安全文库

HASH扩展攻击


起因

一道ctf题

$flag = "XXXXXXXXXXXXXXXXXXXXXXX"; $secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!  $username = $_POST["username"]; $password = $_POST["password"];  if (!empty($_COOKIE["getmein"])) {     if (urldecode($username) === "admin" && urldecode($password) != "admin") {         if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {             echo "Congratulations! You are a registered user./n";             die ("The flag is ". $flag);         }         else {             die ("Your cookies don't match up! STOP HACKING THIS SITE.");         }     }     else {         die ("You are not an admin! LEAVE.");     } }  setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));  if (empty($_COOKIE["source"])) {     setcookie("source", 0, time() + (60 * 60 * 24 * 7)); } else {     if ($_COOKIE["source"] != 0) {         echo ""; // This source code is outputted here     } }

这里的关键绕过是这一句:
if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password)))

cookie['getmein']===$secret . urldecode($username . $password)
的md5加密,而这里的secret是不可知的,但却知道他的长度,这里我们就涉及到hash扩展攻击。

MD5加密原理

MD5会把原数据分成512为一块的许多块,最后一块加上64字节来表示他的长度,一共构成512*n个字节然后再对这N个512数据块进行N次加密计算(因为过程较复杂,此处不做详解,下文称为复杂计算),虽然此处加密过程很复杂,但是整个加密过程很容易理解,如下:

加密过程

现在我们知道的是
secretusernamepassword这个数据,那么我们怎么进行攻击呢,我们看一下这个数据的16进制
HASH扩展攻击
算一下,22个字符,512/8=64,64/16=4,我们需要4排数据然后最后给一个整个数据长度,22=0x14,然后md5计算是小端存储,所以我们修改如下图
HASH扩展攻击
secretusernamepassword转16进制
0x736563726574757365726e616d657617373776f7264
然后填充成
0x736563726574757365726e616d6570617373776f726480000000000000000000000000000000000000000000000000000000000000000000b000000000000000
md5(‘secretusernamepassword’)==3105ff5f8723abe628d54387f2de5641
可以倒推出这个时候的ABCD1:
A=5fff0531
B=e6ab2387
C=8743d528
D=4156def2
现在如果我们继续加数据
0x736563726574757365726e616d6570617373776f726480000000000000000000000000000000000000000000000000000000000000000000b00000000000000072747576
现在我们已知前面512位计算出来的ABCD1,现在我们去掉前面直接用运算出来的ABCD1运算后面0x72747576得到的结果应该和加密全部的结果是一样的
0X72747576会被自动填充为
0x72747576800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002002000000000000
'secretusernamepassword'+'/x80'+'/x00'*33+'/xb0'+'/x00'*7+'/x72/x74/x75/x76'
直接md5加密结果为8e847c325fb05c60d437b23dc38ea6da
使用ABCD1手动加密0X72747576
A=327c848e,B=605cb05f,C=3db237d4,D=daa68ec3
md5:8e847c325fb05c60d437b23dc38ea6da
可以看到相同

攻击流程

既然如初,我们只要知道一个hash值,知道原来数据的数据长度,那么我们就可以算出
原数据+填充数据到512+任意内容的hash值
那么我们来看代码
他是直接用secret+username+password输入的是username和password,那么我们直接得出cookie里面的hash值,拿出这个hash值,倒推出这个ABCD1,然后用这个ABCD1对任意值加密,得出来hash值就是这个任意值附加在
secret+username+password+填充字节+任意值的hash
like this:
HASH扩展攻击
加密代码(引用现成代码)

#!/usr/bin/env python # -*- coding: utf-8 -*- # @Author:DshtAnger # theory reference: #   blog: #       http://blog.csdn.net/adidala/article/details/28677393 #       http://blog.csdn.net/forgotaboutgirl/article/details/7258109 #       http://blog.sina.com.cn/s/blog_6fe0eb1901014cpl.html #   RFC1321: #       https://www.rfc-editor.org/rfc/pdfrfc/rfc1321.txt.pdf ############################################################################## import sys def genMsgLengthDescriptor(msg_bitsLenth):     '''     ---args:             msg_bitsLenth : the bits length of raw message     --return:             16 hex-encoded string , i.e.64bits,8bytes which used to describe the bits length of raw message added after padding     '''     return __import__("struct").pack(">Q", msg_bitsLenth).encode("hex")   def reverse_hex_8bytes(hex_str):     '''     --args:             hex_str: a hex-encoded string with length 16 , i.e.8bytes     --return:             transform raw message descriptor to little-endian     '''     hex_str = "%016x" % int(hex_str, 16)     assert len(hex_str) == 16     return __import__("struct").pack("<Q", int(hex_str, 16)).encode("hex")   def reverse_hex_4bytes(hex_str):     '''     --args:             hex_str: a hex-encoded string with length 8 , i.e.4bytes     --return:             transform 4 bytes message block to little-endian     '''     hex_str = "%08x" % int(hex_str, 16)     assert len(hex_str) == 8     return __import__("struct").pack("<L", int(hex_str, 16)).encode("hex")   def deal_rawInputMsg(input_msg):     '''     --args:             input_msg : inputed a ascii-encoded string     --return:             a hex-encoded string which can be inputed to mathematical transformation function.     '''     ascii_list = [x.encode("hex") for x in input_msg]     length_msg_bytes = len(ascii_list)     length_msg_bits = len(ascii_list) * 8     # padding     ascii_list.append('80')     while (len(ascii_list) * 8 + 64) % 512 != 0:         ascii_list.append('00')     # add Descriptor     ascii_list.append(reverse_hex_8bytes(genMsgLengthDescriptor(length_msg_bits)))     return "".join(ascii_list)   def getM16(hex_str, operatingBlockNum):     '''     --args:             hex_str : a hex-encoded string with length in integral multiple of 512bits             operatingBlockNum : message block number which is being operated , greater than 1     --return:             M : result of splited 64bytes into 4*16 message blocks with little-endian      '''     M = [int(reverse_hex_4bytes(hex_str[i:(i + 8)]), 16) for i in          xrange(128 * (operatingBlockNum - 1), 128 * operatingBlockNum, 8)]     return M   # 定义函数,用来产生常数T[i],常数有可能超过32位,同样需要&0xffffffff操作。注意返回的是十进制的数 def T(i):     result = (int(4294967296 * abs(__import__("math").sin(i)))) & 0xffffffff     return result   # 定义每轮中用到的函数 # RL为循环左移,注意左移之后可能会超过32位,所以要和0xffffffff做与运算,确保结果为32位 F = lambda x, y, z: ((x & y) | ((~x) & z)) G = lambda x, y, z: ((x & z) | (y & (~z))) H = lambda x, y, z: (x ^ y ^ z) I = lambda x, y, z: (y ^ (x | (~z))) RL = L = lambda x, n: (((x << n) | (x >> (32 - n))) & (0xffffffff))   def FF(a, b, c, d, x, s, ac):     a = (a + F((b), (c), (d)) + (x) + (ac) & 0xffffffff) & 0xffffffff;     a = RL((a), (s)) & 0xffffffff;     a = (a + b) & 0xffffffff     return a   def GG(a, b, c, d, x, s, ac):     a = (a + G((b), (c), (d)) + (x) + (ac) & 0xffffffff) & 0xffffffff;     a = RL((a), (s)) & 0xffffffff;     a = (a + b) & 0xffffffff     return a   def HH(a, b, c, d, x, s, ac):     a = (a + H((b), (c), (d)) + (x) + (ac) & 0xffffffff) & 0xffffffff;     a = RL((a), (s)) & 0xffffffff;     a = (a + b) & 0xffffffff     return a   def II(a, b, c, d, x, s, ac):     a = (a + I((b), (c), (d)) + (x) + (ac) & 0xffffffff) & 0xffffffff;     a = RL((a), (s)) & 0xffffffff;     a = (a + b) & 0xffffffff     return a   def show_md5(A, B, C, D):     return "".join(["".join(__import__("re").findall(r"..", "%08x" % i)[::-1]) for i in (A, B, C, D)])   def run_md5(A=0x67452301, B=0xefcdab89, C=0x98badcfe, D=0x10325476, readyMsg=""):     a = A     b = B     c = C     d = D      for i in xrange(0, len(readyMsg) / 128):         M = getM16(readyMsg, i + 1)         for i in xrange(16):             exec "M" + str(i) + "=M[" + str(i) + "]"         # First round         a = FF(a, b, c, d, M0, 7, 0xd76aa478L)         d = FF(d, a, b, c, M1, 12, 0xe8c7b756L)         c = FF(c, d, a, b, M2, 17, 0x242070dbL)         b = FF(b, c, d, a, M3, 22, 0xc1bdceeeL)         a = FF(a, b, c, d, M4, 7, 0xf57c0fafL)         d = FF(d, a, b, c, M5, 12, 0x4787c62aL)         c = FF(c, d, a, b, M6, 17, 0xa8304613L)         b = FF(b, c, d, a, M7, 22, 0xfd469501L)         a = FF(a, b, c, d, M8, 7, 0x698098d8L)         d = FF(d, a, b, c, M9, 12, 0x8b44f7afL)         c = FF(c, d, a, b, M10, 17, 0xffff5bb1L)         b = FF(b, c, d, a, M11, 22, 0x895cd7beL)         a = FF(a, b, c, d, M12, 7, 0x6b901122L)         d = FF(d, a, b, c, M13, 12, 0xfd987193L)         c = FF(c, d, a, b, M14, 17, 0xa679438eL)         b = FF(b, c, d, a, M15, 22, 0x49b40821L)         # Second round         a = GG(a, b, c, d, M1, 5, 0xf61e2562L)         d = GG(d, a, b, c, M6, 9, 0xc040b340L)         c = GG(c, d, a, b, M11, 14, 0x265e5a51L)         b = GG(b, c, d, a, M0, 20, 0xe9b6c7aaL)         a = GG(a, b, c, d, M5, 5, 0xd62f105dL)         d = GG(d, a, b, c, M10, 9, 0x02441453L)         c = GG(c, d, a, b, M15, 14, 0xd8a1e681L)         b = GG(b, c, d, a, M4, 20, 0xe7d3fbc8L)         a = GG(a, b, c, d, M9, 5, 0x21e1cde6L)         d = GG(d, a, b, c, M14, 9, 0xc33707d6L)         c = GG(c, d, a, b, M3, 14, 0xf4d50d87L)         b = GG(b, c, d, a, M8, 20, 0x455a14edL)         a = GG(a, b, c, d, M13, 5, 0xa9e3e905L)         d = GG(d, a, b, c, M2, 9, 0xfcefa3f8L)         c = GG(c, d, a, b, M7, 14, 0x676f02d9L)         b = GG(b, c, d, a, M12, 20, 0x8d2a4c8aL)         # Third round         a = HH(a, b, c, d, M5, 4, 0xfffa3942L)         d = HH(d, a, b, c, M8, 11, 0x8771f681L)         c = HH(c, d, a, b, M11, 16, 0x6d9d6122L)         b = HH(b, c, d, a, M14, 23, 0xfde5380c)         a = HH(a, b, c, d, M1, 4, 0xa4beea44L)         d = HH(d, a, b, c, M4, 11, 0x4bdecfa9L)         c = HH(c, d, a, b, M7, 16, 0xf6bb4b60L)         b = HH(b, c, d, a, M10, 23, 0xbebfbc70L)         a = HH(a, b, c, d, M13, 4, 0x289b7ec6L)         d = HH(d, a, b, c, M0, 11, 0xeaa127faL)         c = HH(c, d, a, b, M3, 16, 0xd4ef3085L)         b = HH(b, c, d, a, M6, 23, 0x04881d05L)         a = HH(a, b, c, d, M9, 4, 0xd9d4d039L)         d = HH(d, a, b, c, M12, 11, 0xe6db99e5L)         c = HH(c, d, a, b, M15, 16, 0x1fa27cf8L)         b = HH(b, c, d, a, M2, 23, 0xc4ac5665L)         # Fourth round         a = II(a, b, c, d, M0, 6, 0xf4292244L)         d = II(d, a, b, c, M7, 10, 0x432aff97L)         c = II(c, d, a, b, M14, 15, 0xab9423a7L)         b = II(b, c, d, a, M5, 21, 0xfc93a039L)         a = II(a, b, c, d, M12, 6, 0x655b59c3L)         d = II(d, a, b, c, M3, 10, 0x8f0ccc92L)         c = II(c, d, a, b, M10, 15, 0xffeff47dL)         b = II(b, c, d, a, M1, 21, 0x85845dd1L)         a = II(a, b, c, d, M8, 6, 0x6fa87e4fL)         d = II(d, a, b, c, M15, 10, 0xfe2ce6e0L)         c = II(c, d, a, b, M6, 15, 0xa3014314L)         b = II(b, c, d, a, M13, 21, 0x4e0811a1L)         a = II(a, b, c, d, M4, 6, 0xf7537e82L)         d = II(d, a, b, c, M11, 10, 0xbd3af235L)         c = II(c, d, a, b, M2, 15, 0x2ad7d2bbL)         b = II(b, c, d, a, M9, 21, 0xeb86d391L)          A += a         B += b         C += c         D += d          A = A & 0xffffffff         B = B & 0xffffffff         C = C & 0xffffffff         D = D & 0xffffffff          a = A         b = B         c = C         d = D         print "%x,%x,%x,%x" % (a, b, c, d)      return show_md5(a, b, c, d) samplehash="571580b26c65f306376d4f64e53cb5c7"  s1=0x5fff0531 s2=0xe6ab2387 s3=0x8743d528 s4=0x4156def2 secret = 'secretusernamepassword'  test=secret+'/x80'+'/x00'*33+'/xb0'+'/x00'*7+'/x72/x74/x75/x76' s = deal_rawInputMsg(test) inp = s[len(s)/2:] print test+'/n' print '----------------------------------------------------------' print s print '----------------------------------------------------------' print inp print '----------------------------------------------------------' print "md5:"+run_md5(s1,s2,s3,s4,inp)