Android渗透测试HTTPS证书校验绕过
环境
nuexs 5
windows10
burpsuite
jeb3
情况分类
情况2、客户端存在对服务端证书的校验,服务器端不存在证书校验,即单向校验。
情况3、客户端存在证书校验,服务器也存在证书校验,双向校验。
情况1
情况2
绕过思路1
绕过思路2
绕过思路3
# -*- coding: utf-8 -*-
import frida, sys, re, sys, os
import codecs, time
APP_NAME = ''
def sbyte2ubyte(byte):
    """Map a signed byte value (e.g. -128..127 from a JVM byte[]) to 0..255.

    Works for any integer: the remainder of the division by 256 is taken,
    so negative inputs wrap around (-1 -> 255) and larger values are folded.
    """
    _, low = divmod(byte, 256)
    return low
def print_result(message):
    """Print *message* on stdout with the script's `[!] Received:` prefix."""
    line = '[!] Received: [{0}]'.format(message)
    print(line)
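def on_message(message, data):
    """Frida script message callback: print whatever the hook sends back.

    Args:
        message: dict delivered by Frida. A `send()` from hooks.js arrives
            with a 'payload' key; runtime errors arrive with type 'error'
            and a 'stack' entry.
        data: optional binary blob accompanying the message (unused here).

    A payload that is a list of ints is treated as a byte array (as sent by
    a hooked JVM byte[]): it is printed once as uppercase hex and once as the
    decoded text. Any other payload is printed as-is.
    """
    if 'payload' not in message:
        if message.get('type') == 'error':
            # Script-side exception: show the JS stack trace rather than the
            # wrapped dict.
            print(message.get('stack', message))
        else:
            print_result(message)
        return

    payload = message['payload']
    is_byte_list = (
        isinstance(payload, list)
        and bool(payload)  # data[0] on an empty list would raise IndexError
        and all(isinstance(b, int) for b in payload)
    )
    if is_byte_list:
        hexstr = ''.join('%02X' % sbyte2ubyte(b) for b in payload)
        print_result(hexstr)
        # str has no .decode('hex') on Python 3; bytes.fromhex is the
        # equivalent. Undecodable bytes are replaced instead of aborting.
        print_result(bytes.fromhex(hexstr).decode('utf-8', errors='replace'))
    else:
        # Strings, dicts, mixed lists: nothing to convert, print directly.
        print_result(payload)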
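def main():
    """Attach to the app named by APP_NAME over USB and run hooks.js in it.

    Reads the Frida script from ./hooks.js (relative to the current working
    directory), attaches to APP_NAME on the USB device, registers
    on_message as the script's message handler and then blocks on stdin
    until EOF or Ctrl-C so the hooks keep running.

    Raises:
        Whatever frida raises if no USB device or no such process is found;
        only KeyboardInterrupt is handled here.
    """
    try:
        # Read the hook source first so the file handle is released before
        # the long-lived attach/stdin wait.
        with codecs.open('hooks.js', 'r', encoding='utf8') as f:
            jscode = f.read()
        session = frida.get_usb_device().attach(APP_NAME)
        script = session.create_script(jscode)
        script.on('message', on_message)
        # The original message printed an empty "(pid: )"; report the target
        # we actually attached to instead.
        print('[*] Intercepting on %s ...' % APP_NAME)
        script.load()
        sys.stdin.read()
    except KeyboardInterrupt:
        # NOTE: nothing is killed here; the session is simply abandoned when
        # the process exits.
        print('[!] Killing app...')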
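if __name__ == '__main__':
    # Usage: python application.py <package-name>
    # Exactly one positional argument is expected: the target app's package
    # (process) name, which main() attaches to via APP_NAME.
    if len(sys.argv) > 1:
        APP_NAME = str(sys.argv[1])
        main()
    else:
        # The old message asked for "two arg"; only the package name is needed.
        print('must input one arg: the target package name')
        print('For example: python application.py packName')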
# python3.7
import sys
import subprocess
cmd = ['adb shell','su','cd /data/local/tmp','./frida-server-12-7-11-android-arm64']
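def Forward1():
    """Forward host tcp:27042 to the device's tcp:27042 with `adb forward`.

    Returns:
        The exit status of the adb command (0 on success).

    The command is passed as an argument list, so no host shell is involved
    and it also works on POSIX (a single string without shell=True is looked
    up as one executable name there). subprocess.run waits for adb to finish;
    the original Popen(...).returncode read immediately was always None
    because the process had not been waited on.
    """
    proc = subprocess.run(['adb', 'forward', 'tcp:27042', 'tcp:27042'])
    return proc.returncode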
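def Forward2():
    """Forward host tcp:27043 to the device's tcp:27043 with `adb forward`.

    Returns:
        The exit status of the adb command (0 on success).

    Same shape as Forward1: argument list instead of a command string (no
    host shell, portable to POSIX) and subprocess.run so the return code is
    real rather than the None that an un-waited Popen reports.
    """
    proc = subprocess.run(['adb', 'forward', 'tcp:27043', 'tcp:27043'])
    return proc.returncode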
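def Run():
    """Start frida-server on the device through an interactive `adb shell`.

    Spawns `adb shell` with a pipe on stdin and types the entries of the
    module-level `cmd` after the first (su, cd, the server binary) into it,
    one per CRLF-terminated line. The shell is deliberately left running in
    the background so frida-server stays up; this call does not wait for it.

    Returns:
        The shell's exit status if it has already terminated (e.g. no device
        connected), otherwise None.
    """
    # Argument list instead of shell=True: nothing here needs a host shell.
    # stdout is sent to DEVNULL rather than an unread PIPE; an unread pipe
    # fills up and would block the server once it printed enough output.
    shell = subprocess.Popen(
        ['adb', 'shell'],
        stdin=subprocess.PIPE,
        stdout=subprocess.DEVNULL,
    )
    try:
        for line in cmd[1:]:
            shell.stdin.write((line + '\r\n').encode('utf-8'))
            shell.stdin.flush()
    except OSError:
        # adb shell went away before we finished typing (device missing,
        # su denied, ...): BrokenPipeError on POSIX, EINVAL on Windows.
        # The exit status returned below tells the caller what happened.
        pass
    return shell.poll()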
if __name__ == '__main__':
    # Set up both port forwards, echoing the equivalent adb command after
    # each one, then launch frida-server on the device.
    forwards = (
        (Forward1, 'adb forward tcp:27042 tcp:27042'),
        (Forward2, 'adb forward tcp:27043 tcp:27043'),
    )
    for forward, label in forwards:
        forward()
        print(label)
    print('Android server--->./frida-server-12-7-11-android-arm64')
    print('success-->frida-ps -R')
    Run()
python application.py com.flick.flickcheck
情况3
客户端
下载安装如下:
服务端
因此,客户端私钥一般都直接存放在 apk 本身内;在 apk 里找到该私钥后,便可利用它对证书进行签名,从而满足双向校验的要求。
作者:ESE007 文章来源:先知社区