首页
论坛
课程
招聘
[求助]使用frida绕过安卓App的SSL Pinning时出错
2019-11-1 17:29 3190

[求助]使用frida绕过安卓App的SSL Pinning时出错

2019-11-1 17:29
3190
最近在分析一个安卓app,发现它采用了SSL Pinning技术。

根据网上的教程,用frida进行绕过
https://www.freebuf.com/articles/terminal/214540.html
出现错误“ Failed to load script: remote Frida does not support the “runtime” option; please upgrade it

大家知道什么原因吗?

我的运行环境是:windows 7 64位,安装的python-3.7.5。frida-server-12.2.26-android-arm64,frida-12.7.16。root手机为nexus 5x,上面跑的是android 6.0.1。
绕过SSL pinning的脚本bypass-ssl.js来自于https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

setTimeout(function(){

    Java.perform(function (){

    console.log("");

    console.log("[.] Cert Pinning Bypass/Re-Pinning");


    var CertificateFactory = Java.use("java.security.cert.CertificateFactory");

    var FileInputStream = Java.use("java.io.FileInputStream");

    var BufferedInputStream = Java.use("java.io.BufferedInputStream");

    var X509Certificate = Java.use("java.security.cert.X509Certificate");

    var KeyStore = Java.use("java.security.KeyStore");

    var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");

    var SSLContext = Java.use("javax.net.ssl.SSLContext");


    // Load CAs from an InputStream

    console.log("[+] Loading our CA...")

    var cf = CertificateFactory.getInstance("X.509");

    

    try {

    var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");

    }

    catch(err) {

    console.log("[o] " + err);

    }

    

    var bufferedInputStream = BufferedInputStream.$new(fileInputStream);

  var ca = cf.generateCertificate(bufferedInputStream);

    bufferedInputStream.close();


var certInfo = Java.cast(ca, X509Certificate);

    console.log("[o] Our CA Info: " + certInfo.getSubjectDN());


    // Create a KeyStore containing our trusted CAs

    console.log("[+] Creating a KeyStore for our CA...");

    var keyStoreType = KeyStore.getDefaultType();

    var keyStore = KeyStore.getInstance(keyStoreType);

    keyStore.load(null, null);

    keyStore.setCertificateEntry("ca", ca);

    

    // Create a TrustManager that trusts the CAs in our KeyStore

    console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");

    var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();

    var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);

    tmf.init(keyStore);

    console.log("[+] Our TrustManager is ready...");


    console.log("[+] Hijacking SSLContext methods now...")

    console.log("[-] Waiting for the app to invoke SSLContext.init()...")


    SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {

    console.log("[o] App invoked javax.net.ssl.SSLContext.init...");

    SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);

    console.log("[+] SSLContext initialized with our custom TrustManager!");

    }

    });

},0);

急!急!急!望各位朋友支招,谢谢了。

第五届安全开发者峰会(SDC 2021)议题征集正式开启!

收藏
点赞0
打赏
分享
最新回复 (8)
雪    币: 59
活跃值: 活跃值 (394)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
iceway 活跃值 2019-11-1 19:58
2
0
https://github.com/frida/frida/issues/1013
雪    币: 3399
活跃值: 活跃值 (347)
能力值: ( LV8,RANK:127 )
在线值:
发帖
回帖
粉丝
elecs 活跃值 2 2019-11-1 21:37
3
0
谢谢,我试试看。
雪    币: 3399
活跃值: 活跃值 (347)
能力值: ( LV8,RANK:127 )
在线值:
发帖
回帖
粉丝
elecs 活跃值 2 2019-11-2 18:14
4
0
@iceway  文章给出的解决方案是更新FridaGadget.dylib。可我没用到它啊
雪    币: 3399
活跃值: 活跃值 (347)
能力值: ( LV8,RANK:127 )
在线值:
发帖
回帖
粉丝
elecs 活跃值 2 2019-11-4 14:33
5
0
仔细检查后,发现是frida和frida-server的版本不匹配造成的。原来安装的frida-12.7.16、 frida-server-12.2.26。

之前的问题虽然解决了,但执行绕过SSL Pinning脚本时还是出错了,提示Process terminated

雪    币: 205
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
shibaking 活跃值 2020-4-16 21:51
6
0
setImmediate
雪    币: 14
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
循环不计次 活跃值 2020-4-17 05:08
7
0
直接用objection一键搞定
雪    币: 2959
活跃值: 活跃值 (340)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
passself 活跃值 2020-4-17 09:20
8
0
循环不计次 直接用objection一键搞定
objection 相关资料有没,谢谢
雪    币: 0
活跃值: 活跃值 (58)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
jlcat 活跃值 2020-4-17 18:05
9
0
objection -g XXXXX explore 
android sslpinning disable --quiet
或者:
objection -g XXXXX explore --startup-command 'android sslpinning disable --quiet'
最后于 2020-4-17 18:05 被jlcat编辑 ,原因:
游客
登录 | 注册 方可回帖
返回