10. Let Me In (让我进去) – 11846238 – 51CTO Tech Blog

Opening the page, nothing happens no matter what we type. Falling back on the usual approach, we view the source, and it looks fine as well. Remembering the hint given with the challenge, we inspect the HTTP exchange and notice that the cookie looks suspicious:

Let's try changing it to 1:

Auditing the code, we find that three nested if checks have to pass before the flag is returned:

1. Whether getmein has already been set in the cookie

2. The username is admin and the password is not admin

3. The cookie value matches the MD5 hash the server computes

The first two are easy to pass; the third is a hash length extension attack. For the details, go and read the references below; I spent a long time on them myself:

http://www.freebuf.com/articles/web/69264.html

http://blog.csdn.net/syh_486_007/article/details/51228628

http://www.freebuf.com/articles/web/31756.html

I won't go into the specifics here. First, construct the value that has to be hashed:

From the screenshot above we know the unknown quantity (the secret) is 15 characters long; we simply substitute x for it:

key='x'*15+'adminadmin'+'\x80'+'\x00'*30+'\xc8'+'\x00'*7

The first 15 characters are stand-ins; any other characters would work just as well.

The first admin is what is entered as the username.

The second admin and everything after it goes into the password field (note: replace \x with %, because PHP performs one more round of URL decoding).

\xc8 is 25 (the length of the preceding characters) * 8 bits, converted to hexadecimal. This is the low byte of the 64-bit message length that MD5 appends in little-endian order, which is why it comes first and is followed by seven zero bytes.

Finally, the corresponding Python library (found online):

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: DshtAnger
# theory reference:
# blog:
# http://blog.csdn.net/adidala/article/details/28677393
# http://blog.csdn.net/forgotaboutgirl/article/details/7258109
# http://blog.sina.com.cn/s/blog_6fe0eb1901014cpl.html
# RFC1321:
# https://www.rfc-editor.org/rfc/pdfrfc/rfc1321.txt.pdf
##############################################################################
# Editor's note: the pasted listing lost everything between the middle of
# reverse_hex_8bytes and the tail of RL. deal_rawInputMsg, getM16, RL and
# F/G/H/I below are reconstructed from how the surviving code and the calling
# script use them (they follow the RFC 1321 definitions), and the whole file
# has been moved to Python 3 with M[0..15] indexing instead of exec.
import struct


def genMsgLengthDescriptor(msg_bitsLenth):
    '''
    --args:
        msg_bitsLenth: the bit length of the raw message
    --return:
        16 hex characters, i.e. 64 bits / 8 bytes, describing the bit length of
        the raw message; appended after the padding
    '''
    return struct.pack(">Q", msg_bitsLenth).hex()


def reverse_hex_8bytes(hex_str):
    '''
    --args:
        hex_str: a hex-encoded string of length 16, i.e. 8 bytes
    --return:
        the raw message length descriptor transformed to little-endian
    '''
    hex_str = "%016x" % int(hex_str, 16)
    assert len(hex_str) == 16
    return struct.pack("<Q", int(hex_str, 16)).hex()


def deal_rawInputMsg(input_msg):
    '''
    (reconstructed)
    --args:
        input_msg: the raw message, as str (one char per byte, latin-1) or bytes
    --return:
        hex-encoded padded message: message, 0x80, zero bytes up to 56 mod 64,
        then the little-endian 64-bit bit length; each block is 128 hex chars
    '''
    if isinstance(input_msg, str):
        input_msg = input_msg.encode("latin-1")
    msg_hex = input_msg.hex()
    msg_hex += "80"
    msg_hex += "00" * ((55 - len(input_msg)) % 64)
    msg_hex += reverse_hex_8bytes(genMsgLengthDescriptor(len(input_msg) * 8))
    assert len(msg_hex) % 128 == 0
    return msg_hex


def getM16(readyMsg, i):
    '''
    (reconstructed)
    --args:
        readyMsg: hex-encoded padded message from deal_rawInputMsg
        i: 1-based index of the 64-byte block to fetch
    --return:
        the 16 little-endian 32-bit words M[0..15] of that block
    '''
    block = bytes.fromhex(readyMsg[(i - 1) * 128:i * 128])
    return list(struct.unpack("<16I", block))


# the four auxiliary functions of RFC 1321 section 3.4 (reconstructed)
def F(x, y, z):
    return (x & y) | ((~x) & z)

def G(x, y, z):
    return (x & z) | (y & (~z))

def H(x, y, z):
    return x ^ y ^ z

def I(x, y, z):
    return y ^ (x | (~z))

def RL(x, n):
    # rotate the 32-bit value x left by n bits
    x &= 0xffffffff
    return ((x << n) | (x >> (32 - n))) & 0xffffffff


def FF(a, b, c, d, x, s, ac):
    a = (a + F(b, c, d) + x + ac) & 0xffffffff
    a = RL(a, s)
    return (a + b) & 0xffffffff

def GG(a, b, c, d, x, s, ac):
    a = (a + G(b, c, d) + x + ac) & 0xffffffff
    a = RL(a, s)
    return (a + b) & 0xffffffff

def HH(a, b, c, d, x, s, ac):
    a = (a + H(b, c, d) + x + ac) & 0xffffffff
    a = RL(a, s)
    return (a + b) & 0xffffffff

def II(a, b, c, d, x, s, ac):
    a = (a + I(b, c, d) + x + ac) & 0xffffffff
    a = RL(a, s)
    return (a + b) & 0xffffffff


def show_md5(A, B, C, D):
    # each state word is emitted little-endian, giving the usual hex digest
    return struct.pack("<4I", A, B, C, D).hex()


def run_md5(A=0x67452301, B=0xefcdab89, C=0x98badcfe, D=0x10325476, readyMsg=""):
    '''
    --args:
        A, B, C, D: chaining state; the defaults are the MD5 IV, pass the four
                    words of a known digest instead to continue from it
        readyMsg: hex-encoded, already padded message (128 hex chars per block)
    --return:
        the hex digest
    '''
    for i in range(len(readyMsg) // 128):
        M = getM16(readyMsg, i + 1)
        a, b, c, d = A, B, C, D
        # First round
        a = FF(a, b, c, d, M[0], 7, 0xd76aa478)
        d = FF(d, a, b, c, M[1], 12, 0xe8c7b756)
        c = FF(c, d, a, b, M[2], 17, 0x242070db)
        b = FF(b, c, d, a, M[3], 22, 0xc1bdceee)
        a = FF(a, b, c, d, M[4], 7, 0xf57c0faf)
        d = FF(d, a, b, c, M[5], 12, 0x4787c62a)
        c = FF(c, d, a, b, M[6], 17, 0xa8304613)
        b = FF(b, c, d, a, M[7], 22, 0xfd469501)
        a = FF(a, b, c, d, M[8], 7, 0x698098d8)
        d = FF(d, a, b, c, M[9], 12, 0x8b44f7af)
        c = FF(c, d, a, b, M[10], 17, 0xffff5bb1)
        b = FF(b, c, d, a, M[11], 22, 0x895cd7be)
        a = FF(a, b, c, d, M[12], 7, 0x6b901122)
        d = FF(d, a, b, c, M[13], 12, 0xfd987193)
        c = FF(c, d, a, b, M[14], 17, 0xa679438e)
        b = FF(b, c, d, a, M[15], 22, 0x49b40821)
        # Second round
        a = GG(a, b, c, d, M[1], 5, 0xf61e2562)
        d = GG(d, a, b, c, M[6], 9, 0xc040b340)
        c = GG(c, d, a, b, M[11], 14, 0x265e5a51)
        b = GG(b, c, d, a, M[0], 20, 0xe9b6c7aa)
        a = GG(a, b, c, d, M[5], 5, 0xd62f105d)
        d = GG(d, a, b, c, M[10], 9, 0x02441453)
        c = GG(c, d, a, b, M[15], 14, 0xd8a1e681)
        b = GG(b, c, d, a, M[4], 20, 0xe7d3fbc8)
        a = GG(a, b, c, d, M[9], 5, 0x21e1cde6)
        d = GG(d, a, b, c, M[14], 9, 0xc33707d6)
        c = GG(c, d, a, b, M[3], 14, 0xf4d50d87)
        b = GG(b, c, d, a, M[8], 20, 0x455a14ed)
        a = GG(a, b, c, d, M[13], 5, 0xa9e3e905)
        d = GG(d, a, b, c, M[2], 9, 0xfcefa3f8)
        c = GG(c, d, a, b, M[7], 14, 0x676f02d9)
        b = GG(b, c, d, a, M[12], 20, 0x8d2a4c8a)
        # Third round
        a = HH(a, b, c, d, M[5], 4, 0xfffa3942)
        d = HH(d, a, b, c, M[8], 11, 0x8771f681)
        c = HH(c, d, a, b, M[11], 16, 0x6d9d6122)
        b = HH(b, c, d, a, M[14], 23, 0xfde5380c)
        a = HH(a, b, c, d, M[1], 4, 0xa4beea44)
        d = HH(d, a, b, c, M[4], 11, 0x4bdecfa9)
        c = HH(c, d, a, b, M[7], 16, 0xf6bb4b60)
        b = HH(b, c, d, a, M[10], 23, 0xbebfbc70)
        a = HH(a, b, c, d, M[13], 4, 0x289b7ec6)
        d = HH(d, a, b, c, M[0], 11, 0xeaa127fa)
        c = HH(c, d, a, b, M[3], 16, 0xd4ef3085)
        b = HH(b, c, d, a, M[6], 23, 0x04881d05)
        a = HH(a, b, c, d, M[9], 4, 0xd9d4d039)
        d = HH(d, a, b, c, M[12], 11, 0xe6db99e5)
        c = HH(c, d, a, b, M[15], 16, 0x1fa27cf8)
        b = HH(b, c, d, a, M[2], 23, 0xc4ac5665)
        # Fourth round
        a = II(a, b, c, d, M[0], 6, 0xf4292244)
        d = II(d, a, b, c, M[7], 10, 0x432aff97)
        c = II(c, d, a, b, M[14], 15, 0xab9423a7)
        b = II(b, c, d, a, M[5], 21, 0xfc93a039)
        a = II(a, b, c, d, M[12], 6, 0x655b59c3)
        d = II(d, a, b, c, M[3], 10, 0x8f0ccc92)
        c = II(c, d, a, b, M[10], 15, 0xffeff47d)
        b = II(b, c, d, a, M[1], 21, 0x85845dd1)
        a = II(a, b, c, d, M[8], 6, 0x6fa87e4f)
        d = II(d, a, b, c, M[15], 10, 0xfe2ce6e0)
        c = II(c, d, a, b, M[6], 15, 0xa3014314)
        b = II(b, c, d, a, M[13], 21, 0x4e0811a1)
        a = II(a, b, c, d, M[4], 6, 0xf7537e82)
        d = II(d, a, b, c, M[11], 10, 0xbd3af235)
        c = II(c, d, a, b, M[2], 15, 0x2ad7d2bb)
        b = II(b, c, d, a, M[9], 21, 0xeb86d391)

        # add this block's result into the chaining state
        A = (A + a) & 0xffffffff
        B = (B + b) & 0xffffffff
        C = (C + c) & 0xffffffff
        D = (D + d) & 0xffffffff

    return show_md5(A, B, C, D)
 

Then write a script that calls it:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: DshtAnger
import my_md5
# reference:
# http://www.freebuf.com/articles/web/69264.html
# problem link:
# http://ctf4.shiyanbar.com/web/kzhan.php
samplehash = "571580b26c65f306376d4f64e53cb5c7"
# split the known hash into four 4-byte pieces and byte-swap each piece to
# little-endian; they replace the four initial magic numbers for the second
# 64-step compression (equivalent to struct.unpack("<4I", bytes.fromhex(samplehash)))
s1 = 0xb2801557
s2 = 0x06f3656c
s3 = 0x644f6d37
s4 = 0xc7b53ce5
# exp
secret = "a" * 15  # stand-in for the unknown 15-byte secret; any 15 characters will do
secret_admin = "xxxxxxxxxxxxxxx" + "adminadmin" + '\x80' + '\x00' * 30 + '\xc8' + '\x00' * 7 + "admin"

r = my_md5.deal_rawInputMsg(secret_admin)
inp = r[len(r) // 2:]  # the second block: where we cut in, and the part we control
# print(r)
# print(inp)
print("getmein:" + my_md5.run_md5(s1, s2, s3, s4, inp))

# the password field: \x becomes % because PHP decodes it once more
print("admin" + '%80' + '%00' * 30 + '%c8' + '%00' * 7 + "admin")

and we get the result.
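To make the mechanism above checkable end to end, here is an added example (it is not code from the original post or from DshtAnger's script). It implements MD5 in a compact table-driven form, builds the glue padding from the known length exactly as the \x80 ... \xc8 construction above does, resumes the compression from the digest words, and then verifies the forged digest against hashlib. It also runs the same attempt against HMAC-MD5 to show the construction a server should use instead. SECRET (15 bytes, like the challenge's secret), the data string and the extension are constructed for the demo; the attacker path never reads SECRET, only its length.

```python
# Added example: MD5 length extension against tag = md5(secret || data),
# verified against hashlib, and the same attempt against HMAC-MD5.
import hashlib
import hmac
import struct

# MD5 round constants, in the order the FF/GG/HH/II calls above use them
K = [
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
MASK = 0xffffffff


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_compress(state, block):
    """Absorb one 64-byte block into the chaining state (A, B, C, D)."""
    M = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """Bytes MD5 appends to a total_len-byte message: 0x80, zeros up to
    56 mod 64, then the bit length as a little-endian 64-bit integer.
    For total_len == 25 this is the \\x80, 30 zeros, \\xc8, 7 zeros above."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def md5_hex(data, state=IV, already_hashed=0):
    """MD5 of data. With state and already_hashed set, continues a hash whose
    first already_hashed bytes (a multiple of 64) produced that state."""
    padded = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


def length_extend(known_hex, known_len, extension):
    """From md5(secret||data) and known_len = len(secret) + len(data), compute
    md5(secret||data||glue||extension) without the secret. Returns the forged
    digest and the bytes (glue||extension) the server must see appended."""
    glue = md5_padding(known_len)
    state = struct.unpack("<4I", bytes.fromhex(known_hex))  # digest words become the IV
    forged = md5_hex(extension, state, known_len + len(glue))
    return forged, glue + extension


SECRET = b"x" * 15  # constructed stand-in for the server's 15-byte secret


def naive_tag(data):
    """The weak construction the challenge uses: md5(secret || data)."""
    return hashlib.md5(SECRET + data).hexdigest()


def hmac_tag(data):
    """The fix: HMAC (here HMAC-MD5); the outer hash hides the inner state."""
    return hmac.new(SECRET, data, hashlib.md5).hexdigest()


def demo():
    """Returns (naive_accepts_forgery, hmac_accepts_forgery)."""
    data, ext = b"adminadmin", b"admin"
    known_len = len(SECRET) + len(data)  # 25, as in the writeup
    forged, suffix = length_extend(naive_tag(data), known_len, ext)
    naive_ok = hmac.compare_digest(forged, naive_tag(data + suffix))
    forged_h, suffix_h = length_extend(hmac_tag(data), known_len, ext)
    hmac_ok = hmac.compare_digest(forged_h, hmac_tag(data + suffix_h))
    return naive_ok, hmac_ok


if __name__ == "__main__":
    naive_ok, hmac_ok = demo()
    print("md5(secret||data) accepts the forged tag:", naive_ok)
    print("HMAC-MD5 accepts the forged tag:", hmac_ok)
```

The server-side lesson is the second half of demo(): a keyed hash of the form H(secret || data) leaks its full internal state in the digest, so anyone holding one valid tag can keep hashing; HMAC (or a SHA-3 / BLAKE2 keyed mode) does not, and the check should use hmac.compare_digest rather than a plain string comparison.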

I read a lot of related material for this challenge and basically understand it, but I haven't gone through the MD5 implementation itself, so there are probably many mistakes; please point them out if you spot any. Thank you!

This article is from the “11846238” blog; please keep this attribution: http://11856238.blog.51cto.com/11846238/1948336
