哈希扩展长度攻击

0x00 起于一道CTF

这是一道好题！学了一种新的攻击方法，顺带知道了hash的实现。只不过现在这种攻击方法也只活在ctf中了

首先是改包能够看到源码

flag = “XXXXXXXXXXXXXXXXXXXXXXX”;

$secret = “XXXXXXXXXXXXXXX”; // This secret is 15 characters long for security!

$username = $_POST[“username”];

$password = $_POST[“password”];

if (!empty($_COOKIE[“getmein”])) {

if (urldecode($username) === “admin” && urldecode($password) != “admin”) {

if ($COOKIE[“getmein”] === md5($secret . urldecode($username . $password))) {echo “Congratulations! You are a registered user.\n”;

die (“The flag is “. $flag);}

else {

die (“Your cookies don’t match up! STOP HACKING THIS SITE.”);

}}

else {

die (“You are not an admin! LEAVE.”);}}

setcookie(“sample-hash”, md5($secret . urldecode(“admin” . “admin”)), time() + (60 * 60 * 24 * 7));

if (empty($_COOKIE[“source”])) {

setcookie(“source”, 0, time() + (60 * 60 * 24 * 7));}

else {

if ($_COOKIE[“source”] != 0) {

echo “”; // This source code is outputted here}}

要显示出flag就得要通过这个逻辑：$COOKIE[“getmein”] === md5($secret . urldecode($username . $password)

问题在于不知道secret的值是多少，爆破几乎是不可能的，这里就要用到哈希扩展长度攻击

0x01什么是哈希扩展长度攻击

已知：salt的MD5值，但是不知道str1本身的值

我们可以知道salt+padding+任意字符的md5值

因为md5的实现中64轮变换每次都是用的上次变换的结果，通过md5可以反向算出最后一次变换的四个值，之后加入到变换函数中，在后面添加任意数据。这样在不知道salt本身值的情况下也能算出salt+padding+任意数据的md5值了

我们需要知道md5的实现过程才能理解这种攻击方式

hash的实现

首先对消息进行分组，每组64个字节，不足64个字节的部分用padding补齐，其中，第一个补充的字节是0x80，之后的都是0x00，padding的最后8个字节用来表示需要哈希的消息长度

defpadding(self,n,sz=None):

ifszisNone:

sz=n

pre=64–8

sz=struct.pack(“Q”,sz*8)

pad=‘\x80‘

n+=1

ifn%64<=pre:

pad+=‘\x00‘*(pre–n%64)

pad+=sz

else:

pad+=‘\x00‘*(pre+64–n%64)

pad+=sz

returnpad

#最后八个字节为数据长度

defpad(self,msg):

returnmsg+self.padding(len(msg))

。

之后开始对每组消息进行压缩，经过64轮的数学变换（位运算的与或非异或、按位左移右移、按位无符号左移右移、进制转换、sin、和0xFF、0xFFFFFFF做与运算保证位数不变等等）每一次变换压缩的结果被当成下一轮变换压缩的初始值。最开始的初始值是由文档规定好的。最后的结果拼在一起就是128位的md5值

四个定义好的变换函数：

F(X,Y,Z) =(X&Y)|((~X)&Z)

G(X,Y,Z) =(X&Z)|(Y&(~Z))

H(X,Y,Z) =X^Y^Z

I(X,Y,Z)=Y^(X|(~Z))

（&是与，|是或，~是非，^是异或）

四个定义好的初始值：

A=0x01234567，B=0x89abcdef，C=0xfedcba98，D=0x76543210。

变换函数

defXX(func,a,b,c,d,x,s,ac):

res=0L

res=res+a+func(b,c,d)

res=res+x

res=res+ac

res=res&0xffffffffL

res=_rotateLeft(res,s)

res=res&0xffffffffL

res=res+b

returnres&0xffffffffL

defmd5_compress(self,buf):

iflen(buf)!=64:

raiseValueError,“Invalidbufferoflength%d:%s”%(len(buf),repr(buf))

inp=struct.unpack(“I”*16,buf)

a,b,c,d=self.A,self.B,self.C,self.D

#开始进行64轮数学变换,四大轮，每轮16次

#Round1.

S11,S12,S13,S14=7,12,17,22

a=XX(F,a,b,c,d,inp[0],S11,0xD76AA478L)#1

d=XX(F,d,a,b,c,inp[1],S12,0xE8C7B756L)#2

c=XX(F,c,d,a,b,inp[2],S13,0x242070DBL)#3

b=XX(F,b,c,d,a,inp[3],S14,0xC1BDCEEEL)#4

a=XX(F,a,b,c,d,inp[4],S11,0xF57C0FAFL)#5

d=XX(F,d,a,b,c,inp[5],S12,0x4787C62AL)#6

c=XX(F,c,d,a,b,inp[6],S13,0xA8304613L)#7

b=XX(F,b,c,d,a,inp[7],S14,0xFD469501L)#8

a=XX(F,a,b,c,d,inp[8],S11,0x698098D8L)#9

d=XX(F,d,a,b,c,inp[9],S12,0x8B44F7AFL)#10

c=XX(F,c,d,a,b,inp[10],S13,0xFFFF5BB1L)#11

b=XX(F,b,c,d,a,inp[11],S14,0x895CD7BEL)#12

a=XX(F,a,b,c,d,inp[12],S11,0x6B901122L)#13

d=XX(F,d,a,b,c,inp[13],S12,0xFD987193L)#14

c=XX(F,c,d,a,b,inp[14],S13,0xA679438EL)#15

b=XX(F,b,c,d,a,inp[15],S14,0x49B40821L)#16

#Round2.

S21,S22,S23,S24=5,9,14,20

a=XX(G,a,b,c,d,inp[1],S21,0xF61E2562L)#17

d=XX(G,d,a,b,c,inp[6],S22,0xC040B340L)#18

c=XX(G,c,d,a,b,inp[11],S23,0x265E5A51L)#19

b=XX(G,b,c,d,a,inp[0],S24,0xE9B6C7AAL)#20

a=XX(G,a,b,c,d,inp[5],S21,0xD62F105DL)#21

d=XX(G,d,a,b,c,inp[10],S22,0x02441453L)#22

c=XX(G,c,d,a,b,inp[15],S23,0xD8A1E681L)#23

b=XX(G,b,c,d,a,inp[4],S24,0xE7D3FBC8L)#24

a=XX(G,a,b,c,d,inp[9],S21,0x21E1CDE6L)#25

d=XX(G,d,a,b,c,inp[14],S22,0xC33707D6L)#26

c=XX(G,c,d,a,b,inp[3],S23,0xF4D50D87L)#27

b=XX(G,b,c,d,a,inp[8],S24,0x455A14EDL)#28

a=XX(G,a,b,c,d,inp[13],S21,0xA9E3E905L)#29

d=XX(G,d,a,b,c,inp[2],S22,0xFCEFA3F8L)#30

c=XX(G,c,d,a,b,inp[7],S23,0x676F02D9L)#31

b=XX(G,b,c,d,a,inp[12],S24,0x8D2A4C8AL)#32

#Round3.

S31,S32,S33,S34=4,11,16,23

a=XX(H,a,b,c,d,inp[5],S31,0xFFFA3942L)#33

d=XX(H,d,a,b,c,inp[8],S32,0x8771F681L)#34

c=XX(H,c,d,a,b,inp[11],S33,0x6D9D6122L)#35

b=XX(H,b,c,d,a,inp[14],S34,0xFDE5380CL)#36

a=XX(H,a,b,c,d,inp[1],S31,0xA4BEEA44L)#37

d=XX(H,d,a,b,c,inp[4],S32,0x4BDECFA9L)#38

c=XX(H,c,d,a,b,inp[7],S33,0xF6BB4B60L)#39

b=XX(H,b,c,d,a,inp[10],S34,0xBEBFBC70L)#40

a=XX(H,a,b,c,d,inp[13],S31,0x289B7EC6L)#41

d=XX(H,d,a,b,c,inp[0],S32,0xEAA127FAL)#42

c=XX(H,c,d,a,b,inp[3],S33,0xD4EF3085L)#43

b=XX(H,b,c,d,a,inp[6],S34,0x04881D05L)#44

a=XX(H,a,b,c,d,inp[9],S31,0xD9D4D039L)#45

d=XX(H,d,a,b,c,inp[12],S32,0xE6DB99E5L)#46

c=XX(H,c,d,a,b,inp[15],S33,0x1FA27CF8L)#47

b=XX(H,b,c,d,a,inp[2],S34,0xC4AC5665L)#48

#Round4.

S41,S42,S43,S44=6,10,15,21

a=XX(I,a,b,c,d,inp[0],S41,0xF4292244L)#49

d=XX(I,d,a,b,c,inp[7],S42,0x432AFF97L)#50

c=XX(I,c,d,a,b,inp[14],S43,0xAB9423A7L)#51

b=XX(I,b,c,d,a,inp[5],S44,0xFC93A039L)#52

a=XX(I,a,b,c,d,inp[12],S41,0x655B59C3L)#53

d=XX(I,d,a,b,c,inp[3],S42,0x8F0CCC92L)#54

c=XX(I,c,d,a,b,inp[10],S43,0xFFEFF47DL)#55

b=XX(I,b,c,d,a,inp[1],S44,0x85845DD1L)#56

a=XX(I,a,b,c,d,inp[8],S41,0x6FA87E4FL)#57

d=XX(I,d,a,b,c,inp[15],S42,0xFE2CE6E0L)#58

c=XX(I,c,d,a,b,inp[6],S43,0xA3014314L)#59

b=XX(I,b,c,d,a,inp[13],S44,0x4E0811A1L)#60

a=XX(I,a,b,c,d,inp[4],S41,0xF7537E82L)#61

d=XX(I,d,a,b,c,inp[11],S42,0xBD3AF235L)#62

c=XX(I,c,d,a,b,inp[2],S43,0x2AD7D2BBL)#63

b=XX(I,b,c,d,a,inp[9],S44,0xEB86D391L)#64

self.A=(self.A+a)&0xffffffffL

self.B=(self.B+b)&0xffffffffL

self.C=(self.C+c)&0xffffffffL

self.D=(self.D+d)&0xffffffffL

0x02回到题目

这个时候我们通过脚本构造payload，padding的值得是64位

脚本如下

# coding:utf-8
#这是个哈希扩展攻击的payload生成脚本
#python 本文件名字.py salt的md5 附加的值 salt的长度

import sys
import struct
import hashlib
import binascii

#每轮中用到的数学变换函数。L为循环左移，
def F(x, y, z):
    return (x & y) | ((~x) & z)
def G(x, y, z):
    return (x & z) | (y & (~z))
def H(x, y, z):
    return x ^ y ^ z
def I(x, y, z):
    return y ^ (x | (~z))

#注意左移之后可能会超过32位，所以要和0xffffffff做与运算，确保结果为32位。
def _rotateLeft(x, n):
    return (x << n) | (x >> (32 - n))
#变换函数
def XX(func, a, b, c, d, x, s, ac):
    res = 0L
    res = res + a + func(b, c, d)
    res = res + x
    res = res + ac
    res = res & 0xffffffffL
    res = _rotateLeft(res, s)
    res = res & 0xffffffffL
    res = res + b

    return res & 0xffffffffL

# 主类
class md5():
    #初始化向量，这是标准里定死的
    def __init__(self):
        self.A, self.B, self.C, self.D = (0x67452301L, 0xefcdab89L, 0x98badcfeL, 0x10325476L)

    def md5_compress(self, buf):
        if len(buf) != 64:
            raise ValueError, "Invalid buffer of length %d: %s" % (len(buf), repr(buf))
        inp = struct.unpack("I" * 16, buf)
        a, b, c, d = self.A, self.B, self.C, self.D

        #开始进行64轮数学变换,四大轮，每轮16次
        # Round 1.
        S11, S12, S13, S14 = 7, 12, 17, 22

        a = XX(F, a, b, c, d, inp[0], S11, 0xD76AA478L)  # 1
        d = XX(F, d, a, b, c, inp[1], S12, 0xE8C7B756L)  # 2
        c = XX(F, c, d, a, b, inp[2], S13, 0x242070DBL)  # 3
        b = XX(F, b, c, d, a, inp[3], S14, 0xC1BDCEEEL)  # 4
        a = XX(F, a, b, c, d, inp[4], S11, 0xF57C0FAFL)  # 5
        d = XX(F, d, a, b, c, inp[5], S12, 0x4787C62AL)  # 6
        c = XX(F, c, d, a, b, inp[6], S13, 0xA8304613L)  # 7
        b = XX(F, b, c, d, a, inp[7], S14, 0xFD469501L)  # 8
        a = XX(F, a, b, c, d, inp[8], S11, 0x698098D8L)  # 9
        d = XX(F, d, a, b, c, inp[9], S12, 0x8B44F7AFL)  # 10
        c = XX(F, c, d, a, b, inp[10], S13, 0xFFFF5BB1L)  # 11
        b = XX(F, b, c, d, a, inp[11], S14, 0x895CD7BEL)  # 12
        a = XX(F, a, b, c, d, inp[12], S11, 0x6B901122L)  # 13
        d = XX(F, d, a, b, c, inp[13], S12, 0xFD987193L)  # 14
        c = XX(F, c, d, a, b, inp[14], S13, 0xA679438EL)  # 15
        b = XX(F, b, c, d, a, inp[15], S14, 0x49B40821L)  # 16

        # Round 2.
        S21, S22, S23, S24 = 5, 9, 14, 20

        a = XX(G, a, b, c, d, inp[1], S21, 0xF61E2562L)  # 17
        d = XX(G, d, a, b, c, inp[6], S22, 0xC040B340L)  # 18
        c = XX(G, c, d, a, b, inp[11], S23, 0x265E5A51L)  # 19
        b = XX(G, b, c, d, a, inp[0], S24, 0xE9B6C7AAL)  # 20
        a = XX(G, a, b, c, d, inp[5], S21, 0xD62F105DL)  # 21
        d = XX(G, d, a, b, c, inp[10], S22, 0x02441453L)  # 22
        c = XX(G, c, d, a, b, inp[15], S23, 0xD8A1E681L)  # 23
        b = XX(G, b, c, d, a, inp[4], S24, 0xE7D3FBC8L)  # 24
        a = XX(G, a, b, c, d, inp[9], S21, 0x21E1CDE6L)  # 25
        d = XX(G, d, a, b, c, inp[14], S22, 0xC33707D6L)  # 26
        c = XX(G, c, d, a, b, inp[3], S23, 0xF4D50D87L)  # 27
        b = XX(G, b, c, d, a, inp[8], S24, 0x455A14EDL)  # 28
        a = XX(G, a, b, c, d, inp[13], S21, 0xA9E3E905L)  # 29
        d = XX(G, d, a, b, c, inp[2], S22, 0xFCEFA3F8L)  # 30
        c = XX(G, c, d, a, b, inp[7], S23, 0x676F02D9L)  # 31
        b = XX(G, b, c, d, a, inp[12], S24, 0x8D2A4C8AL)  # 32

        # Round 3.
        S31, S32, S33, S34 = 4, 11, 16, 23

        a = XX(H, a, b, c, d, inp[5], S31, 0xFFFA3942L)  # 33
        d = XX(H, d, a, b, c, inp[8], S32, 0x8771F681L)  # 34
        c = XX(H, c, d, a, b, inp[11], S33, 0x6D9D6122L)  # 35
        b = XX(H, b, c, d, a, inp[14], S34, 0xFDE5380CL)  # 36
        a = XX(H, a, b, c, d, inp[1], S31, 0xA4BEEA44L)  # 37
        d = XX(H, d, a, b, c, inp[4], S32, 0x4BDECFA9L)  # 38
        c = XX(H, c, d, a, b, inp[7], S33, 0xF6BB4B60L)  # 39
        b = XX(H, b, c, d, a, inp[10], S34, 0xBEBFBC70L)  # 40
        a = XX(H, a, b, c, d, inp[13], S31, 0x289B7EC6L)  # 41
        d = XX(H, d, a, b, c, inp[0], S32, 0xEAA127FAL)  # 42
        c = XX(H, c, d, a, b, inp[3], S33, 0xD4EF3085L)  # 43
        b = XX(H, b, c, d, a, inp[6], S34, 0x04881D05L)  # 44
        a = XX(H, a, b, c, d, inp[9], S31, 0xD9D4D039L)  # 45
        d = XX(H, d, a, b, c, inp[12], S32, 0xE6DB99E5L)  # 46
        c = XX(H, c, d, a, b, inp[15], S33, 0x1FA27CF8L)  # 47
        b = XX(H, b, c, d, a, inp[2], S34, 0xC4AC5665L)  # 48

        # Round 4.
        S41, S42, S43, S44 = 6, 10, 15, 21

        a = XX(I, a, b, c, d, inp[0], S41, 0xF4292244L)  # 49
        d = XX(I, d, a, b, c, inp[7], S42, 0x432AFF97L)  # 50
        c = XX(I, c, d, a, b, inp[14], S43, 0xAB9423A7L)  # 51
        b = XX(I, b, c, d, a, inp[5], S44, 0xFC93A039L)  # 52
        a = XX(I, a, b, c, d, inp[12], S41, 0x655B59C3L)  # 53
        d = XX(I, d, a, b, c, inp[3], S42, 0x8F0CCC92L)  # 54
        c = XX(I, c, d, a, b, inp[10], S43, 0xFFEFF47DL)  # 55
        b = XX(I, b, c, d, a, inp[1], S44, 0x85845DD1L)  # 56
        a = XX(I, a, b, c, d, inp[8], S41, 0x6FA87E4FL)  # 57
        d = XX(I, d, a, b, c, inp[15], S42, 0xFE2CE6E0L)  # 58
        c = XX(I, c, d, a, b, inp[6], S43, 0xA3014314L)  # 59
        b = XX(I, b, c, d, a, inp[13], S44, 0x4E0811A1L)  # 60
        a = XX(I, a, b, c, d, inp[4], S41, 0xF7537E82L)  # 61
        d = XX(I, d, a, b, c, inp[11], S42, 0xBD3AF235L)  # 62
        c = XX(I, c, d, a, b, inp[2], S43, 0x2AD7D2BBL)  # 63
        b = XX(I, b, c, d, a, inp[9], S44, 0xEB86D391L)  # 64

        self.A = (self.A + a) & 0xffffffffL
        self.B = (self.B + b) & 0xffffffffL
        self.C = (self.C + c) & 0xffffffffL
        self.D = (self.D + d) & 0xffffffffL
        # print 'A=%s\nB=%s\nC=%s\nD=%s\n' % (hex(self.A), hex(self.B), hex(self.C), hex(self.D))

    #padding，即补位:首字节为\x80
    def padding(self, n, sz = None):
        if sz is None:
            sz = n
        pre = 64 - 8
        sz = struct.pack("Q", sz * 8)
        pad = '\x80'
        n += 1
        if n % 64 <= pre:
            pad += '\x00' * (pre - n % 64)
            pad += sz
        else:
            pad += '\x00' * (pre + 64 - n % 64)
            pad += sz
        return pad
    #最后八个字节为数据长度
    def pad(self, msg):
        return msg + self.padding(len(msg))

    def md5_iter(self, padding_msg):
        assert len(padding_msg) % 64 == 0
        for i in range(0, len(padding_msg), 64):
            block = padding_msg[i:i + 64]
            self.md5_compress(padding_msg[i:i + 64])

    def digest(self):
        return struct.pack('<IIII', self.A, self.B, self.C, self.D)

    def hexdigest(self):
        return binascii.hexlify(self.digest()).decode()

    def my_md5(self, msg):
        padding_msg = self.pad(msg)
        self.md5_iter(padding_msg)
        return self.hexdigest()  # 通过md5值，逆向算出最后一轮的magic number

    def compute_magic_number(self, md5str):
        self.A = struct.unpack("I", md5str[0:8].decode('hex'))[0]
        self.B = struct.unpack("I", md5str[8:16].decode('hex'))[0]
        self.C = struct.unpack("I", md5str[16:24].decode('hex'))[0]
        self.D = struct.unpack("I", md5str[24:32].decode('hex'))[0]
        # print '\nA=%s\nB=%s\nC=%s\nD=%s\n' % (hex(self.A), hex(self.B), hex(self.C), hex(self.D))

    def extension_attack(self, md5str, str_append, lenth):
        self.compute_magic_number(md5str)
        p = self.padding(lenth)
        padding_msg = self.padding( len(str_append), lenth + len(p) + len(str_append) )
        # url = repr(padding_msg.replace(' ', ''))
        # print 'padding:%r' % (padding_msg)
        self.md5_iter(str_append + padding_msg)
        return self.hexdigest()

if __name__ == "__main__":
    m = md5()
    if 1:
        lenth = int(raw_input(u'salt的hash长度：'))
        md5 = raw_input(u'salt的hash值：')
        value = raw_input(u'附加值：')
        print u'md5(salt + padding + 附加值):' + m.extension_attack(md5, value, lenth)
        #这个是padding的值，得看情况，实在不行就手动算。salt长度 + padding = 64
        print ur'padding+附加值:' + r'%08' + r'%00' * (64 - 1 - lenth - 8) + r'%' + str(hex(lenth * 8)).replace(r'0x','') + r'%00' * 7 + value

    else:
        print m.my_md5("123456")
        src = m.pad(sys.argv[1]) + sys.argv[2]
        print 'md5 padding ->', m.my_md5(src)
还有一个python扩展hashpumpy，但是我折腾好一阵都安装不上，那个更好用，自己写也是无奈之举

根据源代码，username必须是admin，这样的话password必须是admin+padding+附加值

这样的话post上去的就是

username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00asd

在数据包里设置cookies:getmein=bf3b234ff0410ee4ec09b470e314d8c9

就成功绕过验证了

这里面直接给出的salt的MD5值其实是secret+adminadmin的MD5，所以salt的长度得是25，最后补位的时候要注意，实在不行自己手动构造padding。但是salt+padding+附加值的MD5没问题

0x03后记

中途也是踩了好多坑

首先是MD5的实现过程和漏洞原理，看了好一阵才明白，还好

之后就是脚本的实现，hashpumpy到最后都没装上，只能自己写。MD5的python实现是从网上找的，也花了不少时间改。

最后是payload的问题，忘了题目给的MD5是secret+adminadmin的md5，结果脚本跑的是secret本身，和它的不一致，有歧义。当时太晚了神志不太清醒还以为是脚本写错了，卡了好长时间，最后手动padding才知道不是自己的问题

发布于 2018-09-11

tags:

{ 加密 }

{ 哈希 }