threst's Blog

isccwp

writeup
2018/05/12 Share

iscc

hashdump长度碰撞

<?php
include "secret.php";`
@$username=(string)$_POST['username'];
function enc($text){
    global $key;
    return md5($key.$text);
}
if(enc($username) === $_COOKIE['verify']){
    if(is_numeric(strpos($username, "admin"))){
        die($flag);
    }
    else{
        die("you are not admin");
    }
}
else{
    setcookie("verify", enc("guest"), time()+60*60*24*7);
    setcookie("len", strlen($key), time()+60*60*24*7);
}
show_source(__FILE__);

要要注意这个$key的长度根据返回包的len参数为46,所以hashdump长度输入46,在本地测试可以把inlcude这行删掉,自己定义$key,$flag

逆向第一题

[原题wp]:(https://blog.csdn.net/xiangshangbashaonian/article/details/79575062)

openssl rsa -pubin -text -modulus -in warmup -in public.key
Public-Key: (256 bit)
Modulus:
    00:d9:9e:95:22:96:a6:d9:60:df:c2:50:4a:ba:54:
    5b:94:42:d6:0a:7b:9e:93:0a:ff:45:1c:78:ec:55:
    d5:55:eb
Exponent: 65537 (0x10001)
Modulus=D99E952296A6D960DFC2504ABA545B9442D60A7B9E930AFF451C78EC55D555EB
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhANmelSKWptlg38JQSrpUW5RC1gp7npMK
/0UceOxV1VXrAgMBAAE=
-----END PUBLIC KEY-----`
python一下
a = 0xd99e952296a6d960dfc2504aba545b9442d60a7b9e930aff451c78ec55d555eb
print a = 98432079271513130981267919056149161631892822707167177858831841699521774310891L

放到这个[网站]上面试试分解(http://factordb.com/index.php)
最终代码:

#coding:utf-8   
import gmpy   
import rsa   
p = 302825536744096741518546212761194311477   
q = 325045504186436346209877301320131277983   
n = 98432079271513130981267919056149161631892822707167177858831841699521774310891   
e = 65537   
d = int(gmpy.invert(e , (p-1) * (q-1)))   
privatekey = rsa.PrivateKey(n , e , d , p , q)      #根据已知参数,计算私钥   
with open("encrypted.message1" , "rb") as f:   
    print(rsa.decrypt(f.read(), privatekey).decode())       #使用私钥对密文进行解密,并打印   
with open("encrypted.message2" , "rb") as f:   
    print(rsa.decrypt(f.read(), privatekey).decode())       #使用私钥对密文进行解密,并打印   
with open("encrypted.message3" , "rb") as f:   
    print(rsa.decrypt(f.read(), privatekey).decode())       #使用私钥对密文进行解密,并打印

iscc cbc翻转攻击

打开网页查看注释提示tips:index.txt
打开index.txt
看到源码,审计一波

<?php
include 'sqlwaf.php';
define("SECRET_KEY", "................");
define("METHOD", "aes-128-cbc");
session_start();
function get_random_iv(){
    $iv='';
    for($i=0;$i<16;$i++){
        $iv.=chr(rand(1,255));
    }
    return $iv;
}
function login($info){
    $iv=get_random_iv();
    $plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    $_SESSION['username'] = $info['username'];
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}
function show_homepage(){
    if ($_SESSION["username"]==='admin'){
        echo '<p>Hello admin</p>';
        echo '<p>Flag is ****</p>';
    }else{
        echo '<p>hello '.$_SESSION['username'].'</p>';
        echo '<p>Only admin can see flag</p>';
    }
    echo '<p><a href="loginout.php">Log out</a></p>';
    die();
}
function check_login(){
    if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
            $info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");
            $_SESSION['username'] = $info['username'];
        }else{
            die("ERROR!");
        }
    }
}
if (isset($_POST['username'])&&isset($_POST['password'])) {
  $username=waf((string)$_POST['username']);
  $password=waf((string)$_POST['password']);
  if($username === 'admin'){
        exit('<p>You are not real admin!</p>');
    }else{
        $info = array('username'=>$username,'password'=>$password);
        login($info);
        show_homepage();
    }
}
else{
  if(isset($_SESSION["username"])){
        check_login();
        show_homepage();
    }
}
?>

开始我们尝试直接username=admin,password=admin结果输出You are not real admin!
因为这行代码判断username不能为admin
if($username === ‘admin’){
exit(‘

You are not real admin!

‘);
此题与这题相似
存在index.php.swp,
vim -r index.php.swp
继续iscc
首先发送xdmin,12345,在返回包里存在iv,cipher参数

import base64
import requests
import urllib
iv_raw='%2F8iEm4jh%2BjbgVGwlQ31ycg%3D%3D'  #这里填写第一次返回的iv值
cipher_raw='8WdhbPxjZy9xYAgoCeghiOUQu0ri1Y3dv7cX44MbvOfIC6zZxCbR%2FPFpeMatL5qIgT%2BYA66tIdCBpxtWsWxV9Q%3D%3D'  #这里填写第一次返回的cipher值
print "[*]原始iv和cipher"
print "iv_raw:  " + iv_raw
print "cipher_raw:  " + cipher_raw
print "[*]对cipher解码,进行反转"
cipher = base64.b64decode(urllib.unquote(cipher_raw))
#a:2:{s:8:"username";s:5:"zdmin";s:8:"password";s:5:"12345"}
#s:2:{s:8:"userna
#me";s:5:"zdmin";
#s:8:"password";s
#:3:"12345";}
xor_cipher = cipher[0:9] +  chr(ord(cipher[9]) ^ ord('m') ^ ord('a')) + cipher[10:]  #请根据你的输入自行更改,原理看上面的介绍
xor_cipher=urllib.quote(base64.b64encode(xor_cipher))
print "反转后的cipher:" + xor_cipherost

包中的cookie中添加iv,cipher,iv的参数用放回包中的,cipher使用反转后的cipher,再发包
可以看见返回包中有串base64_decode()

import base64
import urllib
cipher = 'Bc6oENSSAEPpPdv/rbqRZG1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjU6IjEyMzQ1Ijt9'#填写提交后所得的无法反序列化密文
iv = '%2F8iEm4jh%2BjbgVGwlQ31ycg%3D%3D'#一开始提交的iv
#cipher = urllib.unquote(cipher)
cipher = base64.b64decode(cipher)
iv = base64.b64decode(urllib.unquote(iv))
newIv = ''
right = 'a:2:{s:8:"userna'#被损坏前正确的明文
for i in range(16):
    newIv += chr(ord(right[i])^ord(iv[i])^ord(cipher[i])) #这一步相当于把原来iv中不匹配的部分修改过来
print urllib.quote(base64.b64encode(newIv))

解密这串base64,加到iv参数中,再post,出flag

原文作者: threst

原文链接: https://threst.github.io/2018/05/12/isccwp/

发表日期: May 12th 2018, 5:33:09

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. iscc
    1. 1.0.1. hashdump长度碰撞
    2. 1.0.2. 逆向第一题
  2. 1.1. iscc cbc翻转攻击
Total : 42
2019
2018
瞎记罢写 ctf CVE-2017-8464 apt BadUSB netcat CVE-2017-11882 git 系统 writeup kali docker php pwn 0day 安全客弃婴 CVE-2018-8174 writeup ctf