实验吧ctf-web-让我进去(Hash长度扩展攻击)

骑猪看日落 2022-02-16 11:17 292阅读 0赞

### **解题链接：[http://ctf5.shiyanbar.com/web/kzhan.php][http_ctf5.shiyanbar.com_web_kzhan.php]** ###

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70][]

## ##

### **抓包：** ###

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1][]

## ##

### **尝试修改sourece值为1时，源码出现，如图：** ###

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2][]

$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
    $secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!
    
    $username = $_POST["username"];
    $password = $_POST["password"];
    
    if (!empty($_COOKIE["getmein"])) {
        if (urldecode($username) === "admin" && urldecode($password) != "admin") {
            if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
                echo "Congratulations! You are a registered user.\n";
                die ("The flag is ". $flag);
            }
            else {
                die ("Your cookies don't match up! STOP HACKING THIS SITE.");
            }
        } else {
            die ("You are not an admin! LEAVE.");
        }
    }
    
    setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
    
    if (empty($_COOKIE["source"])) {
        setcookie("source", 0, time() + (60 * 60 * 24 * 7));
    } else {
        if ($_COOKIE["source"] != 0) {
            echo ""; // This source code is outputted here
        }
    }

分析可知，用户名为admin，密码不能为admin，且cookie中getmein的值需要和md5($secret.urldecode(username . password)相等。才能通过验证。

**以下为有用信息：**

1.  secrect也就是密文的长度为15。
2.  md5($serect,”adminadmin”)的哈希。
3.  用户名为admin。

**整理下我们知道的数据：**

1.  secret的长度为15，再加上第一个admin就是20。
2.  哈希值为571580b26c65f306376d4f64e53cb5c7。
3.  data为第二个admin。
4.  add数据为任意。

### 这时候我们就可以使用HashPump了。 ###

[HashPump的安装及使用方法][HashPump]

![2019042215480417.png][]

**把内容中值反转一下，把\\x替换为%：**

admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00dyw

4a159f3519478f255d7b95df3cb036f8

**将其输入到cookie对应的参数getmein中，获得flag：**

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3][]

[http_ctf5.shiyanbar.com_web_kzhan.php]: http://ctf5.shiyanbar.com/web/kzhan.php
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70]: /images/20220216/d5f88605ce82473c8e9589d386d3f145.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1]: /images/20220216/d54661a042ce431ea76b98144d9f4b82.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2]: /images/20220216/a6b46927197a484dbe15004c1ebe1d5a.png
[HashPump]: https://blog.csdn.net/dyw_666666/article/details/89371741#flag%E5%9C%A8%E7%AE%A1%E7%90%86%E5%91%98%E6%89%8B%E9%87%8C%EF%BC%88Hash%E9%95%BF%E5%BA%A6%E6%89%A9%E5%B1%95%E6%94%BB%E5%87%BB%EF%BC%89
[2019042215480417.png]: /images/20220216/86f318e5f676478eb112827b47ae1198.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3]: /images/20220216/38eebbd6d6d94ff8bcff76b45f0d81eb.png