Value generated by a JSR223 PreProcessor looks like garbage data after encryption

Question (votes: 0, answers: 1)

Our website generates dynamic login keys using AES. Now, since I am not using the encrypt.js code that they use on the website,

I tried to copy this part of the code from the website using Groovy:

var type = "DATABASE";
a2 = encrypt.AESEncrypt(a2, "SL1LXZP20GGGL262QIVWYURY", 256);
document.forms[0].a3.value = a2;
document.forms[0].a2.value = a2n;
document.forms[0].txtResFrac.value = screen.width;
if (getControlPrefix.prefix) {
    return getControlPrefix.prefix;
}

I copied the code from https://groovy.apache.org/blog/encryption-and-decryption-with-groovy and replaced the var text with

var a2 = vars.get('password'); << taken from the user-defined variables
var a3 = ""; << this is the parameter from the website login page

I am using this code to pass the encrypted value, because I need to pass it back to the website as the login key

vars.put("a3","${new String(encrypted)}");

The values read by the website are

userid=PERFUNIADM05
password=Password_1 << This is user-defined variable
a2=********** << This is the masked password from user-defined variable  
a3=h(Dl�cg[25�z3h << This is the encrypted value using the code from this https://groovy.apache.org/blog/encryption-and-decryption-with-groovy.
This is being pass to the application server for authentication.
But since it cannot read it, the application is throwing an error.
encryption=EBWZJQ7XNGJN53MN7I50N2XQJ71T9LK3 << This key came from the Welcome.do page generated from encrypt.js embedded in the page.

This is the error in the server log

29.02.2024 23:21:21,133 DEBUG [org.apache.coyote.http11] JBWEB003028: Start processing with input [txtUserid=PERFUNIADM06&a2=**********
&**a3=%07%EF%BF%BDC%05%2F%EF%BF%BD%EF%BF%BD%60%EF%BF%BD%EF%BF%BD%C6%B6%EF%BF%BD3%09%EF%BF%BD**&txtpasswd=I+am+an+idiot.&cmbOrgCodes=001&submit=Sign+in&txtResFrac=1920]
29.02.2024 23:21:21,133 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/collections]] (http-/0.0.0.0:50443-17) I am in Timer Filter 
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.util.RequestUtils] Get module name for path /loginAction.do
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.action.RequestProcessor] Processing a 'POST' for path '/loginAction'
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.util.RequestUtils] Looking for ActionForm bean instance in scope 'session' under attribute key 'personalizeActionform'
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.util.RequestUtils] Recycling existing DynaActionForm instance of type 'personalizeActionform'
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.action.RequestProcessor] Storing ActionForm bean instance in scope 'session' under attribute key 'personalizeActionform'
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.action.RequestProcessor] Populating bean properties from this request
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.BeanUtils] BeanUtils.populate(DynaActionForm[dynaClass=personalizeActionform,a1=,a2=,a3=,txtpasswd=,txtUserid=,cmblayout=,cmbOrgCodes=,txtMenuCode=,txtResFrac=,cmblocale=,txtMultipleOrg=,cmbtemplates=], {a2=[Ljava.lang.String;@7a6fe440, a3=[Ljava.lang.String;@5cfc5339, txtpasswd=[Ljava.lang.String;@2212b535, txtUserid=[Ljava.lang.String;@2b9b67ba, submit=[Ljava.lang.String;@2ed3cb6d, cmbOrgCodes=[Ljava.lang.String;@10083015, txtResFrac=[Ljava.lang.String;@2784843c})
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string '**********' to class 'java.lang.String'
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] **Convert string '�C/��`��ƶ�3 �' to class 'java.lang.String'**
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'I am an idiot.' to class 'java.lang.String'
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'PERFUNIADM06' to class 'java.lang.String'
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string '001' to class 'java.lang.String'
29.02.2024 23:21:21,133 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string '1920' to class 'java.lang.String'
29.02.2024 23:21:21,133 DEBUG [org.apache.struts.action.RequestProcessor] Looking for Action instance for class indus.collproj.action.security.LoginAction
29.02.2024 23:21:21,133 ERROR [stderr] java.lang.StringIndexOutOfBoundsException: String index out of range: 15
29.02.2024 23:21:21,134 ERROR [stderr]  at java.lang.String.charAt(String.java:658)
29.02.2024 23:21:21,134 ERROR [stderr]  at indus.common.security.aas.AES_Algorithm.decodeBase64(AES_Algorithm.java:352)
29.02.2024 23:21:21,134 ERROR [stderr]  at indus.common.security.aas.AES_Algorithm.AESDecrypt(AES_Algorithm.java:250)
29.02.2024 23:21:21,134 ERROR [stderr]  at indus.collproj.action.security.LoginAction.login(LoginAction.java:95)

What should I do to get a key that the website can read, so that it authenticates correctly?

encryption groovy jmeter jsr223
1 Answer

0 votes

I think you need to replace this one:

vars.put("a3","${new String(encrypted)}");

with this:

vars.put("a3", new String(encrypted));

See the Strings chapter of the Groovy documentation for more details

Also consider providing a minimal reproducible example, because we don't know what your encrypt.AESEncrypt does and what it returns. If you have the "website function" source code, it might be worth sharing it as well, so that you get the most comprehensive help

And AES is a generic term; the implementation can be at least one of the following

  • AES/CBC/NoPadding (128)
  • AES/CBC/PKCS5Padding (128)
  • AES/ECB/NoPadding (128)
  • AES/ECB/PKCS5Padding (128)

See the Apache Groovy: What Is Groovy Used For? article for more information on Groovy scripting in JMeter.
