[CTF]No.0003 哈希长度扩展攻击以及HashPump

哈希长度扩展攻击以及HashPump

来源：群里的朋友
类别： 哈希长度扩展攻击、源码泄漏
来源：http://www.moonsos.com/post/256.html
用到工具：Linux 、 HashPump

题目:无
CTF地址：http://115.28.78.16:10026/hash/
百度网盘下载：（暂无）

进入地址

进入地址，返回一片空白。查看Header

Ip: 115.28.78.16
Request URL: http://115.28.78.16:10026/hash/
Request Method: POST
Status Code: 200 OK
Request Proto: HTTP/1.1

Request Header
Content-Type:application/x-www-form-urlencoded;

Response Header
Date:Sun, 20 Aug 2017 15:05:22 GMT;
Vary:Accept-Encoding;
Set-Cookie:hint=295c2a4121224809b6576ab695d10b439a2a85b5; expires=Sun, 27-Aug-2017 15:05:22 GMT;
Server:nginx;
Connection:keep-alive;
X-Powered-By:PHP/5.4.41;
Content-Type:text/html;

找源码

在 http://115.28.78.16:10026/hash/.index.php.swp 可以看到源码

$flag = 'flag{????}'; $salt = '???????????????'; $username = $_POST["username"]; $password = $_POST["password"]; if (!empty($_COOKIE["token"])) { if (urldecode($username) === "admin" && urldecode($password) != "admin") { if ($COOKIE["token"] === sha1($salt . urldecode($username . $password))) { echo "Congratulations! You are a registered user.\n"; die ("The flag is ". $flag); } else { die ("Your cookies don't match up! STOP HACKING THIS SITE."); } } else { die ("You are not an admin! LEAVE."); } } setcookie("hint", sha1($salt . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7)); ?> 

自行格式化

$flag = 'flag{????}'; 
$salt = '???????????????';
 $username = $_POST["username"]; 
 $password = $_POST["password"]; 
 if (!empty($_COOKIE["token"])) 
    { 
        if (urldecode($username) === "admin" && urldecode($password) != "admin")
        { 
            if ($COOKIE["token"] === sha1($salt . urldecode($username . $password))) 
            { 
                    echo "Congratulations! You are a registered user.\n"; die ("The flag is ". $flag); 
            }else {
                die ("Your cookies don't match up! STOP HACKING THIS SITE."); 
            } 
        } else { 
            die ("You are not an admin! LEAVE."); 
        } 
} 
 setcookie("hint", sha1($salt . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
 ?> 

分析源码

进入地址时，$_COOKIE["token"] 为空的时候就返回一个由$salt . urldecode("admin" . "admin")经过SHA1加密的哈希值。如果$_COOKIE["token"] 不为空，则 进行一系列的判断。

揭密

由cookies可以看出：hint=295c2a4121224809b6576ab695d10b439a2a85b5;,扔到SHA1解密的网站解码失败，于是通过百度搜索找到几篇类似的文章（文章在下面给出）。
于是进入centOS（LINUX系统）
安装HashPump进行攻击：

git clone https://github.com/bwall/HashPump
yum install g++ libssl-dev
#apt-get install g++ libssl-dev
cd HashPump
make
make install

Python未测试：

pip install hashpumpy

运行HashPump

[root@iZuf6c363gqa4g5ecbbcdbZ ~]# hashpump
Input Signature: 295c2a4121224809b6576ab695d10b439a2a85b5
Input Data: admin
Input Key Length: 20
Input Data to Add: sb
2ee42cea7ef6c7ff586e06395ce316a243efd424
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8sb

把\x替换为%，然后把POST中的password改为下面的值，token取上面2ee42cea7ef6c7ff586e06395ce316a243efd424

讲解：

Input Signature 为COOKIES中hint的值
Input Data 为用户名
Input Key Length: 为长度(20为上面15个“？”号+admin的长度=20)
Input Data to Add: 为密码（自定义，除了admin）
至于为什么分开呢？我也不知道

提交

Ip: 115.28.78.16
Request URL: http://115.28.78.16:10026/hash/
Request Method: POST
Status Code: 200 OK
Request Proto: HTTP/1.1

Request Header
Cookie:token=2ee42cea7ef6c7ff586e06395ce316a243efd424;
Content-Type:application/x-www-form-urlencoded;
username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8sb

Response Header
Content-Type:text/html;
X-Powered-By:PHP/5.4.41;
Server:nginx;
Date:Sun, 20 Aug 2017 14:53:17 GMT;
Connection:keep-alive;
Vary:Accept-Encoding;

返回文本：

Congratulations! You are a registered user.
The flag is flag{ohyes_flag}

破解成功

参考

哈希长度扩展攻击以及HashPump
校赛 writeup
http://www.cnblogs.com/pcat/p/5478509.html