Secat's Blog

学习·记录

这世界变化快的真是铃儿响叮当


Hash长度扩展攻击

0x00 什么是hash长度扩展攻击

http://www.freebuf.com/articles/web/69264.html http://www.cnblogs.com/pcat/p/5478509.html

0x01 让我进去[Web]

http://www.shiyanbar.com/ctf/1848 tag:hash长度扩展攻击

post方式提交,抓包查看有没有能用的东西,在cookies下发现 Cookie: sample-hash=571580b26c65f306376d4f64e53cb5c7; source=0; PHPSESSID=g14ncg1g13ehlcv8198ubap361 将source改成1后forward,发现源代码,如下(有些注释是我自己加的):

$flag = "XXXXXXXXXXXXXXXXXXXXXXX"; 
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!
 
$username = $_POST["username"]; 
$password = $_POST["password"]; 

if (!empty($_COOKIE["getmein"])) {
	//username为admin,password不能是admin但是要以admin开头
	if (urldecode($username) === "admin" && urldecode($password) != "admin") {
		if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) { 
			echo "Congratulations! You are a registered user.\n"; 
			die ("The flag is ". $flag); 
		} 
		else { 
			die ("Your cookies don't match up! STOP HACKING THIS SITE."); 
		}
	 } 
	else { 
		die ("You are not an admin! LEAVE."); 
	} 
} 
//表明sample-hash这个值是由15字节长的salt串加上adminadmin后经MD5加密得出
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));

if (empty($_COOKIE["source"])) { 
	setcookie("source", 0, time() + (60 * 60 * 24 * 7)); 
	} 
else { 
	if ($_COOKIE["source"] != 0) { 
		echo ""; // This source code is outputted here 
	} 
}

这个题用到了Hashpump,且由题意可知:

1.md5($secret."adminadmin")的值为571580b26c65f306376d4f64e53cb5c7(也就是抓包得到的sample-hash)
2.$secret是密文,长度为15,算上后面一个admin,长度为20
3.数据是admin,hash值是571580b26c65f306376d4f64e53cb5c7

已经知道必要的参数,使用hashpump(附加数据至少一位以上)

wreckingball@wreckingball-virtual-machine:~$ hashpump
Input Signature: 571580b26c65f306376d4f64e53cb5c7
Input Data: admin
Input Key Length: 20
Input Data to Add: doge
d2b831699b84d484289de96e7532eccf
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00doge 其中d2b831699b84d484289de96e7532eccf是一个新的hash值,把它设置到`cookie:getmein=d2b831699b84d484289de96e7532eccf`,将这里的\x换成%,提交`password= admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00doge` 。getflag  

0x02 hash200

这题得益于P神的一篇关于hash长度攻击的博客。按照博客上的讲述,百度并安装了hashpump(安装过程稍有曲折唉),具体过程如下:
01.截包找值

Cookie: sample-hash=be7413992c7e8541aa530688ddbbcc00    
这里md5($secret."adminadmin")=be7413992c7e8541aa530688ddbbcc00

02.稍微整理下我们已经知道的:

$secret是密文,长度为15,如果再算上后面第一个admin,长度就是20
而数据是admin
签名(哈希值)是be7413992c7e8541aa530688ddbbcc00

02.将截获的值结合网页源代码放进hashpump跑一下

wreckingball@wreckingball-virtual-machine:~$ hashpump
Input Signature: be7413992c7e8541aa530688ddbbcc00
Input Data: admin
Input Key Length: 20
Input Data to Add: doge
cc28c70b200c7f4e01383dcc11d75e5b
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00doge

03.其中输出第一行的字符串一个是新的签名,把它设置到cookies的getmein里,并且把后面的几行十六进制字符串里面的反斜杠和x换成%以post方式提交,getflag~

request:

POST /hash/ HTTP/1.1
Host: 192.168.211.14
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Cookie: getmein=cc28c70b200c7f4e01383dcc11d75e5b
Connection: close
Upgrade-Insecure-Requests: 1

username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00doge

response:

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Wed, 10 May 2017 15:34:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 92

Congratulations! You are a registered user.
The flag is SKCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

THANKS

取消

感谢您的支持,我会继续努力的!

扫码支持
扫码支持

^_^