Source: a friend from the group chat
Category: hash length extension attack, source code leak
Source: http://www.moonsos.com/post/256.html
Tools used: Linux, HashPump
Challenge text: none
CTF address: http://115.28.78.16:10026/hash/
Baidu Netdisk download: (none yet)
Opening the address returns a blank page. Look at the headers:
Ip: 115.28.78.16
Request URL: http://115.28.78.16:10026/hash/
Request Method: POST
Status Code: 200 OK
Request Proto: HTTP/1.1
Request Header
Content-Type:application/x-www-form-urlencoded;
Response Header
Date:Sun, 20 Aug 2017 15:05:22 GMT;
Vary:Accept-Encoding;
Set-Cookie:hint=295c2a4121224809b6576ab695d10b439a2a85b5; expires=Sun, 27-Aug-2017 15:05:22 GMT;
Server:nginx;
Connection:keep-alive;
X-Powered-By:PHP/5.4.41;
Content-Type:text/html;
The source code can be read from http://115.28.78.16:10026/hash/.index.php.swp (a leftover editor swap file, which is the source leak). The swap file has it on a single line; reformatted by hand it is the following. The one-line copy reads $COOKIE["token"] in the token comparison; it is written as $_COOKIE["token"] here, the only reading consistent with the token check succeeding later on.
<?php
$flag = 'flag{????}';
$salt = '???????????????';
$username = $_POST["username"];
$password = $_POST["password"];
if (!empty($_COOKIE["token"]))
{
    if (urldecode($username) === "admin" && urldecode($password) != "admin")
    {
        // token must equal sha1(salt . urldecode(username . password)); the password
        // is URL-decoded a second time here, after PHP's own decoding of the POST body
        if ($_COOKIE["token"] === sha1($salt . urldecode($username . $password)))
        {
            echo "Congratulations! You are a registered user.\n";
            die ("The flag is ". $flag);
        } else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    } else {
        die ("You are not an admin! LEAVE.");
    }
}
// reached only when there is no token cookie: hands out sha1(salt . "adminadmin") as a hint
setcookie("hint", sha1($salt . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
?>
When the address is opened with $_COOKIE["token"] empty, the page returns the SHA-1 hash of $salt . urldecode("admin" . "admin") as a cookie. If $_COOKIE["token"] is not empty, a series of checks runs instead.
From the cookies we can see: hint=295c2a4121224809b6576ab695d10b439a2a85b5;
I threw it at an online SHA-1 lookup site and that failed, so I searched Baidu and found a few similar articles (listed at the end).
So, on CentOS (Linux), install HashPump to carry out the attack:
git clone https://github.com/bwall/HashPump
yum install gcc-c++ openssl-devel
# on Debian/Ubuntu instead: apt-get install g++ libssl-dev
cd HashPump
make
make install
Python version (untested):
pip install hashpumpy
Run HashPump:
[root@iZuf6c363gqa4g5ecbbcdbZ ~]# hashpump
Input Signature: 295c2a4121224809b6576ab695d10b439a2a85b5
Input Data: admin
Input Key Length: 20
Input Data to Add: sb
2ee42cea7ef6c7ff586e06395ce316a243efd424
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8sb
Replace every \x with % and use the result as the password in the POST (the value shown below); set the token cookie to 2ee42cea7ef6c7ff586e06395ce316a243efd424 from the output above.
Input Signature: the value of hint from the cookies
Input Data: the username
Input Key Length: the length (20 = the 15 “?” characters above plus the length of admin = 20)
Input Data to Add: the password (anything you like, except admin)
As for why they are split up this way, I don't know either.
Submit:
Ip: 115.28.78.16
Request URL: http://115.28.78.16:10026/hash/
Request Method: POST
Status Code: 200 OK
Request Proto: HTTP/1.1
Request Header
Cookie:token=2ee42cea7ef6c7ff586e06395ce316a243efd424;
Content-Type:application/x-www-form-urlencoded;
username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8sb
Response Header
Content-Type:text/html;
X-Powered-By:PHP/5.4.41;
Server:nginx;
Date:Sun, 20 Aug 2017 14:53:17 GMT;
Connection:keep-alive;
Vary:Accept-Encoding;
Response text:
Congratulations! You are a registered user.
The flag is flag{ohyes_flag}
Cracked successfully.
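The same forgery in Python, as an added example that is not part of the original writeup or of HashPump: a minimal SHA-1 whose chaining state is resumed from the hint digest, the padding arithmetic behind the 20-byte key length, and a check against hashlib using a constructed 15-byte salt (the real salt is unknown and is never needed, which is the whole problem). On the server side, sha1($salt . $data) should be replaced by hash_hmac, which exposes no resumable state.

```python
import hashlib
import struct
from urllib.parse import quote
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block (FIPS 180-4), returning the new state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e))]

def sha1_padding(msg_len):
    """Bytes SHA-1 appends to a msg_len-byte message: 0x80, zeros, then the 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def extend_sha1(sig_hex, key_len, data, append):
    """From sig_hex = sha1(key + data) and only len(key), return (forged_hex, forged_data)
    with sha1(key + forged_data) == forged_hex, where forged_data = data + glue + append."""
    glue = sha1_padding(key_len + len(data))
    forged_data = data + glue + append
    # sig_hex is the chaining state right after key+data+glue (a block boundary), so
    # hashing simply resumes from it over append plus the padding for the full length.
    state = list(struct.unpack(">5I", bytes.fromhex(sig_hex)))
    tail = append + sha1_padding(key_len + len(forged_data))
    for off in range(0, len(tail), 64):
        state = _sha1_compress(state, tail[off:off + 64])
    return struct.pack(">5I", *state).hex(), forged_data

def demo(salt):
    """Forge a token from the hint cookie sha1(salt.'adminadmin') without knowing salt, then
    recompute it the way the PHP script does; returns (ok, percent-encoded password)."""
    hint = hashlib.sha1(salt + b"adminadmin").hexdigest()
    forged_hex, forged_pw = extend_sha1(hint, len(salt) + len(b"admin"), b"admin", b"sb")
    ok = forged_hex == hashlib.sha1(salt + b"admin" + forged_pw).hexdigest()
    return ok, quote(forged_pw, safe="")  # quote() is the writeup's "\x -> %" step
if __name__ == "__main__":
    print(demo(b"S" * 15))  # constructed 15-byte salt; the real one is unknown and not needed
```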
Related articles (the ones found above):
Hash length extension attacks and HashPump
School CTF writeup
http://www.cnblogs.com/pcat/p/5478509.html