fuzzing

发表于 | 分类于 |

爆破md5

上来两个跳转到Challenges/m4nage.php,内容是show me your key,通过POST提交任意key=xxx得到如下:

key is not right,md5(key)==="1b4167610ba3f2ac426a68488dbd89be",and the key is ichunqiu***,the * is in [a-z0-9]

很很显然是爆破md5,不过cmd5可以直接查到,这里给出爆破脚本,得出结果:ichunqiu105


import string
import hashlib

def md5(s):
  return hashlib.md5(s).hexdigest()

payloads= string.lowercase+string.digits
for i in payloads:
  for x in payloads:
    for y in payloads:
      s = '{}{}{}'.format(i,x,y)
      line = 'ichunqiu'+s
      if md5(line)=='1b4167610ba3f2ac426a68488dbd89be':
        print md5(line),line

POST提交:key=ichunqiu105,得到下一步xx00xxoo.php

解密

给出了密文:

001396sama1tu7NrlcVn4GV+/aVTQPf29KbAbgvc32M8RdhqxcjL3zB53GZ2G0z6vgeHmER260os2fz5PfX+cT5GdFcZJgM

给出了解密脚本:

<?php
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
  $ckey_length = 4;

  $key = md5($key ? $key : UC_KEY);
  $keya = md5(substr($key, 0, 16));
  $keyb = md5(substr($key, 16, 16));
  $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';

  $cryptkey = $keya . md5($keya . $keyc);
  $key_length = strlen($cryptkey);

  $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
  $string_length = strlen($string);

  $result = '';
  $box = range(0, 255);

  $rndkey = array();
  for ($i = 0; $i <= 255; $i++) {
    $rndkey[$i] = ord($cryptkey[$i % $key_length]);
  }

  for ($j = $i = 0; $i < 256; $i++) {
    $j = ($j + $box[$i] + $rndkey[$i]) % 256;
    $tmp = $box[$i];
    $box[$i] = $box[$j];
    $box[$j] = $tmp;
  }

  for ($a = $j = $i = 0; $i < $string_length; $i++) {
    $a = ($a + 1) % 256;
    $j = ($j + $box[$a]) % 256;
    $tmp = $box[$a];
    $box[$a] = $box[$j];
    $box[$j] = $tmp;
    $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
  }

  if ($operation == 'DECODE') {
    if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
      return substr($result, 26);
    } else {
      return '';
    }
  } else {
    return $keyc . str_replace('=', '', base64_encode($result));
  }

}?>

key为ichunqiu105跑一下就行了