

Tianji's Blog.

cbc翻转

Tianji's Blog.

cbc翻转

web安全

Word count: 943 / Reading time: 5 min

 2018/05/08   Share

• 
• 
• 
• 
• 

CBC翻转攻击

参考链接:

1. https://blog.csdn.net/csu_vc/article/details/79619309
2. http://wooyun.jozxing.cc/static/drops/tips-7828.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login Form</title>
<link href="static/css/style.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="static/js/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    $(".username").focus(function() {
        $(".user-icon").css("left","-48px");
    });
    $(".username").blur(function() {
        $(".user-icon").css("left","0px");
    });
    $(".password").focus(function() {
        $(".pass-icon").css("left","-48px");
    });
    $(".password").blur(function() {
        $(".pass-icon").css("left","0px");
    });
});
</script>
</head>
<?php
define("SECRET_KEY", file_get_contents('/root/key'));
define("METHOD", "aes-128-cbc");
session_start();
function get_random_iv(){
    $random_iv='';
    for($i=0;$i<16;$i++){
        $random_iv.=chr(rand(1,255));
    }
    return $random_iv;
}
function login($info){
    $iv = get_random_iv();
    $plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    $_SESSION['username'] = $info['username'];
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}
function check_login(){
    if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
            $info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");
            $_SESSION['username'] = $info['username'];
        }else{
            die("ERROR!");
        }
    }
}
function show_homepage(){
    if ($_SESSION["username"]==='admin'){
        echo '<p>Hello admin</p>';
        echo '<p>Flag is $flag</p>';
    }else{
        echo '<p>hello '.$_SESSION['username'].'</p>';
        echo '<p>Only admin can see flag</p>';
    }
    echo '<p><a href="loginout.php">Log out</a></p>';
}
if(isset($_POST['username']) && isset($_POST['password'])){
    $username = (string)$_POST['username'];
    $password = (string)$_POST['password'];
    if($username === 'admin'){
        exit('<p>admin are not allowed to login</p>');
    }else{
        $info = array('username'=>$username,'password'=>$password);
        login($info);
        show_homepage();
    }
}else{
    if(isset($_SESSION["username"])){
        check_login();
        show_homepage();
    }else{
        echo '<body class="login-body">
                <div id="wrapper">
                    <div class="user-icon"></div>
                    <div class="pass-icon"></div>
                    <form name="login-form" class="login-form" action="" method="post">
                        <div class="header">
                        <h1>Login Form</h1>
                        <span>Fill out the form below to login to my super awesome imaginary control panel.</span>
                        </div>
                        <div class="content">
                        <input name="username" type="text" class="input username" value="Username" onfocus="this.value=\'\'" />
                        <input name="password" type="password" class="input password" value="Password" onfocus="this.value=\'\'" />
                        </div>
                        <div class="footer">
                        <input type="submit" name="submit" value="Login" class="button" />
                        </div>
                    </form>
                </div>
            </body>';
    }
}
?>
</html>

首先确定解密后的字符串:

a:2:{s:8:”username”;s:5:”zdmin”;s:8:”password”;s:5:”12345”}

第一步: 替换cookie中的cipher为反转后的cipher.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2018-03-15 11:45:57
# @Author  : Mr.zhang(s4ad0w.protonmail.com)
# @Link    : http://blog.csdn.net/csu_vc
# username='zdmin'
import base64
import requests
import urllib
iv_raw='DbVDXiIkUNkqwCARqqpYew%3D%3D'  #这里填写第一次返回的iv值
cipher_raw='27cekPxVgR5hbiu6ay%2BUfSmepzwYYL%2FTdbN1K3kmrH2EJ%2FqvBtAdKGGqGytHgJXJzNB26ZRX5dwupd885R%2Bwng%3D%3D'  #这里填写第一次返回的cipher值
print "[*]原始iv和cipher"
print "iv_raw:  " + iv_raw
print "cipher_raw:  " + cipher_raw
print "[*]对cipher解码，进行反转"
cipher = base64.b64decode(urllib.unquote(cipher_raw))
#a:2:{s:8:"username";s:5:"zdmin";s:8:"password";s:5:"12345"}
#s:2:{s:8:"userna
#me";s:5:"zdmin";
#s:8:"password";s
#:3:"12345";}
xor_cipher = cipher[0:9] +  chr(ord(cipher[9]) ^ ord('z') ^ ord('a')) + cipher[10:]  #请根据你的输入自行更改，原理看上面的介绍
xor_cipher=urllib.quote(base64.b64encode(xor_cipher))
print "反转后的cipher：" + xor_cipher

第二步: 第一步执行完，得到一个base64之后的字符串，代入下边的脚本，然后替换cookie中的iv为以下脚本输出的新的iv值。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2018-03-15 11:56:20
# @Author  : csu_vc(s4ad0w.protonmail.com)
# @Link    : http://blog.csdn.net/csu_vc
import base64
import urllib
cipher = 't8hxonGnYZs19dVMEzqeZm1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjU6IjEyMzQ1Ijt9'#填写提交后所得的无法反序列化密文
iv = 'DbVDXiIkUNkqwCARqqpYew%3D%3D'#一开始提交的iv
cipher = urllib.unquote(cipher)
cipher = base64.b64decode(cipher)
iv = base64.b64decode(urllib.unquote(iv))
newIv = ''
right = 'a:2:{s:8:"userna'#被损坏前正确的明文
for i in range(16):
    newIv += chr(ord(right[i])^ord(iv[i])^ord(cipher[i])) #这一步相当于把原来iv中不匹配的部分修改过来
print urllib.quote(base64.b64encode(newIv))

原文作者: Tianji

原文链接: https://www.tiandiwuji.top/posts/62655/

发表日期: May 8th 2018, 3:50:54 pm

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  bypassaslr_return2plt
• Previous Post
  misc思路

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. CBC翻转攻击



• Archive
• Tag
• Cate

Total : 77

2099

• 01/01day-day-up

2019

• 04/18AtomicInteger代码阅读
• 03/06算法刷刷刷
• 02/24java-面试准备
• 01/15dubbo-problem
• 01/12Thinkphp5.0.*之RCE漏洞分析

2018

• 12/2835c3ctf
• 12/27java开发小记
• 12/21软件安装相关问题
• 12/16内存取证分析
• 12/15xmasctf
• 12/10hxp-ctf
• 12/05php调试分析
• 12/05php7.2内核调试环境搭建
• 12/04linux-优化实战笔记
• 12/02RealWorldFinal
• 12/01pwnable.tw练习
• 11/29bctf2018
• 11/28安全域划分的相关问题
• 11/25code-breaking
• 11/19lctf-2018
• 11/11hctf2018
• 11/04SROP-study
• 11/02tcache-study
• 10/23hitcon-复现
• 10/17hack-lu
• 10/01netty入门到精通-初识NIO
• 09/26php-项目结构
• 09/26jvm-深入拆解java虚拟机
• 09/22anheng
• 09/21pwnable.kr_刷刷刷
• 09/20dubbo项目结构
• 09/20zookeeper安装-启动
• 09/20dubbo-启动
• 09/18casw-2018
• 09/18渗透测试-vulnhub-acid
• 09/08noxctf-writeup
• 09/05lamp && lnmp以apt-get的方式安装
• 09/04websec.fr-writeup
• 09/02TokyoWesterns CTF
• 08/06how2heap-分析总结
• 08/060ctf2018-babyheap
• 08/03ctfzone-ctf
• 07/30real-world-ctf
• 07/30ISITDTU-CTF
• 07/23巅峰极客ctf
• 07/18php-命令执行
• 07/17RSA学习
• 07/17ssti
• 07/15php命令执行函数
• 06/30web安全备忘录
• 06/26googlectf2018
• 06/24linux常见文件的作用
• 06/21sctf2018
• 06/14python多线程和lock和Rlock
• 06/08linux格式化字符串漏洞
• 06/08pwn备忘录
• 06/08sqlmap使用
• 06/04linux安全备忘录
• 06/04LRE_PAYLOAD绕过open_basedir
• 05/29mysql忘记密码/修改密码
• 05/29docker使用手册
• 05/29linux使用相关
• 05/28suctf2018
• 05/22phpinfo解读
• 05/22rctf2018学习笔记
• 05/21bypassaslr_return2plt
• 05/08cbc翻转
• 05/07misc思路
• 04/24常用shell命令及相关工具（shell+python+tools）
• 04/24parse_url + curl
• 04/20ddctf2018
• 04/18PHP代码审计归纳
• 03/27xss
• 03/27url相对路径和绝对路径
• 03/26python3和python2 base64的问题
• 03/21sql注入大全

pwn ctf web安全 ctf_php_debug 置顶 工具手册 dubbo jvm linux 运维 mysql php python python安全 前端 zookeeper 渗透测试 安全体系建设



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

安全

