Key concept
MD5 length extension attack
Solution approach
Opening the site shows nothing at all, so we capture the traffic and analyse it.
Capturing the request in Burp shows that the Cookie header carries something. First change source=0 to source=1 to get the source code.
```php
<?php
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // the secret is unknown, but its length is known: 15 characters
$username = $_POST["username"];
$password = $_POST["password"];
// To obtain the flag:
// 1. username must === "admin"
// 2. password must != "admin"
// 3. and the cookie parameter getmein must === md5(15-character unknown secret . "admin" . $password)
if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        if ($_COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die ("The flag is ". $flag);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("You are not an admin! LEAVE.");
    }
}
// The sample-hash cookie reveals md5(15-character unknown secret . "adminadmin") = 571580b26c65f306376d4f64e53cb5c7
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
if (empty($_COOKIE["source"])) {
    setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
    if ($_COOKIE["source"] != 0) {
        echo ""; // This source code is outputted here
    }
}
```
So we can use the HashPump tool shipped with Kali to construct the MD5 length extension directly.
Here we use Burp to modify the request so that it carries the values we need:
Add a getmein parameter with the value 870cb8de7a5d442220d00ef95d71590d
Change the POST body to username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00lll
Forward the request and the flag comes back
CTF{cOOkieS_4nd_hAshIng_G0_w3LL_t0g3ther}
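As an added example (not part of the original writeup and not HashPump's code), the Python below reproduces the forgery offline to show why md5($secret . $message) is not a MAC: the 16-byte digest is the hash's internal state, so whoever holds sample-hash can keep hashing from it without knowing the secret. The 15-byte secret is a constructed stand-in that length_extend never reads; the glue it produces is the %80 ... %c8 padding seen in the payload above.

```python
import hashlib
import math
import struct

# MD5 internals (RFC 1321): per-step rotation amounts, sine-derived constants, initial state.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def md5_pad(msg_len):
    """Padding MD5 appends to a msg_len-byte message: 0x80, zeros, then the bit length as 64-bit LE."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)

def md5_compress(state, block):
    """One MD5 compression step: fold a 64-byte block into the four 32-bit state words."""
    a, b, c, d = state
    M = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & 0xFFFFFFFF
        rot = ((f << S[i]) | (f >> (32 - S[i]))) & 0xFFFFFFFF  # 32-bit left rotate
        a, d, c, b = d, c, b, (b + rot) & 0xFFFFFFFF
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]

def md5_hex(data, state=IV, prefix_len=0):
    """MD5 of data; given state/prefix_len it resumes as if prefix_len bytes were already hashed."""
    padded = data + md5_pad(prefix_len + len(data))
    for i in range(0, len(padded), 64):
        state = md5_compress(state, padded[i:i + 64])
    return struct.pack("<4I", *state).hex()

def length_extend(known_hex, known_len, suffix):
    """From md5(secret||msg) and len(secret||msg) alone, derive glue||suffix and md5(secret||msg||glue||suffix)."""
    glue = md5_pad(known_len)  # the padding the server's md5 implicitly appended to secret||msg
    state = struct.unpack("<4I", bytes.fromhex(known_hex))  # the published digest *is* the internal state
    return glue + suffix, md5_hex(suffix, state, known_len + len(glue))

def demo_challenge():
    secret = b"S" * 15  # constructed stand-in for the unknown 15-byte secret; length_extend never reads it
    sample_hash = hashlib.md5(secret + b"adminadmin").hexdigest()  # what the sample-hash cookie leaks
    extra, getmein = length_extend(sample_hash, 15 + len(b"adminadmin"), b"lll")
    password = b"admin" + extra  # what the POSTed password URL-decodes to; != "admin" as the check requires
    return getmein == hashlib.md5(secret + b"admin" + password).hexdigest() and password != b"admin"
```

The server-side fix is a keyed construction such as hash_hmac('md5', $message, $secret), whose output is not a resumable hash state.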