baby-crtpto:
阅读源码发现程序首先要求我们输入username和password,然后对cookie“admin:0;username:%s;password:%s"做aes-cbc加密,然后计算sha1(key+cookie),最后将AES-cbc的iv,密文和sha1的值连接在一起返回给我们。要求我们输入相同形式的字符串,并要求cookie中存在"admin"="1"且验证sha1。这里我们首先做sha1扩展攻击,可以使用https://github.com/stephenbradshaw/hlextend中的工具得到存在admin:1;的字符串和相应的sha1值,由于我们知道iv,我们可以使用aes-cbc字节反转获得我们刚刚得到字符串对应密文。这时就完成该题
random:
使用Pohlig-Hellman算法,具体可参见https://www.colabug.com/4577607.html
baby-aes
import pickle
PGF2.<a> = PolynomialRing(GF(2))
f = a^8 + a^4 + a^3 + a + 1 # Rijndael Polynomial
F.<x> = GF(2^8, modulus=f)
def toint32(x):
x = x.list()
x = [ZZ(e.polynomial().coeffs(), 2) for e in x]
return int(x[3] | (x[2] << 8) | (x[1] << 16) | (x[0] << 24))
P.<t> = PolynomialRing(F)
m = t^4 + 1
R.<u> = P.quo(m)
c = R([F(8.bits()), F(9.bits()), F(7.bits()), F(5.bits())])
c_inv = 1 / c
T_inv = [[ toint32(c_inv * (F(ZZ(i).bits()) * u^p)) for i in range(256)] for p in range(4)]
with open('inv.pkl', 'wb') as f:
pickle.dump(T_inv, f)f(x):
# sagemath
import random
import multiprocessing as mp
from tqdm import tqdm, trange
from problem import enc
sz = 0x101
def worker(i):
e = enc[:]
rand = random.Random()
rand.shuffle(e)
x, y = zip(*e)
dens = []
for i in trange(sz):
den = prod([x[i] - x[j] for j in range(sz) if i != j])
dens.append(den)
g = gcd(dens)
dens = [den / g for den in tqdm(dens)]
Z = prod(dens)
nums = [y * (Z / den) for y, den in tqdm(zip(y, dens), total=len(dens))]
num = sum(tqdm(nums))
return num
pool = mp.Pool(24)
result = []
for n in pool.imap_unordered(worker, range(24)):
result.append(n)# sagemath
import libnum
from problem import enc
m = 81923...97099
F = IntegerModRing(m)
x, y = zip(*enc)
x, y = vector(F, x), vector(F, y)
print('Building vandermonde matrix')
M = Matrix.vandermonde(x)
print('Solving equations - this step takes several minutes')
z = M.solve_right(y)
print(repr(libnum.n2s(int(z[0]))))
504
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
