Fiddler Everywhere中图标
The Live Traffic List uses the icons listed below to provide additional context for each recorded session. Hover on an icon on an entry in the Live Traffic list to trigger an explanatory tooltip.
完整版可参考: https://docs.telerik.com/fiddler-everywhere/user-guide/live-traffic/live-traffic
抓包
牛刀小时
修改百度搜索内容,Composer中可以输入修改请求参数。可以看出我将请求参数修改为%号了。
Connect
选取公众号的一篇文章千古第一骈文进行抓包。
对应上面的图标,可知The request used the HTTP CONNECT method - establishes a tunnel used for HTTPS traffic.
代码语言:javascript复制CONNECT mp.weixin.qq.com:443 HTTP/1.1
Host: mp.weixin.qq.com:443
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: 51 77 BE 85 69 6F 64 15 B3 E2 C6 97 1E 91 26 53 5B 63 D6 97 01 C4 91 00 46 2E AB E6 0E 5F 5B EE
"Time": 2041/2/7 下午8:15:13
SessionID: 01 54 46 DA 04 9B 17 75 6C 56 0F 15 88 6B 6F FA AB EB AD E7 42 6C F3 0B DB C5 B7 C9 CA 11 66 00
Extensions:
grease (0x1a1a) empty
server_name mp.weixin.qq.com
extended_master_secret empty
renegotiation_info 00
supported_groups grease [0xdada], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
SessionTicket empty
ALPN h2, http/1.1
status_request OCSP - Implicit Responder
signature_algs ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512
SignedCertTimestamp (RFC6962) empty
key_share 00 29 DA DA 00 01 00 00 1D 00 20 91 C0 DA D8 5E B4 87 6E B4 DC 15 06 F5 CF 07 2E FB 4E DA 86 C2 9F 5D 4D 07 BE 2E BF 48 E5 6D 7A
psk_key_exchange_modes 01 01
supported_versions grease [0xfafa], Tls1.3, Tls1.2, Tls1.1
0x001b 02 00 02
grease (0x5a5a) 00
padding 204 null bytes
Ciphers:
[1A1A] Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
[1301] TLS_AES_128_GCM_SHA256
[1302] TLS_AES_256_GCM_SHA384
[1303] TLS_CHACHA20_POLY1305_SHA256
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
Compression:
[00] NO_COMPRESSION
关于HTTPS,可参考 通过Wireshark分析HTTPS(1)
HTTP的一些状态和字段
refer: 它就是表示一个来源。看下图的一个请求的 Referer 信息。
这里可以看出来源是从www.bt4kyy.com过来的[1].
403: 出现403是因为服务器拒绝了你的地址请求,很有可能是你根本就没权限访问网站,就算你提供了身份验证也没用。讲真,很有可能是你被禁止访问了。 除非你与Web服务器管理员联系,否则一旦遇到403状态码都无法自行解决。
504: 代表网关超时 (Gateway timeout),是指服务器作为网关或代理,但是没有及时从上游服务器收到请求。 204: 空内容 服务器成功执行请求,但是没有返回信息。 0: 当rule设置为reset/drop的时候,Result是0。 drop: Close the client connection immediately without sending a response. reset: Reset the client connection immediately using a TCP/IP RST to the client. 关于RST:RST标示复位、用来异常的关闭连接。
•发送RST包关闭连接时,不必等缓冲区的包都发出去,直接就丢弃缓冲区中的包,发送RST。•而接收端收到RST包后,也不必发送ACK包来确认。
exit: Stop processing rules at this point.
下载文件的js脚本
知道需要下载文件的url,使用下面的脚本就可以实现下载。
代码语言:javascript复制<script type='text/javascript'>
top.location='https://down.7yolgame.com/***.apk';
</script>
Fiddler Everywhere中的正则表达式
官网中的String Literals功能感觉用途不太大,很多时候达不到要求,不知道什么原因根本没有作用,推测这个功能被废弃了。
这里主要看正则表达式: regex:(.*)www.ofgksa.com:10443/(.*)[2] drop掉网站信息。
Meddler
目前只有exe程序,需要windows系统。个人理解,据此可以实现请求的拦截,响应的拦截等功能。
Meddler is a HTTP(S) Generation tool based around a simple but powerful JScript.NET event-based scripting subsystem. It's kinda like a basic nodeJS test server, but a little more user-friendly.
下面的代码是通过Fiddler Everywhere导出的Meddler script,运行的话需要windows安装meddler工具。
简单解释下代码,当又请求http://localhost:8088shakespeare/notes/29e0ba31fb8d/recommendations的时候,响应头和响应体会被设置。
代码语言:javascript复制import Meddler;
import System;
import System.Net.Sockets;
import System.Windows.Forms;
// Script generated by Fiddler2 export.
// You can set options for this script using the format:
// ScriptOptions("StartURL" (where {$PORT} is autoreplaced by the Meddler port number), "Optional HTTPS Certificate Thumbprint", "Random # Seed")
public ScriptOptions("http://localhost:{$PORT}/shakespeare/notes/29e0ba31fb8d/recommendations")
class Handlers
{
static function OnConnection(oSession: Session)
{
try {
if (oSession.ReadRequest())
{
var oHeaders: ResponseHeaders = new ResponseHeaders();
if (oSession.requestHeaders.Path == '/shakespeare/notes/29e0ba31fb8d/recommendations')
{
oHeaders.Version='HTTP/1.1';
oHeaders.Status='200 OK';
oHeaders.Add('Server', 'Tengine');
oHeaders.Add('Date', 'Sun, 14 Mar 2021 11:06:42 GMT');
oHeaders.Add('Content-Type', 'application/json; charset=utf-8');
oHeaders.Add('Transfer-Encoding', 'chunked');
oHeaders.Add('Connection', 'keep-alive');
oHeaders.Add('Vary', 'Accept-Encoding');
oHeaders.Add('X-Frame-Options', 'DENY');
oHeaders.Add('X-XSS-Protection', '1; mode=block');
oHeaders.Add('X-Content-Type-Options', 'nosniff');
oHeaders.Add('ETag', 'W/"2ef5130a02844285dd24b1944b547bfb"');
oHeaders.Add('Cache-Control', 'max-age=0, private, must-revalidate');
oHeaders.Add('Set-Cookie', 'locale=zh-CN; path=/');
oHeaders.Add('Set-Cookie', '_m7e_session_core=31e97c979dd3afee7d6cb2e17c9bc8ec; domain=.jianshu.com; path=/; expires=Sun, 14 Mar 2021 17:06:42 -0000; secure; HttpOnly');
oHeaders.Add('X-Request-Id', 'be8871a7-fe3d-43e8-a4dd-93b527b8e3f0');
oHeaders.Add('X-Runtime', '0.089191');
oHeaders.Add('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
oHeaders.Add('Content-Encoding', 'gzip');
oSession.WriteString(oHeaders);
oSession.WriteBytes(Convert.FromBase64String('MjAxDQofiwgAAAAAAAADrdJNaxNBGAfwr7LsOS/zPrM56kW8KGygB5Ew2Z1Np1l3l85GD1LQgjEiLYVSsfQQREQvIuLBFqP9MJrd9JSv4NRKEre9CD3tMg8z/H/P89x77OrQbXGBGOMU1FwTD3puywVR6KEgCAClyq25sTZ5Rz QPdUZbMa2vp7nmWk1m4MsTmVY/1MyjQ0tE7M aOj0b HijmlCT3iUQFEHoUBRSAjnQcRBROzbuc5jZZ cnb6ejoa/jneK42fOzTTta/XzyVNfGaPTxP610746/95ea88nY3vxoVaPTCdIB0nutiDEwMaPdV8tz4jYql0ABcSMQ4QWQC4FUgxCIrB3HUCCiAcBqSsiCMMM2MYxjhVqZElvBVmOP57t/yh23013x XesKogFFcNCwEBAgAPLgQQQ8EBQop2wbUIMLAAXIdddp6dcmU7xhlqbGSrglvt9l1/9ulr8Xl7dvq8/PCyaoDQdvnfOSynADyAOV8aFLQHgYwwplcZVjo33Tkot0/Kw2/T7wfzycjXSS9Wjq97iXMnmU9ezN6/nQ6/FK9OijejS5EAJ9VMcBEKIE49QhehSGiHJykMwm54Vaj/3H2BIPCY7StFEYuwlF0lhZTVzfCzTUtybqRp7iDn7GhYjPacNdU1adBX SWR3bCKCKGt 78BXVuLgs8DAAANCjANCg0K'));
oSession.CloseSocket(); return;
}
}
oSession.CloseSocket();
}
catch(e) {MeddlerObject.Log.LogString("Script threw exceptionn" e);}
}
}
公众号
更多内容, 欢迎关注我的微信公众号: 无情剑客。
References
[1]
www.bt4kyy.com过来的: http://www.bt4kyy.com过来的
[2]
www.ofgksa.com:10443/(.*): http://www.ofgksa.com:10443/(.*)