哈希长度扩展攻击

发表于 | 更新于: | 分类于 | 阅读次数: |
字数统计: 1.5k 字 | 阅读时长 ≈ 8 分钟

之前做web题碰到md5加密,都是直接用并不了解生成原理.做实验吧让我进来这道题利用了hash长度扩展攻击,那就来好好学习下吧.

hash摘要(md5为例)

Markdown

  1. 我要对字符串chenxiyuan进行MD5计算,首先转换成16进制

  2. 补位
    消息必须进行补位,满足消息长度对512取模于448.这里我要把补位到448bit,补位规则二进制下后面添一个1和n个0直到满足条件:len(message) % 512 == 448.那么16进制下就是先补8010000000,要补够448bit就是448/8==56,56byte.
    Markdown

  3. 补长度
    补位过后,还要继续填充8byte,储存的是补位之前的消息长度.chenxiyuan是10个字节,80bit,换算成16进制为0x50,然后再填7个字节的0x00.
    Markdown

  4. 计算消息摘要
    计算消息摘要必须用补位已经补长度完成之后的消息来进行运算,拿出 512bit的消息(即64字节). 计算消息摘要的时候,有一个初始的链变量,用来参与第一轮的运算.MD5的初始链变量为:A=0x67452301 B=0xefcdab89 C=0x98badcfe D=0x10325476
    具体的计算细节就不细说了,只要知道经过一次消息摘要后,上次的链变量会被新的值覆盖,而最后一轮产生的链变量高低位互换后就是计算出来的MD5值.

长度扩展攻击

攻击条件

$hash = md5($secret.$key):当我们知道一个$key和其对应的$hash以及$secret的长度时,我们就可以构造一个新的$key$hash满足条件,进而在不知道salt加密的情况下完成攻击.

示例

靶机
随便提交一下抓包,发现source=0,修改为1成功得到源码.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!

$username = $_POST["username"];
$password = $_POST["password"];

if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die ("The flag is ". $flag);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("You are not an admin! LEAVE.");
    }
}

setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));

if (empty($_COOKIE["source"])) {
    setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
    if ($_COOKIE["source"] != 0) {
        echo ""; // This source code is outputted here
    }
}

已知:md5($secret."adminadmin")=='571580b26c65f306376d4f64e53cb5c7',lenth($secret)==15
构造payload:
首先$secret.'adminadmin'字符串有25个字节,即200bit,按照上面的填充方法,先填充到56个字节\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00.再填8个字节,\xc8\x00\x00\x00\x00\x00\x00\x00,c8就是200.
拼接后url编码(将\x换成%)得到最终payload:

1
username=dmin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00chenxiyuan

然后贴个大佬的脚本跑:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# -*- coding: utf-8 -*-
# @Author: King kaki
# @Date:   2018-08-04 12:40:11
# @Last Modified by:   King kaki
# @Last Modified time: 2018-08-04 19:07:27
import math


F = lambda x, y, z: ((x & y) | ((~x) & z))
G = lambda x, y, z: ((x & z) | (y & (~z)))
H = lambda x, y, z: (x ^ y ^ z)
I = lambda x, y, z: (y ^ (x | (~z)))
L = lambda x, n: (((x << n) | (x >> (32 - n))) & (0xffffffff))
shi_1 = (7, 12, 17, 22) * 4
shi_2 = (5, 9, 14, 20) * 4
shi_3 = (4, 11, 16, 23) * 4
shi_4 = (6, 10, 15, 21) * 4
m_1 = (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
m_2 = (1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12)
m_3 = (5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2)
m_4 = (0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9)


def T(i):
	return (int(4294967296 * abs(math.sin(i)))) & 0xffffffff


def shift(shift_list):
	shift_list = [shift_list[3], shift_list[0], shift_list[1], shift_list[2]]
	return shift_list


def fun(fun_list, f, m, shi):
	count = 0
	global Ti_count
	while count < 16:
		xx = int(fun_list[0], 16) + f(int(fun_list[1], 16), int(fun_list[2], 16), int(fun_list[3], 16)) + int(m[count], 16) + T(Ti_count)
		xx &= 0xffffffff
		ll = L(xx, shi[count])
		fun_list[0] = hex((int(fun_list[1], 16) + ll) & 0xffffffff)
		fun_list = shift(fun_list)
		count += 1
		Ti_count += 1
	return fun_list


def gen_m16(order, ascii_list, f_offset):
	ii = 0
	m16 = [0] * 16
	f_offset *= 64
	for i in order:
		i *= 4
		m16[ii] = '0x' + ''.join((ascii_list[i + f_offset] + ascii_list[i + 1 + f_offset] + ascii_list[i + 2 + f_offset] + ascii_list[i + 3 + f_offset]).split('0x'))
		ii += 1
	for ind in range(len(m16)):
		m16[ind] = reverse_hex(m16[ind])
	return m16


def reverse_hex(hex_str):
	hex_str = hex_str[2:]
	if len(hex_str) < 8:
		hex_str = '0' * (8 - len(hex_str)) + hex_str
	hex_str_list = []
	for i in range(0, len(hex_str), 2):
		hex_str_list.append(hex_str[i:i + 2])
	hex_str_list.reverse()
	hex_str_result = '0x' + ''.join(hex_str_list)
	return hex_str_result


def show_result(f_list):
	result = ''
	f_list1 = [0] * 4
	for i in f_list:
		f_list1[f_list.index(i)] = reverse_hex(i)[2:]
		result += f_list1[f_list.index(i)]
	return result


def padding(input_m, msg_lenth=0):
	ascii_list = list(map(hex, map(ord, input_m)))
	msg_lenth += len(ascii_list) * 8
	ascii_list.append('0x80')
	for i in range(len(ascii_list)):
		if len(ascii_list[i]) < 4:
			ascii_list[i] = '0x' + '0' + ascii_list[i][2:]
	while (len(ascii_list) * 8 + 64) % 512 != 0:
		ascii_list.append('0x00')
	msg_lenth_0x = hex(msg_lenth)[2:]
	msg_lenth_0x = '0x' + msg_lenth_0x.rjust(16, '0')
	msg_lenth_0x_big_order = reverse_hex(msg_lenth_0x)[2:]
	msg_lenth_0x_list = []
	for i in range(0, len(msg_lenth_0x_big_order), 2):
		msg_lenth_0x_list.append('0x' + msg_lenth_0x_big_order[i: i + 2])
	ascii_list.extend(msg_lenth_0x_list)
	return ascii_list


def md5(input_m):
	global Ti_count
	Ti_count = 1
	abcd_list = ['0x67452301', '0xefcdab89', '0x98badcfe', '0x10325476']
	ascii_list = padding(input_m)
	for i in range(0, len(ascii_list) // 64):
		aa, bb, cc, dd = abcd_list
		order_1 = gen_m16(m_1, ascii_list, i)
		order_2 = gen_m16(m_2, ascii_list, i)
		order_3 = gen_m16(m_3, ascii_list, i)
		order_4 = gen_m16(m_4, ascii_list, i)
		abcd_list = fun(abcd_list, F, order_1, shi_1)
		abcd_list = fun(abcd_list, G, order_2, shi_2)
		abcd_list = fun(abcd_list, H, order_3, shi_3)
		abcd_list = fun(abcd_list, I, order_4, shi_4)
		output_a = hex((int(abcd_list[0], 16) + int(aa, 16)) & 0xffffffff)
		output_b = hex((int(abcd_list[1], 16) + int(bb, 16)) & 0xffffffff)
		output_c = hex((int(abcd_list[2], 16) + int(cc, 16)) & 0xffffffff)
		output_d = hex((int(abcd_list[3], 16) + int(dd, 16)) & 0xffffffff)
		abcd_list = [output_a, output_b, output_c, output_d]
		Ti_count = 1
		print(ascii_list)
	return show_result(abcd_list)


# md5-Length Extension Attack: 计算 md5(message + padding + suffix), res = md5(message), len_m = len(message)
def md5_lea(suffix, res, len_m):
	global Ti_count
	Ti_count = 1
	abcd_list = []
	for i in range(0, 32, 8):
		abcd_list.append(reverse_hex('0x' + res[i: i + 8]))
	ascii_list = padding(suffix, (len_m + 72) // 64 * 64 * 8)  # len(message + padding) * 8
	for i in range(0, len(ascii_list) // 64):
		aa, bb, cc, dd = abcd_list
		order_1 = gen_m16(m_1, ascii_list, i)
		order_2 = gen_m16(m_2, ascii_list, i)
		order_3 = gen_m16(m_3, ascii_list, i)
		order_4 = gen_m16(m_4, ascii_list, i)
		abcd_list = fun(abcd_list, F, order_1, shi_1)
		abcd_list = fun(abcd_list, G, order_2, shi_2)
		abcd_list = fun(abcd_list, H, order_3, shi_3)
		abcd_list = fun(abcd_list, I, order_4, shi_4)
		output_a = hex((int(abcd_list[0], 16) + int(aa, 16)) & 0xffffffff)
		output_b = hex((int(abcd_list[1], 16) + int(bb, 16)) & 0xffffffff)
		output_c = hex((int(abcd_list[2], 16) + int(cc, 16)) & 0xffffffff)
		output_d = hex((int(abcd_list[3], 16) + int(dd, 16)) & 0xffffffff)
		abcd_list = [output_a, output_b, output_c, output_d]
		Ti_count = 1
	# print(ascii_list)
	return show_result(abcd_list)



if __name__ == '__main__':
	print(md5_lea('chenxiyuan','571580b26c65f306376d4f64e53cb5c7',15))

抓包添加getmein=994ef981b26dd24cd67d001088e34e24,即可得到flag
Markdown

总结

作为web狗,还是有必要点点其他方向的技能树的.
参考了几位大佬的博客:
kingkk
seaii
Sp4rkW