Hash length extension attack and HashPump usage (repost)


I read an article about this a long time ago and ran into it again yesterday.

References:
https://www.cnblogs.com/gwind/p/8025130.html
https://www.freebuf.com/column/186288.html

<?php

$flag = "flag{flag is here}";
$secret = "aaaaabbbbbccccc"; // This secret is 15 characters long for security!
print_r("<br>");
print_r(md5($secret."adminadmin"));
print_r("<br>");
print_r(md5($secret . urldecode("admin" . "admin")));
print_r("<br>");
@$username = $_POST["username"];
@$password = $_POST["password"];
print_r($username);
if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
		print_r($password);
		print_r("<br>");
		print(md5($secret . urldecode($username . $password)));
		print_r("<br>");
        if ($_COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die ("The flag is ". $flag);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("You are not an admin! LEAVE.");
    }
}

setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));


if (empty($_COOKIE["source"])) {
    setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
    if ($_COOKIE["source"] != 0) {
        echo ""; // This source code is outputted here
    }
}
?>

Installing HashPump:

git clone https://github.com/bwall/HashPump
apt-get install g++ libssl-dev
cd HashPump
make
make install

1. The sample cookie gives away a hash of the secret followed by a known message:

setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));

$secret = "aaaaabbbbbccccc";
print_r(md5($secret."adminadmin")); // e2c25a7f7fd42f0f03194d7258fbcdb6

2. Work out the lengths: the secret is 15 bytes and "admin" is 5 bytes, so the secret plus username form the key, and the password is the part that gets padded.

3. Using the hashpump tool

root@kali:~/shentou# hashpump
Input Signature: e2c25a7f7fd42f0f03194d7258fbcdb6
Input Data: admin
Input Key Length: 20
Input Data to Add: 1
479706f076e8c16e5bb7252d4f042e13
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x001

4. Convert the \x escapes to %

root@kali:~# echo "admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x001" | tr "\x" '%'
admin\%80\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%c8\%00\%00\%00\%00\%00\%00\%001

>>> strings="admin\%80\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%00\%c8\%00\%00\%00\%00\%00\%00\%001"
>>> print(strings.replace("\\",""))
admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%001
>>>

5. Chrome's EditThisCookie extension (quite handy)

Add the getmein parameter to the cookies.
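The padding hashpump printed in step 3 and the percent-encoding of step 4 can be reproduced directly from the MD5 padding rule, and the same script shows why md5($secret . $data) is extendable and what the fixed check looks like. This is an added example, not code from the original post or from HashPump; the secret and username are the constructed values from the challenge source above, and the function names are my own.

```python
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed values taken from the challenge source above (not a real deployment).
SECRET = b"aaaaabbbbbccccc"   # 15 bytes, unknown to the client
USERNAME = b"admin"           # 5 bytes: secret + username = 20 = hashpump's "Input Key Length"


def md5_glue_padding(message_len: int) -> bytes:
    # MD5 pads a message with 0x80, zero bytes up to 56 mod 64, then the bit length
    # as a 64-bit little-endian integer. For 20 + 5 = 25 bytes that is 0x80, 30 zero
    # bytes and 0xc8 (= 200 bits) followed by 7 zero bytes: the bytes hashpump printed.
    zeros = (55 - message_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", message_len * 8)


def extended_password(known_password: bytes, key_len: int, appended: bytes) -> bytes:
    # The password value from step 3: known data, glue padding, then the appended data.
    # After secret + username + this value, the original block boundary falls exactly
    # before `appended`, which is what makes the hash resumable.
    return known_password + md5_glue_padding(key_len + len(known_password)) + appended


def url_encode_bytes(data: bytes) -> str:
    # Percent-encode every non-alphanumeric byte (one step instead of tr + replace).
    # quote() emits uppercase hex; PHP's urldecode accepts either case.
    return quote(data, safe="")


def vulnerable_tag(secret: bytes, data: bytes) -> str:
    # The challenge's scheme: the digest is MD5's complete internal state after
    # secret + data, so anyone holding it can keep hashing without the secret.
    return hashlib.md5(secret + data).hexdigest()


def hmac_tag(secret: bytes, data: bytes) -> str:
    # The fix: HMAC hashes twice with the key, so the tag is not a resumable state.
    return hmac.new(secret, data, hashlib.md5).hexdigest()


def tag_matches(expected: str, presented: str) -> bool:
    # Constant-time comparison; the challenge's === leaks nothing here but is a habit to drop.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    forged = extended_password(b"admin", len(SECRET) + len(USERNAME), b"1")
    print(url_encode_bytes(forged))                  # the password value used in step 5
    print(vulnerable_tag(SECRET, USERNAME + forged))  # server-side md5($secret . $username . $password)
    print(hmac_tag(SECRET, USERNAME + forged))        # what the check should compute instead
```

With the secret known, as in the challenge's debug prints, the second printed line is the value the server compares the getmein cookie against, which can be checked against the new signature hashpump reported.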

2019.9.9
