+关注
已关注

分类  

暂无分类

标签  

暂无标签

日期归档  

2019-08(62)

2019-09(95)

2019-10(16)

2019-11(4)

2019-12(21)

hook框架frida 绕过fillder证书认证

发布于2020-09-16 06:38     阅读(293)     评论(0)     点赞(11)     收藏(2)


一.fridajs脚本模板(网上找的保留)

//Thanks to https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
//At the moment, this seems to fix the SSL exceptions, but bypass the proxy itself!

//If you have any idea why Android would ignore the proxy setting completely after the following runs, please email androidbugs@voltagex.org - thanks!
(function () {
    Java.perform(function () {
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        var URL = Java.use('java.net.URL');
        var InputStreamReader = Java.use('java.io.InputStreamReader');
        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load CAs from an InputStream
        console.log("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509");

        try {
            //this assumes you've already got the system proxy set to use Fiddler
            var fiddlerUrl = URL.$new("http://ipv4.fiddler:8888/FiddlerRoot.cer");
            var connection = fiddlerUrl.openConnection();

        } catch (err) {
            console.log("[o] " + err);
        }

        var bufferedInputStream = BufferedInputStream.$new(connection.getInputStream());
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();

        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create a KeyStore containing our trusted CAs
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        console.log("[+] Hijacking SSLContext methods now...")
        console.log("[-] Waiting for the app to invoke SSLContext.init()...")

        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        }
    })
})();

原文链接:https://www.cnblogs.com/pythonywy/p/13673867.html



所属网站分类: 技术文章 > 博客

作者:大魔王

链接: https://www.pythonheidong.com/blog/article/525764/

来源: python黑洞网

任何形式的转载都请注明出处,如有侵权 一经发现 必将追究其法律责任

11 0
收藏该文
已收藏

评论内容:(最多支持255个字符)