<!DOCTYPE html>
<html lang="zh-CN" data-theme="light">
<head>
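<!-- Document metadata: encoding, viewport, generator, Open Graph, icons, PWA hints, title. -->
<meta charset="utf-8">
<!-- One viewport declaration; zoom stays enabled (no maximum-scale, no user-scalable=no)
     so users who need magnification can scale the page. -->
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
<meta name="generator" content="VuePress 2.0.0-beta.53">
<meta name="theme" content="VuePress Theme Hope">
<!-- Open Graph data used by link previews. -->
<meta property="og:url" content="https://wintrysec.github.io/app.html">
<meta property="og:site_name" content="网络安全知识库">
<meta property="og:title" content="APP渗透测试">
<meta property="og:type" content="article">
<meta property="og:locale" content="zh-CN">
<!-- Favicons in several sizes. -->
<link rel="icon" href="/favicon.ico">
<link rel="icon" href="/assets/icon/chrome-mask-512.png" type="image/png" sizes="512x512">
<link rel="icon" href="/assets/icon/chrome-mask-192.png" type="image/png" sizes="192x192">
<link rel="icon" href="/assets/icon/chrome-512.png" type="image/png" sizes="512x512">
<link rel="icon" href="/assets/icon/chrome-192.png" type="image/png" sizes="192x192">
<!-- NOTE(review): crossorigin="use-credentials" makes the browser send cookies with the
     manifest request. That is only needed when the manifest sits behind authentication;
     confirm it is intended for this site. -->
<link rel="manifest" href="/manifest.webmanifest" crossorigin="use-credentials">
<meta name="theme-color" content="#46bd87">
<link rel="apple-touch-icon" href="/assets/icon/apple-icon-152.png">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<meta name="msapplication-TileImage" content="/assets/icon/ms-icon-144.png">
<meta name="msapplication-TileColor" content="#ffffff">
<title>APP渗透测试 | 网络安全知识库</title>
<meta name="description" content="网络安全知识库,渗透测试,web安全,攻防对抗,安全开发,golang,vue3,sqlmap,burpsuite,sql注入,nmap,metasploit,cobaltstrike">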
<style>
  /* Page background colour; the light value is the default. */
  :root {
    --bg-color: #fff;
  }

  /* Dark value, selected by the data-theme attribute on <html>. */
  html[data-theme="dark"] {
    --bg-color: #1d2025;
  }

  /* Both the root element and the body paint the themed background. */
  html {
    background: var(--bg-color);
  }

  body {
    background: var(--bg-color);
  }
</style>
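<script>
  // Inline theme bootstrap, run from <head>: an explicit choice saved under
  // "vuepress-theme-hope-scheme" wins, otherwise the OS colour-scheme preference applies.
  //
  // Security notes:
  // - The stored value is only compared with the literals "dark" and "light" and is never
  //   written into the document, so a tampered localStorage entry cannot inject markup.
  // - Because this is an inline script, a Content-Security-Policy that restricts
  //   script-src must allow it by hash or nonce.
  const userMode = (function () {
    try {
      return localStorage.getItem("vuepress-theme-hope-scheme");
    } catch (err) {
      // Storage access can throw (for example when site data is blocked or the page runs
      // in a sandboxed frame); treat that as "no saved choice" instead of aborting.
      return null;
    }
  })();

  // matchMedia is feature-tested; if it is missing this stays falsy and light mode is kept.
  const systemDarkMode =
    window.matchMedia &&
    window.matchMedia("(prefers-color-scheme: dark)").matches;

  if (userMode === "dark" || (userMode !== "light" && systemDarkMode)) {
    // The markup ships with data-theme="light"; switch the root element to dark.
    document.documentElement.setAttribute("data-theme", "dark");
  }
</script>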
<link rel="preload" href="/assets/style.9d4e7cd8.css" as="style" /><link rel="stylesheet" href="/assets/style.9d4e7cd8.css" />
<link rel="modulepreload" href="/assets/app.3b9f01e1.js"><link rel="modulepreload" href="/assets/app.html.9a694960.js"><link rel="modulepreload" href="/assets/_plugin-vue_export-helper.cdc0426e.js"><link rel="modulepreload" href="/assets/app.html.c30aea39.js">
</head>
<body>
<div id="app"><!--[--><!--[--><!--[--><span tabindex="-1"></span><a href="#main-content" class="skip-link sr-only">Skip to content</a><!--]--><div class="theme-container no-sidebar has-toc"><!--[--><!--[--><header class="navbar"><div class="navbar-left"><button class="toggle-sidebar-button" title="Toggle Sidebar"><span class="icon"></span></button><!--[--><!----><!--]--><a href="/" class="brand"><img class="logo" src="/logo.svg" alt="网络安全知识库"><!----><span class="site-name hide-in-pad">网络安全知识库</span></a><!--[--><!----><!--]--></div><div class="navbar-center"><!--[--><!----><!--]--><nav class="nav-links"><div class="nav-item hide-in-mobile"><a href="/" class="nav-link" aria-label="项目主页"><span class="icon iconfont icon-home"></span>项目主页<!----></a></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="计算机网络"><span class="title"><span class="icon iconfont icon-router"></span>计算机网络</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><a href="/network/tcp.html" class="nav-link" aria-label="TCP/IP"><!---->TCP/IP<!----></a></li><li class="dropdown-item"><a href="/network/http.html" class="nav-link" aria-label="HTTP"><!---->HTTP<!----></a></li><li class="dropdown-item"><a href="/network/https.html" class="nav-link" aria-label="HTTPS"><!---->HTTPS<!----></a></li><li class="dropdown-item"><a href="/network/dns.html" class="nav-link" aria-label="DNS"><!---->DNS<!----></a></li><li class="dropdown-item"><a href="/network/IP%E7%9B%B8%E5%85%B3%E5%8D%8F%E8%AE%AE.html" class="nav-link" aria-label="IP相关协议"><!---->IP相关协议<!----></a></li><li class="dropdown-item"><a href="/network/Wireshark.html" class="nav-link" aria-label="Wireshark抓包"><!---->Wireshark抓包<!----></a></li></ul></button></div></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="Linux系统"><span class="title"><span class="icon iconfont 
icon-linux"></span>Linux系统</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/Linux%E6%9B%B4%E6%8D%A2%E6%9B%B4%E6%96%B0%E6%BA%90.html" class="nav-link" aria-label="Linux更换更新源"><!---->Linux更换更新源<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/Linux%E5%B8%B8%E7%94%A8%E5%91%BD%E4%BB%A4.html" class="nav-link" aria-label="Linux常用命令"><!---->Linux常用命令<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/%E7%94%A8%E6%88%B7%E7%AE%A1%E7%90%86.html" class="nav-link" aria-label="用户管理"><!---->用户管理<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/%E8%BF%9B%E7%A8%8B%E7%AE%A1%E7%90%86.html" class="nav-link" aria-label="进程管理"><!---->进程管理<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/%E7%BD%91%E7%BB%9C%E7%AE%A1%E7%90%86.html" class="nav-link" aria-label="网络管理"><!---->网络管理<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/%E8%AE%A1%E5%88%92%E4%BB%BB%E5%8A%A1.html" class="nav-link" aria-label="计划任务"><!---->计划任务<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/%E5%BC%80%E6%9C%BA%E5%90%AF%E5%8A%A8%E9%A1%B9.html" class="nav-link" aria-label="开机启动项"><!---->开机启动项<!----></a></li><li class="dropdown-item"><a href="/Linux%E7%B3%BB%E7%BB%9F/Linux%E5%AE%88%E6%8A%A4%E8%BF%9B%E7%A8%8B.html" class="nav-link" aria-label="Linux守护进程"><!---->Linux守护进程<!----></a></li></ul></button></div></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="Web安全"><span class="title"><span class="icon iconfont icon-chrome"></span>Web安全</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="SQL注入漏洞"><!---->SQL注入漏洞<!----></a></li><li class="dropdown-item"><a 
href="/Web%E5%AE%89%E5%85%A8/XSS%E8%B7%A8%E7%AB%99%E8%84%9A%E6%9C%AC%E6%94%BB%E5%87%BB.html" class="nav-link" aria-label="XSS跨站脚本攻击"><!---->XSS跨站脚本攻击<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="文件上传漏洞"><!---->文件上传漏洞<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="文件包含漏洞"><!---->文件包含漏洞<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="命令执行漏洞"><!---->命令执行漏洞<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/%E8%AF%B7%E6%B1%82%E4%BC%AA%E9%80%A0%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="请求伪造漏洞"><!---->请求伪造漏洞<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/XXE%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="XXE注入漏洞"><!---->XXE注入漏洞<!----></a></li><li class="dropdown-item"><a href="/Web%E5%AE%89%E5%85%A8/%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E.html" class="nav-link" aria-label="会话劫持和会话固定漏洞"><!---->会话劫持和会话固定漏洞<!----></a></li></ul></button></div></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="武器库"><span class="title"><span class="icon iconfont icon-frame"></span>武器库</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><h4 class="dropdown-subtitle"><span>在线工具</span></h4><ul class="dropdown-subitem-wrapper"><li class="dropdown-subitem"><a href="https://xssor.io/" rel="noopener noreferrer" target="_blank" aria-label="XSS'OR" class="nav-link"><span class="icon iconfont icon-dart"></span>XSS'OR<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" 
height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></li><li class="dropdown-subitem"><a href="https://www.revshells.com/" rel="noopener noreferrer" target="_blank" aria-label="反弹shell" class="nav-link"><span class="icon iconfont icon-creative"></span>反弹shell<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></li><li class="dropdown-subitem"><a href="https://www.shentoushi.top/av/av.php" rel="noopener noreferrer" target="_blank" aria-label="杀软比对" class="nav-link"><span class="icon iconfont icon-discover"></span>杀软比对<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></li><li class="dropdown-subitem"><a href="https://wintrysec.github.io/ChaVuln/" 
rel="noopener noreferrer" target="_blank" aria-label="Goby红队漏洞库" class="nav-link"><span class="icon iconfont icon-debug"></span>Goby红队漏洞库<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></li></ul></li><li class="dropdown-item"><h4 class="dropdown-subtitle"><span>渗透神器</span></h4><ul class="dropdown-subitem-wrapper"><li class="dropdown-subitem"><a href="/tools/../fscan.html" rel="noopener noreferrer" target="_blank" aria-label="fscan" class="nav-link"><span class="icon iconfont icon-anonymous"></span>fscan<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></li><li class="dropdown-subitem"><a href="/tools/nuclei.html" class="nav-link" aria-label="nuclei"><!---->nuclei<!----></a></li><li class="dropdown-subitem"><a href="/tools/nmap.html" class="nav-link" aria-label="nmap"><!---->nmap<!----></a></li><li class="dropdown-subitem"><a href="/tools/SQLmap.html" class="nav-link" aria-label="SQLmap"><!---->SQLmap<!----></a></li><li class="dropdown-subitem"><a href="/tools/BurpSuite.html" 
class="nav-link" aria-label="BurpSuite"><!---->BurpSuite<!----></a></li><li class="dropdown-subitem"><a href="/tools/CobaltStrike.html" class="nav-link" aria-label="CobaltStrike"><!---->CobaltStrike<!----></a></li></ul></li></ul></button></div></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="攻防对抗"><span class="title"><span class="icon iconfont icon-hot"></span>攻防对抗</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><h4 class="dropdown-subtitle"><span>攻击方</span></h4><ul class="dropdown-subitem-wrapper"><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E4%BA%92%E8%81%94%E7%BD%91%E4%BE%A7%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html" class="nav-link" aria-label="互联网侧信息收集"><!---->互联网侧信息收集<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/Getshell%E6%9D%83%E9%99%90%E8%8E%B7%E5%8F%96.html" class="nav-link" aria-label="Getshell权限获取"><!---->Getshell权限获取<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87-Linux.html" class="nav-link" aria-label="权限提升-Linux"><!---->权限提升-Linux<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87-Windows.html" class="nav-link" aria-label="权限提升-Windows"><!---->权限提升-Windows<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87-%E6%95%B0%E6%8D%AE%E5%BA%93.html" class="nav-link" aria-label="权限提升-数据库"><!---->权限提升-数据库<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81-Linux%E5%90%8E%E9%97%A8.html" class="nav-link" aria-label="权限维持-Linux后门"><!---->权限维持-Linux后门<!----></a></li><li class="dropdown-subitem"><a 
href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81-Windows%E5%90%8E%E9%97%A8.html" class="nav-link" aria-label="权限维持-Windows后门"><!---->权限维持-Windows后门<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E6%8A%80%E5%B7%A7.html" class="nav-link" aria-label="权限维持技巧"><!---->权限维持技巧<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%9E%84%E5%BB%BA%E9%80%9A%E9%81%93%E6%BC%AB%E6%B8%B8%E5%86%85%E7%BD%91.html" class="nav-link" aria-label="构建通道漫游内网"><!---->构建通道漫游内网<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8-%E5%86%85%E7%BD%91%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html" class="nav-link" aria-label="横向移动-内网信息收集"><!---->横向移动-内网信息收集<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8-%E6%9C%AC%E6%9C%BA%E5%87%AD%E8%AF%81%E8%8E%B7%E5%8F%96.html" class="nav-link" aria-label="横向移动-本机凭证获取"><!---->横向移动-本机凭证获取<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8-IPC%E5%91%BD%E5%90%8D%E7%AE%A1%E9%81%93.html" class="nav-link" aria-label="横向移动-IPC命名管道"><!---->横向移动-IPC命名管道<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8-%E6%9D%83%E9%99%90%E6%8B%93%E5%B1%95%E6%96%B9%E5%BC%8F.html" class="nav-link" aria-label="横向移动-权限拓展方式"><!---->横向移动-权限拓展方式<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E6%B8%85%E7%90%86%E6%88%98%E5%9C%BA%E5%8F%8D%E6%BA%AF%E6%BA%90-%E6%97%A5%E5%BF%97%E5%A4%84%E7%90%86.html" class="nav-link" aria-label="清理战场反溯源-日志处理"><!---->清理战场反溯源-日志处理<!----></a></li></ul></li><li class="dropdown-item"><h4 class="dropdown-subtitle"><span>防守方</span></h4><ul class="dropdown-subitem-wrapper"><li 
class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E4%BA%8B%E4%BB%B6%E5%A4%84%E7%90%86%E6%B5%81%E7%A8%8B.html" class="nav-link" aria-label="应急响应事件处理流程"><!---->应急响应事件处理流程<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94.html" class="nav-link" aria-label="Linux应急响应"><!---->Linux应急响应<!----></a></li><li class="dropdown-subitem"><a href="/%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97/Windows%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94.html" class="nav-link" aria-label="Windows应急响应"><!---->Windows应急响应<!----></a></li></ul></li></ul></button></div></div><div class="nav-item hide-in-mobile"><div class="dropdown-wrapper"><button class="dropdown-title" type="button" aria-label="域渗透"><span class="title"><span class="icon iconfont icon-anonymous"></span>域渗透</span><span class="arrow"></span><ul class="nav-dropdown"><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%9F%9F%E7%8E%AF%E5%A2%83%E4%BB%8B%E7%BB%8D.html" class="nav-link" aria-label="域环境介绍"><!---->域环境介绍<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%9F%9F%E5%86%85%E7%BD%91%E5%8D%8F%E8%AE%AE.html" class="nav-link" aria-label="域内网协议"><!---->域内网协议<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%9F%9F%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html" class="nav-link" aria-label="域信息收集"><!---->域信息收集<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%9F%9F%E6%8E%A7%E8%8E%B7%E5%8F%96%E6%96%B9%E5%BC%8F.html" class="nav-link" aria-label="域控获取方式"><!---->域控获取方式<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%93%88%E5%B8%8C%E4%BC%A0%E9%80%92%E6%94%BB%E5%87%BB.html" class="nav-link" aria-label="哈希传递攻击"><!---->哈希传递攻击<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E7%A5%A8%E6%8D%AE%E4%BC%A0%E9%80%92%E6%94%BB%E5%87%BB.html" 
class="nav-link" aria-label="票据传递攻击"><!---->票据传递攻击<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/NTLM%E4%B8%AD%E7%BB%A7%E6%94%BB%E5%87%BB.html" class="nav-link" aria-label="NTLM中继攻击"><!---->NTLM中继攻击<!----></a></li><li class="dropdown-item"><a href="/%E5%9F%9F%E6%B8%97%E9%80%8F/%E5%A7%94%E6%B4%BE%E6%94%BB%E5%87%BB.html" class="nav-link" aria-label="委派攻击"><!---->委派攻击<!----></a></li></ul></button></div></div></nav><!--[--><!----><!--]--></div><div class="navbar-right"><!--[--><!----><!--]--><!----><div class="nav-item"><a class="repo-link" href="https://github.com/wintrysec" target="_blank" rel="noopener noreferrer" aria-label="GitHub"><svg xmlns="http://www.w3.org/2000/svg" class="icon github-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="github icon" style="width:1.25rem;height:1.25rem;vertical-align:middle;"><path d="M511.957 21.333C241.024 21.333 21.333 240.981 21.333 512c0 216.832 140.544 400.725 335.574 465.664 24.49 4.395 32.256-10.07 32.256-23.083 0-11.69.256-44.245 0-85.205-136.448 29.61-164.736-64.64-164.736-64.64-22.315-56.704-54.4-71.765-54.4-71.765-44.587-30.464 3.285-29.824 3.285-29.824 49.195 3.413 75.179 50.517 75.179 50.517 43.776 75.008 114.816 53.333 142.762 40.79 4.523-31.66 17.152-53.377 31.19-65.537-108.971-12.458-223.488-54.485-223.488-242.602 0-53.547 19.114-97.323 50.517-131.67-5.035-12.33-21.93-62.293 4.779-129.834 0 0 41.258-13.184 134.912 50.346a469.803 469.803 0 0 1 122.88-16.554c41.642.213 83.626 5.632 122.88 16.554 93.653-63.488 134.784-50.346 134.784-50.346 26.752 67.541 9.898 117.504 4.864 129.834 31.402 34.347 50.474 78.123 50.474 131.67 0 188.586-114.73 230.016-224.042 242.09 17.578 15.232 33.578 44.672 33.578 90.454v135.85c0 13.142 7.936 27.606 32.854 22.87C862.25 912.597 1002.667 728.747 1002.667 512c0-271.019-219.648-490.667-490.71-490.667z"></path></svg></a></div><div class="nav-item hide-in-mobile"><button id="appearance-switch"><svg xmlns="http://www.w3.org/2000/svg" class="icon 
auto-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="auto icon" style="display:block;"><path d="M512 992C246.92 992 32 777.08 32 512S246.92 32 512 32s480 214.92 480 480-214.92 480-480 480zm0-840c-198.78 0-360 161.22-360 360 0 198.84 161.22 360 360 360s360-161.16 360-360c0-198.78-161.22-360-360-360zm0 660V212c165.72 0 300 134.34 300 300 0 165.72-134.28 300-300 300z"></path></svg><svg xmlns="http://www.w3.org/2000/svg" class="icon dark-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="dark icon" style="display:none;"><path d="M524.8 938.667h-4.267a439.893 439.893 0 0 1-313.173-134.4 446.293 446.293 0 0 1-11.093-597.334A432.213 432.213 0 0 1 366.933 90.027a42.667 42.667 0 0 1 45.227 9.386 42.667 42.667 0 0 1 10.24 42.667 358.4 358.4 0 0 0 82.773 375.893 361.387 361.387 0 0 0 376.747 82.774 42.667 42.667 0 0 1 54.187 55.04 433.493 433.493 0 0 1-99.84 154.88 438.613 438.613 0 0 1-311.467 128z"></path></svg><svg xmlns="http://www.w3.org/2000/svg" class="icon light-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="light icon" style="display:none;"><path d="M952 552h-80a40 40 0 0 1 0-80h80a40 40 0 0 1 0 80zM801.88 280.08a41 41 0 0 1-57.96-57.96l57.96-58a41.04 41.04 0 0 1 58 58l-58 57.96zM512 752a240 240 0 1 1 0-480 240 240 0 0 1 0 480zm0-560a40 40 0 0 1-40-40V72a40 40 0 0 1 80 0v80a40 40 0 0 1-40 40zm-289.88 88.08-58-57.96a41.04 41.04 0 0 1 58-58l57.96 58a41 41 0 0 1-57.96 57.96zM192 512a40 40 0 0 1-40 40H72a40 40 0 0 1 0-80h80a40 40 0 0 1 40 40zm30.12 231.92a41 41 0 0 1 57.96 57.96l-57.96 58a41.04 41.04 0 0 1-58-58l58-57.96zM512 832a40 40 0 0 1 40 40v80a40 40 0 0 1-80 0v-80a40 40 0 0 1 40-40zm289.88-88.08 58 57.96a41.04 41.04 0 0 1-58 58l-57.96-58a41 41 0 0 1 57.96-57.96z"></path></svg></button></div><form class="search-box" role="search"><input type="search" autocomplete="off" spellcheck="false" value><!----></form><!--[--><!----><!--]--><button class="toggle-navbar-button" aria-label="Toggle Navbar" aria-expanded="false" 
aria-controls="nav-screen"><span class="button-container"><span class="button-top"></span><span class="button-middle"></span><span class="button-bottom"></span></span></button></div></header><!----><!--]--><!----><div class="toggle-sidebar-wrapper"><span class="arrow left"></span></div><aside class="sidebar"><!--[--><!----><!--]--><ul class="sidebar-links"></ul><!--[--><!----><!--]--></aside><!--[--><main class="page" id="main-content"><!--[--><!----><nav class="breadcrumb disable"></nav><div class="page-title"><h1><!---->APP渗透测试</h1><div class="page-info"><span class="author-info" aria-label="作者🖊" data-balloon-pos="down"><svg xmlns="http://www.w3.org/2000/svg" class="icon author-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="author icon"><path d="M649.6 633.6c86.4-48 147.2-144 147.2-249.6 0-160-128-288-288-288s-288 128-288 288c0 108.8 57.6 201.6 147.2 249.6-121.6 48-214.4 153.6-240 288-3.2 9.6 0 19.2 6.4 25.6 3.2 9.6 12.8 12.8 22.4 12.8h704c9.6 0 19.2-3.2 25.6-12.8 6.4-6.4 9.6-16 6.4-25.6-25.6-134.4-121.6-240-243.2-288z"></path></svg><span><a class="author-item" href="https://wintrysec.github.io" target="_blank" rel="noopener noreferrer">张天师</a></span><span property="author" content="张天师"></span></span><!----><!----><span class="reading-time-info" aria-label="阅读时间⌛" data-balloon-pos="down"><svg xmlns="http://www.w3.org/2000/svg" class="icon timer-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="timer icon"><path d="M799.387 122.15c4.402-2.978 7.38-7.897 7.38-13.463v-1.165c0-8.933-7.38-16.312-16.312-16.312H256.33c-8.933 0-16.311 7.38-16.311 16.312v1.165c0 5.825 2.977 10.874 7.637 13.592 4.143 194.44 97.22 354.963 220.201 392.763-122.204 37.542-214.893 196.511-220.2 389.397-4.661 5.049-7.638 11.651-7.638 19.03v5.825h566.49v-5.825c0-7.379-2.849-13.981-7.509-18.9-5.049-193.016-97.867-351.985-220.2-389.527 123.24-37.67 216.446-198.453 220.588-392.892zM531.16 450.445v352.632c117.674 1.553 211.787 40.778 211.787 88.676H304.097c0-48.286 
95.149-87.382 213.728-88.676V450.445c-93.077-3.107-167.901-81.297-167.901-177.093 0-8.803 6.99-15.793 15.793-15.793 8.803 0 15.794 6.99 15.794 15.793 0 80.261 63.69 145.635 142.01 145.635s142.011-65.374 142.011-145.635c0-8.803 6.99-15.793 15.794-15.793s15.793 6.99 15.793 15.793c0 95.019-73.789 172.82-165.96 177.093z"></path></svg><span>大约 5 分钟</span><meta property="timeRequired" content="PT5M"></span></div><hr></div><div class="toc-place-holder"><aside id="toc"><div class="toc-header">此页内容</div><div class="toc-wrapper"><ul class="toc-list"><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#apk敏感信息收集" class="router-link-active router-link-exact-active toc-link level2">APK敏感信息收集</a></li><ul class="toc-list"><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#使用工具快速扫描" class="router-link-active router-link-exact-active toc-link level3">使用工具快速扫描</a></li><!----><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#反编译apk" class="router-link-active router-link-exact-active toc-link level3">反编译APK</a></li><!----><!--]--></ul><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#app抓包" class="router-link-active router-link-exact-active toc-link level2">APP抓包</a></li><ul class="toc-list"><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#一、设置代理" class="router-link-active router-link-exact-active toc-link level3">一、设置代理</a></li><!----><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#二、安装系统证书" class="router-link-active router-link-exact-active toc-link level3">二、安装系统证书</a></li><!----><!--]--></ul><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#加固绕过" class="router-link-active router-link-exact-active toc-link level2">加固绕过</a></li><ul class="toc-list"><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#root检测绕过" class="router-link-active router-link-exact-active toc-link 
level3">root检测绕过</a></li><!----><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#代理检测绕过" class="router-link-active router-link-exact-active toc-link level3">代理检测绕过</a></li><!----><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#frida检测绕过" class="router-link-active router-link-exact-active toc-link level3">frida检测绕过</a></li><!----><!--]--><!--[--><li class="toc-item"><a aria-current="page" href="/app.html#ssl-pinning证书绑定绕过" class="router-link-active router-link-exact-active toc-link level3">ssl Pinning证书绑定绕过</a></li><!----><!--]--></ul><!--]--></ul></div></aside></div><!----><div class="theme-hope-content"><h2 id="apk敏感信息收集" tabindex="-1"><a class="header-anchor" href="#apk敏感信息收集" aria-hidden="true">#</a> APK敏感信息收集</h2><h3 id="使用工具快速扫描" tabindex="-1"><a class="header-anchor" href="#使用工具快速扫描" aria-hidden="true">#</a> 使用工具快速扫描</h3><p>推荐 apkleaks <a href="https://github.com/dwisiswant0/apkleaks" target="_blank" rel="noopener noreferrer">https://github.com/dwisiswant0/apkleaks<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a></p><p>可以发现比如云主机的key,服务器真实IP、其他服务的密钥等信息。</p><div class="language-powershell line-numbers-mode" data-ext="powershell"><pre class="language-powershell"><code>python apkleaks<span class="token punctuation">.</span>py <span class="token operator">-</span>f <span class="token string">"C:\Users\Administrator\Desktop\app\test.apk"</span>
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div></div></div><p><img src="/assets/clip_image002.d6a903d8.gif" alt="img" loading="lazy"></p><h3 id="反编译apk" tabindex="-1"><a class="header-anchor" href="#反编译apk" aria-hidden="true">#</a> 反编译APK</h3><p>一个apk包的本质是一个zip格式的压缩包,我们可以直接使用解压缩工具进行解压。</p><h4 id="_1-检查-classes-dex-硬编码" tabindex="-1"><a class="header-anchor" href="#_1-检查-classes-dex-硬编码" aria-hidden="true">#</a> 1)检查 classes.dex 硬编码</h4><p>使用<a href="https://mt2.cn" target="_blank" rel="noopener noreferrer">MT管理器<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a>查看apk,检查apk包中是否存在硬编码的敏感信息。</p><p>重点查看classes.dex文件反编译后是否有硬编码的敏感信息。</p><p><strong>APK文件结构如下</strong></p><p><img src="/assets/clip_image004.dd9d60d8.gif" alt="img" loading="lazy"></p><h4 id="_2-检查sharedpreferences-配置文件" tabindex="-1"><a class="header-anchor" href="#_2-检查sharedpreferences-配置文件" aria-hidden="true">#</a> 2)检查SharedPreferences 配置文件</h4><p>检查客户端程序存储在手机中的 SharedPreferences 配置文件是否存储、泄露敏感信息。</p><p>可以使用MT管理器查看(手机需要root)</p><p>• 用MT管理器查看下APK的应用包名</p><p>• 查看路径/data/data/<应用包名>/shared_prefs/<应用包名>_preferences.xml</p><p>• 可以查看保存的SharedPreferences键值对信息</p><p><img src="/assets/clip_image006.bd693c76.gif" alt="img" loading="lazy"></p><h4 id="_3-检查sqlite数据库" tabindex="-1"><a class="header-anchor" href="#_3-检查sqlite数据库" aria-hidden="true">#</a> 3)检查SQLite数据库</h4><p>检查客户端程序存储在手机中的SQLite 
数据库文件是否保存、泄漏敏感信息。</p><p>将路径/data/data/<应用包名>/databases/下的sqlite3类型的数据库文件</p><p>用文件管理器导出来用可视化工具查看</p><p><img src="/assets/clip_image008.837439bf.gif" alt="img" loading="lazy"></p><p><img src="/assets/clip_image010.64d7f7b4.gif" alt="img" loading="lazy"></p><h4 id="_4-检查logcat日志" tabindex="-1"><a class="header-anchor" href="#_4-检查logcat日志" aria-hidden="true">#</a> 4)检查logcat日志</h4><p>APP客户端本地 log 运行日志是否打印、泄露用户敏感信息(使用adb即可查看)。</p><p>• 按照应用过滤日志</p><div class="language-powershell line-numbers-mode" data-ext="powershell"><pre class="language-powershell"><code>pm list packages <span class="token operator">-</span>3 <span class="token comment">#查看非系统的第三方应用包名</span>
logcat <span class="token punctuation">|</span> grep &lt;应用包名或者关键字&gt;
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div></div></div><p><img src="/assets/clip_image012.9c32a944.gif" alt="img" loading="lazy"></p><p>然后运行要检查的APP即可实时查看日志。</p><h2 id="app抓包" tabindex="-1"><a class="header-anchor" href="#app抓包" aria-hidden="true">#</a> APP抓包</h2><h3 id="一、设置代理" tabindex="-1"><a class="header-anchor" href="#一、设置代理" aria-hidden="true">#</a> 一、设置代理</h3><p><strong>1)Burp代理设置为局域网的IP</strong></p><p><img src="/assets/clip_image014.8cf88bdc.gif" alt="img" loading="lazy"></p><p><strong>2)模拟器设置桥接模式,和代理工具Burp所在宿主机处于同一局域网</strong></p><p><img src="/assets/clip_image016.e62e027c.gif" alt="img" loading="lazy"></p><p>设置模拟器的网络代理为Burp的地址</p><p><img src="/assets/clip_image018.8d3830fa.gif" alt="img" loading="lazy"></p><p><strong>3)模拟器访问Burp代理的IP,下载并安装CA证书</strong></p><p><img src="/assets/clip_image020.8cdb89c8.gif" alt="img" loading="lazy"></p><p>下载完先把后缀改为cer</p><p>夜神模拟器是在WLAN设置中点高级安装证书</p><p><img src="/assets/clip_image022.fd0c45da.gif" alt="img" loading="lazy"></p><p>或者有的模拟器是从设置中搜索安全,打开加密与凭据选项选择从SD卡安装证书</p><p><img src="/assets/clip_image024.9d9079d9.gif" alt="img" loading="lazy"></p><p><img src="/assets/clip_image026.c6f1ff9f.gif" alt="img" loading="lazy"></p><h3 id="二、安装系统证书" tabindex="-1"><a class="header-anchor" href="#二、安装系统证书" aria-hidden="true">#</a> 二、安装系统证书</h3><p><img src="/assets/clip_image028.93048bdf.gif" alt="img" loading="lazy"></p><p>抓到的HTTPS包都是乱码,因为从安卓7.0开始,目标版本为API 24及以上的app默认只信任系统内置的CA证书和应用自己指定的证书,用户后续安装的CA证书默认不生效。所以需要将Burp的CA证书安装到系统证书区。这一步只在专用的测试机或模拟器上做,测试结束后删除该证书:持有这张CA私钥的人可以对该设备上未做证书绑定的HTTPS流量做中间人解密。</p><div class="language-powershell line-numbers-mode" data-ext="powershell"><pre class="language-powershell"><code> <span class="token comment"># 转为pem格式</span>
openssl x509 <span class="token operator">-</span>inform DER <span class="token operator">-in</span> cacert<span class="token punctuation">.</span>der <span class="token operator">-</span>out cacert<span class="token punctuation">.</span>pem
<span class="token comment"># 重命名为&lt;hash值&gt;.0</span>
<span class="token function">mv</span> cacert<span class="token punctuation">.</span>pem `openssl x509 <span class="token operator">-</span>inform PEM <span class="token operator">-</span>subject_hash_old <span class="token operator">-in</span> cacert<span class="token punctuation">.</span>pem <span class="token punctuation">|</span>head <span class="token operator">-</span>1`<span class="token string">'.0'</span>
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p>将xxxhash.0证书文件复制到系统根信任证书目录即可</p><p>或者直接使用面具的movecert模块</p><p><a href="https://github.com/ys1231/MoveCertificate" target="_blank" rel="noopener noreferrer">https://github.com/ys1231/MoveCertificate<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a></p><h2 id="加固绕过" tabindex="-1"><a class="header-anchor" href="#加固绕过" aria-hidden="true">#</a> 加固绕过</h2><h3 id="root检测绕过" tabindex="-1"><a class="header-anchor" href="#root检测绕过" aria-hidden="true">#</a> root检测绕过</h3><p>通过<a href="https://github.com/topjohnwu/Magisk" target="_blank" rel="noopener noreferrer">Magisk<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a>本身的排除列表或者<a href="https://github.com/LSPosed/LSPosed.github.io/releases" target="_blank" rel="noopener noreferrer">Shamiko<span><svg class="external-link-icon" 
xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a>插件来绕过。</p><p>1)用adb将shamiko推送到手机上</p><div class="language-bash line-numbers-mode" data-ext="sh"><pre class="language-bash"><code>adb push Shamiko-v1.0.1-300-release.zip /sdcard/Download/Shamiko-v1.0.1-300-release.zip
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div></div></div><p>2)打开面具,进入模块,选择从本地安装,将zip刷入,点击重启</p><p>3)再次打开面具,点击右上角齿轮,配置排除列表,将绕过的APP排除,打开APP就没有提示了</p><h3 id="代理检测绕过" tabindex="-1"><a class="header-anchor" href="#代理检测绕过" aria-hidden="true">#</a> 代理检测绕过</h3><p>使用VPN代理:<a href="https://github.com/ys1231/appproxy" target="_blank" rel="noopener noreferrer">https://github.com/ys1231/appproxy<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a></p><h3 id="frida检测绕过" tabindex="-1"><a class="header-anchor" href="#frida检测绕过" aria-hidden="true">#</a> frida检测绕过</h3><p><a href="https://github.com/frida/frida" target="_blank" rel="noopener noreferrer">https://github.com/frida/frida<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a> 现已经支持自动构建反检测</p><p>windows安装客户端</p><div class="language-bash line-numbers-mode" data-ext="sh"><pre class="language-bash"><code>pip3 <span class="token function">install</span> Frida
pip3 <span class="token function">install</span> frida-tools
pip3 <span class="token function">install</span> objection
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><h3 id="ssl-pinning证书绑定绕过" tabindex="-1"><a class="header-anchor" href="#ssl-pinning证书绑定绕过" aria-hidden="true">#</a> ssl Pinning证书绑定绕过</h3><p>有些APP内置了证书校验(SSL Pinning),只信任预埋的证书,因此即使安装了Burp的证书,也无法通过校验,仍然不能抓包。</p><p>可以使用frida进行hook绕过,使用通用的绕过脚本或自己编写。这也说明证书绑定只能提高抓包门槛,服务端的鉴权和输入校验不能依赖它。</p><p>1)查找设备的CPU架构(ABI),下载对应架构的frida-server</p><div class="language-text line-numbers-mode" data-ext="text"><pre class="language-text"><code>adb shell getprop ro.product.cpu.abi
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div></div></div><p>2)推送frida到手机上</p><p>下载后解压,把解压后的文件使用adb命令上传到设备</p><div class="language-bash line-numbers-mode" data-ext="sh"><pre class="language-bash"><code><span class="token comment">#推送到设备</span>
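adb push C:\frida-server /data/local/tmp
# Grant execute permission. 755 is sufficient to run the binary; 777 would
# also make it writable by every user on the device.
adb shell chmod 755 /data/local/tmp/frida-server
# Start frida-server in the background. Stop it when the test session ends:
# while it runs, the device accepts instrumentation requests from the host.
adb shell /data/local/tmp/frida-server &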
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p>3)打开新终端,列出进程列表,找到包名</p><div class="language-bash line-numbers-mode" data-ext="sh"><pre class="language-bash"><code>frida-ps <span class="token parameter variable">-U</span>
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div></div></div><p>4)使用frida注入Hook脚本</p><p><a href="https://github.com/fdciabdul/Frida-Multiple-Bypass" target="_blank" rel="noopener noreferrer">https://github.com/fdciabdul/Frida-Multiple-Bypass<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span></a></p><div class="language-bash line-numbers-mode" data-ext="sh"><pre class="language-bash"><code><span class="token comment">#客户端注入</span>
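# Spawn the target package (-f) on the USB-connected device (-U) and load the
# hook script (-l). --no-pause is omitted: newer frida-tools releases no longer
# accept it and resume the spawned process by default. On an older release that
# still pauses at spawn, add --no-pause back or type %resume at the Frida prompt.
frida -U -f com.package.name -l C:\bypass.js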
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div></div></div><p>另一个hook脚本</p><div class="language-javascript line-numbers-mode" data-ext="js"><pre class="language-javascript"><code><span class="token comment">/*
Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/</span>
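// Frida hook: make the app trust the CA stored at /data/local/tmp/cert-der.crt
// by replacing the TrustManager array the app passes to SSLContext.init().
// Only TLS setups that go through this SSLContext.init overload are affected.
setTimeout(function () {
    Java.perform(function () {
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load the CA certificate from the file pushed to the device.
        console.log("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509");
        var fileInputStream;
        try {
            fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        } catch (err) {
            console.log("[o] " + err);
            // Without the certificate there is nothing to build a TrustManager
            // from, so stop here and leave the app's TLS setup unhooked.
            return;
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca;
        try {
            ca = cf.generateCertificate(bufferedInputStream);
        } finally {
            // Release the file handle even when the certificate fails to parse.
            bufferedInputStream.close();
        }

        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create an empty KeyStore and register the loaded CA as its only entry.
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManagerFactory backed by that KeyStore.
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        console.log("[+] Hijacking SSLContext methods now...")
        console.log("[-] Waiting for the app to invoke SSLContext.init()...")

        var initOverload = SSLContext.init.overload(
            "[Ljavax.net.ssl.KeyManager;",
            "[Ljavax.net.ssl.TrustManager;",
            "java.security.SecureRandom"
        );
        initOverload.implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            // The app's own TrustManager array (b) is dropped; the KeyManagers (a)
            // and the SecureRandom (c) are passed through unchanged.
            initOverload.call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        }
    });
}, 0);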
</code></pre><div class="line-numbers" aria-hidden="true"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div 
class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div></div><!----><footer class="page-meta"><div class="meta-item edit-link"><a href="https://github.com/wintrysec/edit/main/src/app.md" rel="noopener noreferrer" target="_blank" aria-label="编辑此页" class="nav-link label"><!--[--><svg xmlns="http://www.w3.org/2000/svg" class="icon edit-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="edit icon"><path d="M430.818 653.65a60.46 60.46 0 0 1-50.96-93.281l71.69-114.012 7.773-10.365L816.038 80.138A60.46 60.46 0 0 1 859.225 62a60.46 60.46 0 0 1 43.186 18.138l43.186 43.186a60.46 60.46 0 0 1 0 86.373L588.879 565.55l-8.637 8.637-117.466 68.234a60.46 60.46 0 0 1-31.958 11.229z"></path><path d="M728.802 962H252.891A190.883 190.883 0 0 1 62.008 771.98V296.934a190.883 190.883 0 0 1 190.883-192.61h267.754a60.46 60.46 0 0 1 0 120.92H252.891a69.962 69.962 0 0 0-69.098 69.099V771.98a69.962 69.962 0 0 0 69.098 69.098h475.911A69.962 69.962 0 0 0 797.9 771.98V503.363a60.46 60.46 0 1 1 120.922 0V771.98A190.883 190.883 0 0 1 728.802 962z"></path></svg><!--]-->编辑此页<span><svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path><polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg><span class="external-link-icon-sr-only">open in new window</span></span><!----></a></div><!----><!----></footer><!----><!----><!----><!--]--></main><!--]--><!----><!--]--></div><!--]--><!----><!----><!--]--></div>
<script type="module" src="/assets/app.3b9f01e1.js" defer></script>
</body>
</html>