Icons in Fiddler Everywhere
The Live Traffic List uses the icons listed below to provide additional context for each recorded session. Hover on an icon on an entry in the Live Traffic list to trigger an explanatory tooltip. The full reference is at: https://docs.telerik.com/fiddler-everywhere/user-guide/live-traffic/live-traffic
Packet capture
A quick test
Modifying the content of a Baidu search: in Composer you can edit the request parameters. In the figure you can see that I changed the request parameter to a % sign.
CONNECT
Pick an article from a WeChat official account, 千古第一駢文, and capture its traffic.
From the icon shown above we can tell: The request used the HTTP CONNECT method - establishes a tunnel used for HTTPS traffic.
CONNECT mp.weixin.qq.com:443 HTTP/1.1
Host: mp.weixin.qq.com:443
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 51 77 BE 85 69 6F 64 15 B3 E2 C6 97 1E 91 26 53 5B 63 D6 97 01 C4 91 00 46 2E AB E6 0E 5F 5B EE
"Time": 2041/2/7 下午8:15:13
SessionID: 01 54 46 DA 04 9B 17 75 6C 56 0F 15 88 6B 6F FA AB EB AD E7 42 6C F3 0B DB C5 B7 C9 CA 11 66 00
Extensions:
    grease (0x1a1a) empty
    server_name mp.weixin.qq.com
    extended_master_secret empty
    renegotiation_info 00
    supported_groups grease [0xdada], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats uncompressed [0x0]
    SessionTicket empty
    ALPN h2, http/1.1
    status_request OCSP - Implicit Responder
    signature_algs ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512
    SignedCertTimestamp (RFC6962) empty
    key_share 00 29 DA DA 00 01 00 00 1D 00 20 91 C0 DA D8 5E B4 87 6E B4 DC 15 06 F5 CF 07 2E FB 4E DA 86 C2 9F 5D 4D 07 BE 2E BF 48 E5 6D 7A
    psk_key_exchange_modes 01 01
    supported_versions grease [0xfafa], Tls1.3, Tls1.2, Tls1.1
    0x001b 02 00 02
    grease (0x5a5a) 00
    padding 204 null bytes
Ciphers:
    [1A1A] Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
    [1301] TLS_AES_128_GCM_SHA256
    [1302] TLS_AES_256_GCM_SHA384
    [1303] TLS_CHACHA20_POLY1305_SHA256
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    [CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
    [009D] TLS_RSA_WITH_AES_256_GCM_SHA384
    [002F] TLS_RSA_WITH_AES_128_CBC_SHA
    [0035] TLS_RSA_WITH_AES_256_CBC_SHA
Compression:
    [00] NO_COMPRESSION
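As an added example (not part of the original post), a small Python parser for the Ciphers section of the ClientHello dump Fiddler prints for a CONNECT session. It separates GREASE placeholder values (the "Unrecognized cipher" entries such as 0x1A1A) from real suites and flags the TLS_RSA_* suites, which use static RSA key exchange and give no forward secrecy. The sample text is a constructed excerpt in Fiddler's format using suites from the capture above.

```python
import re

# Constructed excerpt in the layout Fiddler uses for the Ciphers section.
FIDDLER_CIPHERS = """Ciphers:
    [1A1A] Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
    [1301] TLS_AES_128_GCM_SHA256
    [1302] TLS_AES_256_GCM_SHA384
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
    [0035] TLS_RSA_WITH_AES_256_CBC_SHA
Compression:
    [00] NO_COMPRESSION
"""

CIPHER_LINE = re.compile(r"^\s*\[([0-9A-Fa-f]{4})\]\s+(\S+)")

def is_grease(code):
    # GREASE values (RFC 8701) have the form 0x?A?A with both bytes equal,
    # e.g. 0x1A1A, 0xDADA; servers must ignore them, they are not real suites.
    return (code & 0x0F0F) == 0x0A0A and (code >> 8) == (code & 0xFF)

def classify(code, name):
    if is_grease(code):
        return "grease"
    if 0x1301 <= code <= 0x1305:
        return "tls13"                  # TLS 1.3 suites, always (EC)DHE
    if "_ECDHE_" in name or "_DHE_" in name:
        # Ephemeral key exchange; CBC-SHA variants are legacy but forward secret.
        return "forward-secret-cbc" if "_CBC_" in name else "forward-secret"
    return "no-forward-secrecy"         # static RSA key exchange (TLS_RSA_*)

def parse_ciphers(text):
    """Return [(code, name, class)] for every suite under 'Ciphers:'."""
    out, in_ciphers = [], False
    for line in text.splitlines():
        if line.startswith("Ciphers:"):
            in_ciphers = True
            continue
        if in_ciphers and line and not line[0].isspace():
            break                       # next section, e.g. 'Compression:'
        m = CIPHER_LINE.match(line) if in_ciphers else None
        if m:
            code, name = int(m.group(1), 16), m.group(2)
            out.append((code, name, classify(code, name)))
    return out

def summarize(text):
    counts = {}
    for _, _, cls in parse_ciphers(text):
        counts[cls] = counts.get(cls, 0) + 1
    return counts
```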
For more on HTTPS, see 通過Wireshark分析HTTPS(1) (Analyzing HTTPS with Wireshark, part 1).
Some HTTP status codes and header fields
Referer: it indicates where a request came from. Look at the Referer information of the request in the figure below; here you can see the request came from www.bt4kyy.com [1].
403: A 403 appears because the server refused the request for that address. Most likely you simply do not have permission to access the site, and providing credentials will not help. Frankly, you have very probably been banned. Unless you contact the web server administrator, a 403 status code cannot be resolved on your own.
504: Gateway timeout. The server, acting as a gateway or proxy, did not receive a timely response from the upstream server.
204: No Content. The server processed the request successfully but returned no information.
0: When a rule is set to reset/drop, the Result column shows 0.
drop: Close the client connection immediately without sending a response.
reset: Reset the client connection immediately using a TCP/IP RST to the client.
About RST: the RST flag means "reset"; it is used to close a connection abnormally.
When a connection is closed with an RST packet, there is no need to wait for the buffered packets to be sent: the packets in the buffer are discarded and the RST is sent immediately.
When the receiving end gets the RST packet, it does not need to send an ACK to confirm it either.
exit: Stop processing rules at this point.
JS script for downloading a file
Once you know the URL of the file to download, the script below performs the download.
<script type='text/javascript'>top.location='https://down.7yolgame.com/***.apk';</script>
Regular expressions in Fiddler Everywhere
The String Literals feature described on the official site does not feel very useful; often it does not meet the need, and for some unknown reason it simply has no effect. I suspect this feature has been deprecated.
Here we focus on the regular expression: regex:(.*)www.ofgksa.com:10443/(.*) [2], which drops that site's traffic.
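As an added example (not from the post or from Fiddler Everywhere itself), a small Python model of the rule actions described above (drop, reset, exit) applied to the regex rule from the post. It uses Python's re module as a stand-in for Fiddler's matcher, and it also shows a caveat of the rule as written: the unescaped dots in www.ofgksa.com match any character, so the rule is broader than the hostname it names; literal_host_rule builds the strict form. The second and third rules are constructed for illustration.

```python
import re

# Each rule is (pattern, action). The first pattern is the one from the post;
# the other two are constructed to show rule ordering and the 'exit' action.
RULES = [
    ("regex:(.*)www.ofgksa.com:10443/(.*)", "drop"),
    ("regex:(.*)example-cdn.test/(.*)", "exit"),
    ("regex:(.*)", "reset"),            # constructed catch-all, last in the list
]

def compile_rule(spec):
    # The 'regex:' prefix means the remainder is a regular expression, in which
    # an unescaped '.' matches any single character.
    if not spec.startswith("regex:"):
        raise ValueError("only regex: rules are modelled here")
    return re.compile(spec[len("regex:"):])

def literal_host_rule(host):
    # Strict variant: escape the host so its dots only match real dots.
    return "regex:(.*)" + re.escape(host) + "/(.*)"

def evaluate(url, rules=RULES):
    """Walk the rules in order; return (action, result_code).

    drop/reset close the connection, so the Live Traffic list shows Result 0.
    exit stops rule processing and lets the request through unchanged.
    """
    for spec, action in rules:
        if compile_rule(spec).search(url):
            if action in ("drop", "reset"):
                return action, 0
            if action == "exit":
                return "exit", None
    return "pass", None
```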
Meddler
Currently only an exe program is available, so it requires Windows. As I understand it, it can be used to implement request interception, response interception and similar functions.
Meddler is a HTTP(S) Generation tool based around a simple but powerful JScript.NET event-based scripting subsystem. It's kinda like a basic nodeJS test server, but a little more user-friendly.
The code below is a Meddler script exported from Fiddler Everywhere; to run it, the Meddler tool must be installed on Windows.
A brief explanation of the code: when a request for http://localhost:8088/shakespeare/notes/29e0ba31fb8d/recommendations arrives, the response headers and response body are set.
import Meddler;
import System;
import System.Net.Sockets;
import System.Windows.Forms;

// Script generated by Fiddler2 export.
// You can set options for this script using the format:
// ScriptOptions("StartURL" (where {$PORT} is autoreplaced by the Meddler port number), "Optional HTTPS Certificate Thumbprint", "Random # Seed")
public ScriptOptions("http://localhost:{$PORT}/shakespeare/notes/29e0ba31fb8d/recommendations")
class Handlers
{
    // Called once per client connection; the handler reads one request and answers it.
    static function OnConnection(oSession: Session)
    {
        try
        {
            if (oSession.ReadRequest())
            {
                var oHeaders: ResponseHeaders = new ResponseHeaders();
                // Only the recorded path gets the canned response; anything else is just closed.
                if (oSession.requestHeaders.Path == '/shakespeare/notes/29e0ba31fb8d/recommendations')
                {
                    oHeaders.Version='HTTP/1.1';
                    oHeaders.Status='200 OK';
                    oHeaders.Add('Server', 'Tengine');
                    oHeaders.Add('Date', 'Sun, 14 Mar 2021 11:06:42 GMT');
                    oHeaders.Add('Content-Type', 'application/json; charset=utf-8');
                    oHeaders.Add('Transfer-Encoding', 'chunked');
                    oHeaders.Add('Connection', 'keep-alive');
                    oHeaders.Add('Vary', 'Accept-Encoding');
                    oHeaders.Add('X-Frame-Options', 'DENY');
                    oHeaders.Add('X-XSS-Protection', '1; mode=block');
                    oHeaders.Add('X-Content-Type-Options', 'nosniff');
                    oHeaders.Add('ETag', 'W/"2ef5130a02844285dd24b1944b547bfb"');
                    oHeaders.Add('Cache-Control', 'max-age=0, private, must-revalidate');
                    oHeaders.Add('Set-Cookie', 'locale=zh-CN; path=/');
                    oHeaders.Add('Set-Cookie', '_m7e_session_core=31e97c979dd3afee7d6cb2e17c9bc8ec; domain=.jianshu.com; path=/; expires=Sun, 14 Mar 2021 17:06:42 -0000; secure; HttpOnly');
                    oHeaders.Add('X-Request-Id', 'be8871a7-fe3d-43e8-a4dd-93b527b8e3f0');
                    oHeaders.Add('X-Runtime', '0.089191');
                    oHeaders.Add('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
                    oHeaders.Add('Content-Encoding', 'gzip');
                    oSession.WriteString(oHeaders);
                    // The recorded body is written as raw bytes: chunked framing around the gzip data.
                    oSession.WriteBytes(Convert.FromBase64String('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'));
                    oSession.CloseSocket();
                    return;
                }
            }
            oSession.CloseSocket();
        }
        catch(e) {MeddlerObject.Log.LogString("Script threw exception\n"+e);}
    }
}
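An added example, not from the post or from Meddler: the exported script declares Content-Encoding: gzip and Transfer-Encoding: chunked, so the bytes it writes after the headers must be a gzip-compressed body wrapped in chunk framing. This Python helper builds such a body from a constructed JSON document (standing in for the base64 blob) and decodes it back, validating the framing, which is what you need when hand-editing the body of a script like this.

```python
import gzip
import json

# Constructed stand-in for the recorded JSON body of the recommendations response.
SAMPLE_BODY = {"recommendations": [{"id": "29e0ba31fb8d", "title": "constructed"}]}

def encode_body(obj):
    """Apply both layers the headers promise: gzip first, then chunked framing."""
    raw = json.dumps(obj, ensure_ascii=False).encode("utf-8")
    gz = gzip.compress(raw, mtime=0)            # mtime=0 keeps the bytes deterministic
    # A single data chunk (hex size, CRLF, data, CRLF) then the zero-size terminator.
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)

def decode_body(wire):
    """Undo chunked framing, then gunzip, then parse JSON; rejects bad framing."""
    data, pos = b"", 0
    while True:
        end = wire.index(b"\r\n", pos)          # end of the hex size line
        size = int(wire[pos:end], 16)
        pos = end + 2
        if size == 0:
            if wire[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF after last chunk")
            break
        data += wire[pos:pos + size]
        if wire[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2
    return json.loads(gzip.decompress(data).decode("utf-8"))
```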
For more content, follow my WeChat official account: 無情劍客.