모의해킹/Web
E2E 암호화 데이터 복호화 Fiddler Script
- -
반응형
E2E 암호화 로직은 말 그대로 종단 간 암호화로
공격자가 중간에 패킷을 가로채도 데이터가 암호화되어 볼 수 없는 상태로 만드는 역할을 수행한다.
모의해킹을 수행하는 입장에서도 또한 E2E 암호화 로직이 존재하는 경우,
파라미터 변조가 불가능하므로 우회 작업이 불가피하다.
E2E 암호화 된 데이터를 처리하는 서버 측에서는 대부분
단말기의 성능이 매우 낮거나 단말기 환경의 호환성 이슈 등의 이유로
암호화 로직이 제대로 동작하지 않는다면 가용성에 침해 될 수 있기 때문에
평문 데이터의 전송도 허용하는 경우가 많다.
이러한 특성을 이용하여 암호문을 평문으로 복호화한 후 변조, 전송하여 진단을 수행하면 된다.
그리고 이 암호문 복호화 작업을 자동화하기 위해서는 당연하게도 일단 암호문과 암호키를 찾아야 한다.
대상이 웹 페이지라면 js에서 crypt 등의 키워드로 검색하여 함수명을 찾거나
암호문이 실리는 파라미터명을 소스코드 상에서 검색하는 방식으로 정적분석 또는
디버깅을 통해 암호 로직을 찾을 수 있으며,
Android 앱의 경우 SecretKeySpec + doFinal 등 의 알려진 라이브러리 함수 또는
E2E 암호화 솔루션명을 패키지명으로 하는 클래스를 정적/동적 분석하여 찾고
iOS 앱의 경우에는 CCCrypt 등의 알려진 라이브러리 또는
aes, crypt 등의 키워드가 사용된 구간을 중심으로 분석하여 찾아야 한다.
암호문을 찾았다면 개발자도구를 통한 디버깅(웹서비스) 및 Frida 후킹(모바일앱) 등을 통해
암호화 함수가 전달받은 평문 데이터를 리턴값으로 그대로 Bypass 하여 리턴하도록 변조하면 되지만,
문제는 탐지 로직이 까다로워 후킹이 어려운 모바일앱을 진단하는 상황이다.
이 문제를 해결하기 위해 Burp Suite와 진단 단말기 사이에 Fiddler를 두고
Fiddler Script를 통해 복호화하여 Burp Suite에게 포워딩하는 방식을 사용했다.
단말기는 피들러의 포트(default: 8888)를 향하도록 프록시 설정하고,
피들러에서는 아래의 게이트웨이 설정을 통해 Burp Suite 로 포워딩하도록 설정하면 된다.
Fiddler의 FiddlerScript를 클릭해 보면 각 상태에 해당하는 부분을 커스텀하여 통제할 수 있도록
여러 상태에 따른 API 함수들이 정의되어 있다.
현재는 요청 패킷을 전달하기 전에 암호문을 복호화해야 하는 상황이므로
onBeforeRequest 함수 안에 복호화 로직을 구현하면 된다.
Fiddler Script 는 JScript .Net 문법을 사용하는데
System.Security.Cryptography라는 네임스페이스를 통해 암복호화 관련 API를 제공한다.
맨 윗줄에 해당 네임스페이스를 임포트 시켜놓고
onBeforeRequest 내부에는 복호화 로직을 구현해야 한다.
AES (CBC 모드) 알고리즘을 사용하고 있어 아래와 같이 작성했다.
암호문 플래그(encrypt), 암호키 및 초기벡터(key, iv), 암호알고리즘(AES_CBC) 및
암호문이 전달되는 파라미터명(data) 등을 확인하여 복호화 로직을 작성하면 된다.
복호화 스크립트 작성이 끝나면 Burp Suite 로 포워딩되는 평문 데이터로 편하게 진단하면 된다.
끝으로 전체 코드는 아래와 같다.
import System;
import System.Windows.Forms;
import Fiddler;
import System.Security.Cryptography;
import System.Text;
import System.IO;
// INTRODUCTION
//
// Well, hello there!
//
// Don't be scared! :-)
//
// This is the FiddlerScript Rules file, which creates some of the menu commands and
// other features of Progress Telerik Fiddler Classic. You can edit this file to modify or add new commands.
//
// The original version of this file is named SampleRules.js and it is in the
// \Program Files\Fiddler\ folder. When Fiddler Classic first runs, it creates a copy named
// CustomRules.js inside your \Documents\Fiddler2\Scripts folder. If you make a
// mistake in editing this file, simply delete the CustomRules.js file and restart
// Fiddler Classic. A fresh copy of the default rules will be created from the original
// sample rules file.
// The best way to edit this file is to install the FiddlerScript Editor, located in the Fiddler
// install directory %localappdata%\Programs\Fiddler\ScriptEditor\FSE2.exe
// GLOBALIZATION NOTE: Save this file using UTF-8 Encoding.
// JScript.NET Reference
// https://api.getfiddler.com/r/?msdnjsnet
//
// FiddlerScript Reference
// https://api.getfiddler.com/r/?fiddlerscriptcookbook
class Handlers
{
// *****************
//
// This is the Handlers class. Pretty much everything you ever add to FiddlerScript
// belongs right inside here, or inside one of the already-existing functions below.
//
// *****************
// The following snippet demonstrates a custom-bound column for the Web Sessions list.
// See https://api.getfiddler.com/r/?fiddlercolumns for more info
/*
public static BindUIColumn("Method", 60)
function FillMethodColumn(oS: Session): String {
return oS.RequestMethod;
}
*/
// The following snippet demonstrates how to create a custom tab that shows simple text
/*
public BindUITab("Flags")
static function FlagsReport(arrSess: Session[]):String {
var oSB: System.Text.StringBuilder = new System.Text.StringBuilder();
for (var i:int = 0; i<arrSess.Length; i++)
{
oSB.AppendLine("SESSION FLAGS");
oSB.AppendFormat("{0}: {1}\n", arrSess[i].id, arrSess[i].fullUrl);
for(var sFlag in arrSess[i].oFlags)
{
oSB.AppendFormat("\t{0}:\t\t{1}\n", sFlag.Key, sFlag.Value);
}
}
return oSB.ToString();
}
*/
// You can create a custom menu like so:
/*
QuickLinkMenu("&Links")
QuickLinkItem("IE GeoLoc TestDrive", "http://ie.microsoft.com/testdrive/HTML5/Geolocation/Default.html")
QuickLinkItem("FiddlerCore", "https://api.getfiddler.com/r/?fiddlercore")
public static function DoLinksMenu(sText: String, sAction: String)
{
Utilities.LaunchHyperlink(sAction);
}
*/
public static RulesOption("Hide 304s")
BindPref("fiddlerscript.rules.Hide304s")
var m_Hide304s: boolean = false;
// Cause Fiddler Classic to override the Accept-Language header with one of the defined values
public static RulesOption("Request &Japanese Content")
var m_Japanese: boolean = false;
// Automatic Authentication
public static RulesOption("&Automatically Authenticate")
BindPref("fiddlerscript.rules.AutoAuth")
var m_AutoAuth: boolean = false;
// Cause Fiddler Classic to override the User-Agent header with one of the defined values
// The page http://browserscope2.org/browse?category=selectors&ua=Mobile%20Safari is a good place to find updated versions of these
RulesString("&User-Agents", true)
BindPref("fiddlerscript.ephemeral.UserAgentString")
RulesStringValue(0,"Netscape &3", "Mozilla/3.0 (Win95; I)")
RulesStringValue(1,"WinPhone8.1", "Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 520) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537")
RulesStringValue(2,"&Safari5 (Win7)", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1")
RulesStringValue(3,"Safari9 (Mac)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56")
RulesStringValue(4,"iPad", "Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F5027d Safari/600.1.4")
RulesStringValue(5,"iPhone6", "Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4")
RulesStringValue(6,"IE &6 (XPSP2)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)")
RulesStringValue(7,"IE &7 (Vista)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)")
RulesStringValue(8,"IE 8 (Win2k3 x64)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0)")
RulesStringValue(9,"IE &8 (Win7)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)")
RulesStringValue(10,"IE 9 (Win7)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)")
RulesStringValue(11,"IE 10 (Win8)", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)")
RulesStringValue(12,"IE 11 (Surface2)", "Mozilla/5.0 (Windows NT 6.3; ARM; Trident/7.0; Touch; rv:11.0) like Gecko")
RulesStringValue(13,"IE 11 (Win8.1)", "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko")
RulesStringValue(14,"Edge (Win10)", "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.11082")
RulesStringValue(15,"&Opera", "Opera/9.80 (Windows NT 6.2; WOW64) Presto/2.12.388 Version/12.17")
RulesStringValue(16,"&Firefox 3.6", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.7) Gecko/20100625 Firefox/3.6.7")
RulesStringValue(17,"&Firefox 43", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0")
RulesStringValue(18,"&Firefox Phone", "Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0")
RulesStringValue(19,"&Firefox (Mac)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0")
RulesStringValue(20,"Chrome (Win)", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.48 Safari/537.36")
RulesStringValue(21,"Chrome (Android)", "Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Mobile Safari/537.36")
RulesStringValue(22,"ChromeBook", "Mozilla/5.0 (X11; CrOS x86_64 6680.52.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.74 Safari/537.36")
RulesStringValue(23,"GoogleBot Crawler", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
RulesStringValue(24,"Kindle Fire (Silk)", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.22.79_10013310) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true")
RulesStringValue(25,"&Custom...", "%CUSTOM%")
public static var sUA: String = null;
// Cause Fiddler Classic to delay HTTP traffic to simulate typical 56k modem conditions
public static RulesOption("Simulate &Modem Speeds", "Per&formance")
var m_SimulateModem: boolean = false;
// Removes HTTP-caching related headers and specifies "no-cache" on requests and responses
public static RulesOption("&Disable Caching", "Per&formance")
var m_DisableCaching: boolean = false;
public static RulesOption("Cache Always &Fresh", "Per&formance")
var m_AlwaysFresh: boolean = false;
// Force a manual reload of the script file. Resets all
// RulesOption variables to their defaults.
public static ToolsAction("Reset Script")
function DoManualReload() {
FiddlerObject.ReloadScript();
}
public static ContextAction("Decode Selected Sessions")
function DoRemoveEncoding(oSessions: Session[]) {
for (var x:int = 0; x < oSessions.Length; x++){
oSessions[x].utilDecodeRequest();
oSessions[x].utilDecodeResponse();
}
UI.actUpdateInspector(true,true);
}
static function OnBeforeRequest(oSession: Session) {
// Sample Rule: Color ASPX requests in RED
// if (oSession.uriContains(".aspx")) { oSession["ui-color"] = "red"; }
// Sample Rule: Flag POSTs to telerik.com in italics
// if (oSession.HostnameIs("www.telerik.com") && oSession.HTTPMethodIs("POST")) { oSession["ui-italic"] = "yup"; }
// Sample Rule: Break requests for URLs containing "/sandbox/"
// if (oSession.uriContains("/sandbox/")) {
// oSession.oFlags["x-breakrequest"] = "yup"; // Existence of the x-breakrequest flag creates a breakpoint; the "yup" value is unimportant.
// }
if ((null != gs_ReplaceToken) && (oSession.url.indexOf(gs_ReplaceToken)>-1)) { // Case sensitive
oSession.url = oSession.url.Replace(gs_ReplaceToken, gs_ReplaceTokenWith);
}
if ((null != gs_OverridenHost) && (oSession.host.toLowerCase() == gs_OverridenHost)) {
oSession["x-overridehost"] = gs_OverrideHostWith;
}
if ((null!=bpRequestURI) && oSession.uriContains(bpRequestURI)) {
oSession["x-breakrequest"]="uri";
}
if ((null!=bpMethod) && (oSession.HTTPMethodIs(bpMethod))) {
oSession["x-breakrequest"]="method";
}
if ((null!=uiBoldURI) && oSession.uriContains(uiBoldURI)) {
oSession["ui-bold"]="QuickExec";
}
if (m_SimulateModem) {
// Delay sends by 300ms per KB uploaded.
oSession["request-trickle-delay"] = "300";
// Delay receives by 150ms per KB downloaded.
oSession["response-trickle-delay"] = "150";
}
if (m_DisableCaching) {
oSession.oRequest.headers.Remove("If-None-Match");
oSession.oRequest.headers.Remove("If-Modified-Since");
oSession.oRequest["Pragma"] = "no-cache";
}
// User-Agent Overrides
if (null != sUA) {
oSession.oRequest["User-Agent"] = sUA;
}
if (m_Japanese) {
oSession.oRequest["Accept-Language"] = "ja";
}
if (m_AutoAuth) {
// Automatically respond to any authentication challenges using the
// current Fiddler Classic user's credentials. You can change (default)
// to a domain\\username:password string if preferred.
//
// WARNING: This setting poses a security risk if remote
// connections are permitted!
oSession["X-AutoAuth"] = "(default)";
}
if (m_AlwaysFresh && (oSession.oRequest.headers.Exists("If-Modified-Since") || oSession.oRequest.headers.Exists("If-None-Match")))
{
oSession.utilCreateResponseAndBypassServer();
oSession.responseCode = 304;
oSession["ui-backcolor"] = "Lavender";
}
if (oSession.oRequest.headers.ExistsAndContains("Content-Type", "application/x-www-form-urlencoded")) {
var body = oSession.GetRequestBodyAsString();
if (body.indexOf("encrypt=A") > -1) {
body = body.Replace("encrypt=A", "encrypt=");
oSession.utilSetRequestBody(body);
}
var key = Encoding.UTF8.GetBytes("input_your_key_here");
var iv = Encoding.UTF8.GetBytes("input_your_iv_here");
var params = body.Split('&');
for (var i = 0; i < params.Length; i++) {
if (params[i].StartsWith("data=")) {
var encryptedData = params[i].Substring(5);
var decodedData = System.Uri.UnescapeDataString(encryptedData);
var decryptedData = DecryptStringFromBytes_Aes(Convert.FromBase64String(decodedData), key, iv);
params[i] = "data=" + System.Uri.EscapeDataString(decryptedData);
}
}
oSession.utilSetRequestBody(params.join('&'));
}
}
static function DecryptStringFromBytes_Aes(encryptedData: byte[], key: byte[], iv: byte[]): String {
var plaintext: String = null;
var aesAlg = Aes.Create();
aesAlg.Key = key;
aesAlg.IV = iv;
var decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
var msDecrypt = new MemoryStream(encryptedData);
try {
var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
try {
var srDecrypt = new StreamReader(csDecrypt);
try {
plaintext = srDecrypt.ReadToEnd();
} finally {
srDecrypt.Close();
}
} finally {
csDecrypt.Close();
}
} finally {
msDecrypt.Close();
}
return plaintext;
}
// This function is called immediately after a set of request headers has
// been read from the client. This is typically too early to do much useful
// work, since the body hasn't yet been read, but sometimes it may be useful.
//
// For instance, see
// http://blogs.msdn.com/b/fiddler/archive/2011/11/05/http-expect-continue-delays-transmitting-post-bodies-by-up-to-350-milliseconds.aspx
// for one useful thing you can do with this handler.
//
// Note: oSession.requestBodyBytes is not available within this function!
/*
static function OnPeekAtRequestHeaders(oSession: Session) {
var sProc = ("" + oSession["x-ProcessInfo"]).ToLower();
if (!sProc.StartsWith("mylowercaseappname")) oSession["ui-hide"] = "NotMyApp";
}
*/
//
// If a given session has response streaming enabled, then the OnBeforeResponse function
// is actually called AFTER the response was returned to the client.
//
// In contrast, this OnPeekAtResponseHeaders function is called before the response headers are
// sent to the client (and before the body is read from the server). Hence this is an opportune time
// to disable streaming (oSession.bBufferResponse = true) if there is something in the response headers
// which suggests that tampering with the response body is necessary.
//
// Note: oSession.responseBodyBytes is not available within this function!
//
static function OnPeekAtResponseHeaders(oSession: Session) {
//FiddlerApplication.Log.LogFormat("Session {0}: Response header peek shows status is {1}", oSession.id, oSession.responseCode);
if (m_DisableCaching) {
oSession.oResponse.headers.Remove("Expires");
oSession.oResponse["Cache-Control"] = "no-cache";
}
if ((bpStatus>0) && (oSession.responseCode == bpStatus)) {
oSession["x-breakresponse"]="status";
oSession.bBufferResponse = true;
}
if ((null!=bpResponseURI) && oSession.uriContains(bpResponseURI)) {
oSession["x-breakresponse"]="uri";
oSession.bBufferResponse = true;
}
}
static function OnBeforeResponse(oSession: Session) {
if (m_Hide304s && oSession.responseCode == 304) {
oSession["ui-hide"] = "true";
}
}
/*
// This function executes just before Fiddler Classic returns an error that it has
// itself generated (e.g. "DNS Lookup failure") to the client application.
// These responses will not run through the OnBeforeResponse function above.
static function OnReturningError(oSession: Session) {
}
*/
/*
// This function executes after Fiddler Classic finishes processing a Session, regardless
// of whether it succeeded or failed. Note that this typically runs AFTER the last
// update of the Web Sessions UI listitem, so you must manually refresh the Session's
// UI if you intend to change it.
static function OnDone(oSession: Session) {
}
*/
/*
static function OnBoot() {
MessageBox.Show("Fiddler Classic has finished booting");
System.Diagnostics.Process.Start("iexplore.exe");
UI.ActivateRequestInspector("HEADERS");
UI.ActivateResponseInspector("HEADERS");
}
*/
/*
static function OnBeforeShutdown(): Boolean {
// Return false to cancel shutdown.
return ((0 == FiddlerApplication.UI.lvSessions.TotalItemCount()) ||
(DialogResult.Yes == MessageBox.Show("Allow Fiddler Classic to exit?", "Go Bye-bye?",
MessageBoxButtons.YesNo, MessageBoxIcon.Question, MessageBoxDefaultButton.Button2)));
}
*/
/*
static function OnShutdown() {
MessageBox.Show("Fiddler Classic has shutdown");
}
*/
/*
static function OnAttach() {
MessageBox.Show("Fiddler Classic is now the system proxy");
}
*/
/*
static function OnDetach() {
MessageBox.Show("Fiddler Classic is no longer the system proxy");
}
*/
// The Main() function runs everytime your FiddlerScript compiles
static function Main() {
var today: Date = new Date();
FiddlerObject.StatusText = " CustomRules.js was loaded at: " + today;
// Uncomment to add a "Server" column containing the response "Server" header, if present
// UI.lvSessions.AddBoundColumn("Server", 50, "@response.server");
// Uncomment to add a global hotkey (Win+G) that invokes the ExecAction method below...
// UI.RegisterCustomHotkey(HotkeyModifiers.Windows, Keys.G, "screenshot");
}
// These static variables are used for simple breakpointing & other QuickExec rules
BindPref("fiddlerscript.ephemeral.bpRequestURI")
public static var bpRequestURI:String = null;
BindPref("fiddlerscript.ephemeral.bpResponseURI")
public static var bpResponseURI:String = null;
BindPref("fiddlerscript.ephemeral.bpMethod")
public static var bpMethod: String = null;
static var bpStatus:int = -1;
static var uiBoldURI: String = null;
static var gs_ReplaceToken: String = null;
static var gs_ReplaceTokenWith: String = null;
static var gs_OverridenHost: String = null;
static var gs_OverrideHostWith: String = null;
// The OnExecAction function is called by either the QuickExec box in the Fiddler Classic window,
// or by the ExecAction.exe command line utility.
static function OnExecAction(sParams: String[]): Boolean {
FiddlerObject.StatusText = "ExecAction: " + sParams[0];
var sAction = sParams[0].toLowerCase();
switch (sAction) {
case "bold":
if (sParams.Length<2) {uiBoldURI=null; FiddlerObject.StatusText="Bolding cleared"; return false;}
uiBoldURI = sParams[1]; FiddlerObject.StatusText="Bolding requests for " + uiBoldURI;
return true;
case "bp":
FiddlerObject.alert("bpu = breakpoint request for uri\nbpm = breakpoint request method\nbps=breakpoint response status\nbpafter = breakpoint response for URI");
return true;
case "bps":
if (sParams.Length<2) {bpStatus=-1; FiddlerObject.StatusText="Response Status breakpoint cleared"; return false;}
bpStatus = parseInt(sParams[1]); FiddlerObject.StatusText="Response status breakpoint for " + sParams[1];
return true;
case "bpv":
case "bpm":
if (sParams.Length<2) {bpMethod=null; FiddlerObject.StatusText="Request Method breakpoint cleared"; return false;}
bpMethod = sParams[1].toUpperCase(); FiddlerObject.StatusText="Request Method breakpoint for " + bpMethod;
return true;
case "bpu":
if (sParams.Length<2) {bpRequestURI=null; FiddlerObject.StatusText="RequestURI breakpoint cleared"; return false;}
bpRequestURI = sParams[1];
FiddlerObject.StatusText="RequestURI breakpoint for "+sParams[1];
return true;
case "bpa":
case "bpafter":
if (sParams.Length<2) {bpResponseURI=null; FiddlerObject.StatusText="ResponseURI breakpoint cleared"; return false;}
bpResponseURI = sParams[1];
FiddlerObject.StatusText="ResponseURI breakpoint for "+sParams[1];
return true;
case "overridehost":
if (sParams.Length<3) {gs_OverridenHost=null; FiddlerObject.StatusText="Host Override cleared"; return false;}
gs_OverridenHost = sParams[1].toLowerCase();
gs_OverrideHostWith = sParams[2];
FiddlerObject.StatusText="Connecting to [" + gs_OverrideHostWith + "] for requests to [" + gs_OverridenHost + "]";
return true;
case "urlreplace":
if (sParams.Length<3) {gs_ReplaceToken=null; FiddlerObject.StatusText="URL Replacement cleared"; return false;}
gs_ReplaceToken = sParams[1];
gs_ReplaceTokenWith = sParams[2].Replace(" ", "%20"); // Simple helper
FiddlerObject.StatusText="Replacing [" + gs_ReplaceToken + "] in URIs with [" + gs_ReplaceTokenWith + "]";
return true;
case "allbut":
case "keeponly":
if (sParams.Length<2) { FiddlerObject.StatusText="Please specify Content-Type to retain during wipe."; return false;}
UI.actSelectSessionsWithResponseHeaderValue("Content-Type", sParams[1]);
UI.actRemoveUnselectedSessions();
UI.lvSessions.SelectedItems.Clear();
FiddlerObject.StatusText="Removed all but Content-Type: " + sParams[1];
return true;
case "stop":
UI.actDetachProxy();
return true;
case "start":
UI.actAttachProxy();
return true;
case "cls":
case "clear":
UI.actRemoveAllSessions();
return true;
case "g":
case "go":
UI.actResumeAllSessions();
return true;
case "goto":
if (sParams.Length != 2) return false;
Utilities.LaunchHyperlink("https://www.google.com/search?hl=en&btnI=I%27m+Feeling+Lucky&q=" + Utilities.UrlEncode(sParams[1]));
return true;
case "help":
Utilities.LaunchHyperlink("https://api.getfiddler.com/r/?quickexec");
return true;
case "hide":
UI.actMinimizeToTray();
return true;
case "log":
FiddlerApplication.Log.LogString((sParams.Length<2) ? "User couldn't think of anything to say..." : sParams[1]);
return true;
case "nuke":
UI.actClearWinINETCache();
UI.actClearWinINETCookies();
return true;
case "screenshot":
UI.actCaptureScreenshot(false);
return true;
case "show":
UI.actRestoreWindow();
return true;
case "tail":
if (sParams.Length<2) { FiddlerObject.StatusText="Please specify # of sessions to trim the session list to."; return false;}
UI.TrimSessionList(int.Parse(sParams[1]));
return true;
case "quit":
UI.actExit();
return true;
case "dump":
UI.actSelectAll();
UI.actSaveSessionsToZip(CONFIG.GetPath("Captures") + "dump.saz");
UI.actRemoveAllSessions();
FiddlerObject.StatusText = "Dumped all sessions to " + CONFIG.GetPath("Captures") + "dump.saz";
return true;
default:
if (sAction.StartsWith("http") || sAction.StartsWith("www.")) {
System.Diagnostics.Process.Start(sParams[0]);
return true;
}
else
{
FiddlerObject.StatusText = "Requested ExecAction: '" + sAction + "' not found. Type HELP to learn more.";
return false;
}
}
}
}
+ 추가 (Fiddler Script 를 통한 암호화 예시)
static function OnBeforeResponse(oSession: Session) {
if (m_Hide304s && oSession.responseCode == 304) {
oSession["ui-hide"] = "true";
}
if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "application/json")) {
var responseBody = oSession.GetResponseBodyAsString();
var jsonResponse = Fiddler.WebFormats.JSON.JsonDecode(responseBody).JSONObject;
if (jsonResponse["data"]) {
var key = Encoding.UTF8.GetBytes("input_your_key_here");
var iv = Encoding.UTF8.GetBytes("input_your_iv_here");
var encryptedData = EncryptStringToBytes_Aes(jsonResponse["data"].ToString(), key, iv);
jsonResponse["data"] = Convert.ToBase64String(encryptedData);
oSession.utilSetResponseBody(Fiddler.WebFormats.JSON.JsonEncode(jsonResponse));
}
}
}
static function EncryptStringToBytes_Aes(plainText, key, iv) {
var encrypted;
var aesAlg = Aes.Create();
aesAlg.Key = key;
aesAlg.IV = iv;
var encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
var msEncrypt = new MemoryStream();
try {
var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write);
try {
var swEncrypt = new StreamWriter(csEncrypt);
try {
swEncrypt.Write(plainText);
} finally {
swEncrypt.Close();
}
} finally {
csEncrypt.Close();
}
encrypted = msEncrypt.ToArray();
} finally {
msEncrypt.Close();
}
return encrypted;
}
Reference
https://learn.microsoft.com/ko-kr/dotnet/api/system.security.cryptography?view=net-9.0
반응형
'모의해킹 > Web' 카테고리의 다른 글
| URL Endpoints 파싱 (0) | 2025.02.09 |
|---|---|
| Blind SQL Injection(Boolean-Based) 자동화 파이썬 코드 (1) | 2023.09.28 |
Contents
소중한 공감 감사합니다