Fiddler Everywhere和HTTP

原创

无情剑客

修改于 2021-03-21 18:36:07

1.3K0

修改于 2021-03-21 18:36:07

文章被收录于专栏：Android逆向

Fiddler Everywhere中图标

The Live Traffic List uses the icons listed below to provide additional context for each recorded session. Hover on an icon on an entry in the Live Traffic list to trigger an explanatory tooltip.

完整版可参考: https://docs.telerik.com/fiddler-everywhere/user-guide/live-traffic/live-traffic

抓包

牛刀小时

修改百度搜索内容，Composer中可以输入修改请求参数。可以看出我将请求参数修改为%号了。

Connect

选取公众号的一篇文章千古第一骈文进行抓包。

对应上面的图标，可知The request used the HTTP CONNECT method - establishes a tunnel used for HTTPS traffic.

CONNECT mp.weixin.qq.com:443 HTTP/1.1
Host: mp.weixin.qq.com:443
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 51 77 BE 85 69 6F 64 15 B3 E2 C6 97 1E 91 26 53 5B 63 D6 97 01 C4 91 00 46 2E AB E6 0E 5F 5B EE
"Time": 2041/2/7 下午8:15:13
SessionID: 01 54 46 DA 04 9B 17 75 6C 56 0F 15 88 6B 6F FA AB EB AD E7 42 6C F3 0B DB C5 B7 C9 CA 11 66 00
Extensions: 
    grease (0x1a1a)    empty
    server_name    mp.weixin.qq.com
    extended_master_secret    empty
    renegotiation_info    00
    supported_groups    grease [0xdada], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats    uncompressed [0x0]
    SessionTicket    empty
    ALPN        h2, http/1.1
    status_request    OCSP - Implicit Responder
    signature_algs    ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512
    SignedCertTimestamp (RFC6962)    empty
    key_share    00 29 DA DA 00 01 00 00 1D 00 20 91 C0 DA D8 5E B4 87 6E B4 DC 15 06 F5 CF 07 2E FB 4E DA 86 C2 9F 5D 4D 07 BE 2E BF 48 E5 6D 7A
    psk_key_exchange_modes    01 01
    supported_versions    grease [0xfafa], Tls1.3, Tls1.2, Tls1.1
    0x001b        02 00 02
    grease (0x5a5a)    00
    padding        204 null bytes
Ciphers: 
    [1A1A]    Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
    [1301]    TLS_AES_128_GCM_SHA256
    [1302]    TLS_AES_256_GCM_SHA384
    [1303]    TLS_CHACHA20_POLY1305_SHA256
    [C02B]    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C02F]    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [C02C]    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C030]    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [CCA9]    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    [CCA8]    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [C013]    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014]    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [009C]    TLS_RSA_WITH_AES_128_GCM_SHA256
    [009D]    TLS_RSA_WITH_AES_256_GCM_SHA384
    [002F]    TLS_RSA_WITH_AES_128_CBC_SHA
    [0035]    TLS_RSA_WITH_AES_256_CBC_SHA

Compression: 
    [00]    NO_COMPRESSION

关于HTTPS，可参考通过Wireshark分析HTTPS(1)

HTTP的一些状态和字段

refer: 它就是表示一个来源。看下图的一个请求的 Referer 信息。

这里可以看出来源是从www.bt4kyy.com过来的[1].

403: 出现403是因为服务器拒绝了你的地址请求，很有可能是你根本就没权限访问网站，就算你提供了身份验证也没用。讲真，很有可能是你被禁止访问了。除非你与Web服务器管理员联系，否则一旦遇到403状态码都无法自行解决。

504: 代表网关超时（Gateway timeout），是指服务器作为网关或代理，但是没有及时从上游服务器收到请求。 204: 空内容服务器成功执行请求，但是没有返回信息。 0: 当rule设置为reset/drop的时候，Result是0。 drop: Close the client connection immediately without sending a response. reset: Reset the client connection immediately using a TCP/IP RST to the client. 关于RST：RST标示复位、用来异常的关闭连接。

•发送RST包关闭连接时，不必等缓冲区的包都发出去，直接就丢弃缓冲区中的包，发送RST。•而接收端收到RST包后，也不必发送ACK包来确认。

exit: Stop processing rules at this point.

下载文件的js脚本

知道需要下载文件的url，使用下面的脚本就可以实现下载。

<script type='text/javascript'>
top.location='https://down.7yolgame.com/***.apk';
</script>

Fiddler Everywhere中的正则表达式

官网中的String Literals功能感觉用途不太大，很多时候达不到要求，不知道什么原因根本没有作用，推测这个功能被废弃了。

这里主要看正则表达式: regex:(.*)www.ofgksa.com:10443/(.\*)[2] drop掉网站信息。

Meddler

目前只有exe程序，需要windows系统。个人理解，据此可以实现请求的拦截，响应的拦截等功能。

Meddler is a HTTP(S) Generation tool based around a simple but powerful JScript.NET event-based scripting subsystem. It's kinda like a basic nodeJS test server, but a little more user-friendly.

下面的代码是通过Fiddler Everywhere导出的Meddler script，运行的话需要windows安装meddler工具。

简单解释下代码，当又请求http://localhost:8088shakespeare/notes/29e0ba31fb8d/recommendations的时候，响应头和响应体会被设置。

import Meddler;
import System;
import System.Net.Sockets;
import System.Windows.Forms;

// Script generated by Fiddler2 export.
// You can set options for this script using the format:
//     ScriptOptions("StartURL" (where {$PORT} is autoreplaced by the Meddler port number), "Optional HTTPS Certificate Thumbprint", "Random # Seed")
public ScriptOptions("http://localhost:{$PORT}/shakespeare/notes/29e0ba31fb8d/recommendations")
class Handlers
{
    static function OnConnection(oSession: Session)
    {
    try {
        if (oSession.ReadRequest())
        {
            var oHeaders: ResponseHeaders = new ResponseHeaders();
            if (oSession.requestHeaders.Path == '/shakespeare/notes/29e0ba31fb8d/recommendations')
            {

                oHeaders.Version='HTTP/1.1';
                oHeaders.Status='200 OK';

                oHeaders.Add('Server', 'Tengine');
                oHeaders.Add('Date', 'Sun, 14 Mar 2021 11:06:42 GMT');
                oHeaders.Add('Content-Type', 'application/json; charset=utf-8');
                oHeaders.Add('Transfer-Encoding', 'chunked');
                oHeaders.Add('Connection', 'keep-alive');
                oHeaders.Add('Vary', 'Accept-Encoding');
                oHeaders.Add('X-Frame-Options', 'DENY');
                oHeaders.Add('X-XSS-Protection', '1; mode=block');
                oHeaders.Add('X-Content-Type-Options', 'nosniff');
                oHeaders.Add('ETag', 'W/"2ef5130a02844285dd24b1944b547bfb"');
                oHeaders.Add('Cache-Control', 'max-age=0, private, must-revalidate');
                oHeaders.Add('Set-Cookie', 'locale=zh-CN; path=/');
                oHeaders.Add('Set-Cookie', '_m7e_session_core=31e97c979dd3afee7d6cb2e17c9bc8ec; domain=.jianshu.com; path=/; expires=Sun, 14 Mar 2021 17:06:42 -0000; secure; HttpOnly');
                oHeaders.Add('X-Request-Id', 'be8871a7-fe3d-43e8-a4dd-93b527b8e3f0');
                oHeaders.Add('X-Runtime', '0.089191');
                oHeaders.Add('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
                oHeaders.Add('Content-Encoding', 'gzip');
                oSession.WriteString(oHeaders);

                oSession.WriteBytes(Convert.FromBase64String('MjAxDQofiwgAAAAAAAADrdJNaxNBGAfwr7LsOS/zPrM56kW8KGygB5Ew2Z1Np1l3l85GD1LQgjEiLYVSsfQQREQvIuLBFqP9MJrd9JSv4NRKEre9CD3tMg8z/H/P89x77OrQbXGBGOMU1FwTD3puywVR6KEgCAClyq25sTZ5Rz+QPdUZbMa2vp7nmWk1m4MsTmVY/1MyjQ0tE7M+aOj0b+HijmlCT3iUQFEHoUBRSAjnQcRBROzbuc5jZZ+cnb6ejoa/jneK42fOzTTta/XzyVNfGaPTxP610746/95ea88nY3vxoVaPTCdIB0nutiDEwMaPdV8tz4jYql0ABcSMQ4QWQC4FUgxCIrB3HUCCiAcBqSsiCMMM2MYxjhVqZElvBVmOP57t/yh23013x+XesKogFFcNCwEBAgAPLgQQQ8EBQop2wbUIMLAAXIdddp6dcmU7xhlqbGSrglvt9l1/9ulr8Xl7dvq8/PCyaoDQdvnfOSynADyAOV8aFLQHgYwwplcZVjo33Tkot0/Kw2/T7wfzycjXSS9Wjq97iXMnmU9ezN6/nQ6/FK9OijejS5EAJ9VMcBEKIE49QhehSGiHJykMwm54Vaj/3H2BIPCY7StFEYuwlF0lhZTVzfCzTUtybqRp7iDn7GhYjPacNdU1adBX+SWR3bCKCKGt+78BXVuLgs8DAAANCjANCg0K'));
                oSession.CloseSocket(); return;
            }
        }
        oSession.CloseSocket();
        }
        catch(e) {MeddlerObject.Log.LogString("Script threw exception\n"+e);}
    }
}