Source code

<?php
error_reporting(0);

$key = getKey();                 // server-side secret; its value and length are unknown to the client
$username = $_POST['username'];
$data = $_POST['data'];
$sign = $_COOKIE["sign"];
if (!empty($sign)) {
    if ($username === "jwt") {
        // Unkeyed MD5 over key . username . data: a plain hash of the concatenation, not an HMAC
        if ($sign === md5($key . $username . $data)) {
            // strpos() is truthy only when 'sec' occurs at an offset greater than 0
            if (strpos($data, 'sec')) {
                $flag = file_get_contents('/flag');
                echo $flag;
            } else echo "数据似乎没有被恶意篡改,但服务器接收到的数据中不包含sec";
        } else echo "检测到当前用户的数据被恶意篡改";
    } else echo "看起来你并不是用户jwt";
} else echo "检测到sign为空, 可能需要刷新一下浏览器";
?>

Approach

For the principle behind the hash length extension attack, see:

https://www.yuque.com/shiyizhesonder/sonder39/zn5eggm5d2hr51dm

Intercept the request, change it to POST, and send the following parameters to bypass the check; other bypass methods can also be tried.

POST / HTTP/1.1
Host: ctf.seek2.top:32802
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sign=550fe9819127d62dcdef634c9a6b7453
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 145

username=jwt&data=data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%C0%00%00%00%00%00%00%00sec

The payload can be generated with the hash-ext-attack tool:

Sonder39@Sonder /d/hash-ext-attack
$ python hash_ext_attack.py
2024-03-05 23:39:19.106 | DEBUG | common.md5_manual:__init__:17 - init......
请输入已知明文:jwtdata
请输入已知hash:5a18d02b1f8da8d5f70a4cba720dfafd
请输入扩展字符: sec
请输入密钥长度:17
2024-03-05 23:40:17.805 | INFO | __main__:run:69 - 已知明文:b'jwtdata'
2024-03-05 23:40:17.810 | INFO | __main__:run:70 - 已知hash:b'5a18d02b1f8da8d5f70a4cba720dfafd'
2024-03-05 23:40:17.816 | INFO | __main__:run:72 - 新明文:b'jwtdata\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00sec'
2024-03-05 23:40:17.822 | INFO | __main__:run:73 - 新明文(url编码):jwtdata%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%C0%00%00%00%00%00%00%00sec
2024-03-05 23:40:17.828 | INFO | __main__:run:75 - 新hash: 550fe9819127d62dcdef634c9a6b7453
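To show why the check in the source above is bypassable, here is an added Python example (not code from the writeup or from the hash-ext-attack tool) that implements MD5's compression function, builds the length extension on top of it, reproduces the numbers in the tool output, and contrasts the challenge's md5(key . username . data) check with an HMAC; the key passed to forge_demo is a constructed placeholder, since the real key is unknown.

```python
import hashlib
import hmac
import math
import struct

# MD5 per-step rotate amounts and sine-derived constants (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]


def md5_compress(state, block):
    """Run the MD5 compression function on one 64-byte block from a given 4-word state."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        rot = ((f << S[i]) | (f >> (32 - S[i]))) & 0xFFFFFFFF  # left-rotate by S[i]
        a, d, c, b = d, c, b, (b + rot) & 0xFFFFFFFF
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]


def md5_padding(msg_len):
    """The bytes MD5 appends to a msg_len-byte message: 0x80, zeros, 64-bit LE bit length."""
    return b'\x80' + b'\x00' * ((55 - msg_len) % 64) + struct.pack('<Q', msg_len * 8)


def md5_length_extend(known_hash_hex, known_len, extension):
    """From md5(secret||msg) and len(secret||msg), forge md5(secret||msg||glue||extension) without secret."""
    state = list(struct.unpack('<4I', bytes.fromhex(known_hash_hex)))  # digest == internal state
    glue = md5_padding(known_len)  # the padding the server's MD5 implicitly added after msg
    tail = extension + md5_padding(known_len + len(glue) + len(extension))
    for i in range(0, len(tail), 64):
        state = md5_compress(state, tail[i:i + 64])
    return glue + extension, struct.pack('<4I', *state).hex()


def forge_demo(key):
    """Constructed scenario: knowing only md5(key||'jwt'||'data') and its length, forge data and sign."""
    known = hashlib.md5(key + b'jwtdata').hexdigest()
    suffix, forged = md5_length_extend(known, len(key) + 7, b'sec')
    data = b'data' + suffix
    accepted = forged == hashlib.md5(key + b'jwt' + data).hexdigest()  # the challenge's check
    # HMAC-MD5 is the fix: its tag is not an extendable internal state, so the forgery fails.
    hmac_accepted = hmac.compare_digest(forged, hmac.new(key, b'jwt' + data, 'md5').hexdigest())
    return accepted, hmac_accepted, data.find(b'sec') > 0
```

The third return value mirrors the strpos() condition: 'sec' lands after the glue bytes, at a non-zero offset.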