblogs.com/planBinary/p/17746615.html