During app testing, if Burp cannot capture any packets or the app reports a network error, it may be because the app has SSL pinning enabled. I recently ran into an APK in exactly this situation, hence this article. 0x01 How SSL Pinning works: SSL pinning, i.e. certificate pinning, embeds the server's SSL/TLS certificate in the mobile app client; when the client makes a request, it compares the built-in certificate with the server's certificate to determine whether this...
/* Android SSL Re-pinning frida script v0.2 030417-pier $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/ UPDATE 20191605: F...
Grant frida-server permissions: Set up BurpSuite: Push the proxy's CA certificate: Script injection to bypass SSL pinning: I. Push the fridascript.js script to the device: II. Check and run the frida server on the device III. List all running processes on the device V. Hook fridascript.js into the target application: VI. Bypass! In short: Troubleshooting ...
Remember: when testing other associated apps, first hook the account app to disable SSL pinning; in other words, to capture traffic you need to know that this app may be linked to other apps, and then disable SSL pinning in those related apps as well. Script injection to bypass SSL pinning: we need to download the injection script from below; we will inject this script into the target application on the device. Alternatively, you can save this code as fridascript.js in the same folder as adb.
Squareup CertificatePinner [OkHTTP<v3] (double bypass) Squareup OkHostnameVerifier [OkHTTP v3] (double bypass) Android WebViewClient (double bypass) Apache Cordova WebViewClient Boye AbstractVerifier FridaContainer invocation: FCAnd.anti.anti_ssl_unpinning(); ...
This part of the code is mainly adapted from: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/ Supports SSL validation bypass for 20 kinds of libraries: TrustManager (Android < 7) TrustManagerImpl (Android > 7) OkHTTPv3 (quadruple bypass) Trustkit (triple bypass) Appcelerator Titanium ...
Java.perform(function() {
  /* hook list:
     1. SSLContext
     2. okhttp
     3. webview
     4. XUtils
     5. httpclientandroidlib
     6. JSSE
     7. network_security_config (android 7.0+)
     8. Apache Http client (support partly)
     9. OpenSSLSocketImpl
     10. TrustKit
     11. Cronet */
  // Attempts to bypass SSL pinning implementations in...
  .implementation = function(a, b, c) {
    console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
    SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
    console.log("[+] SSL...