文章插图
由解密算法可知:
A=B^C
由 ^ 运算的性质我们可以知道:
A=B^C、B=A^C、C=A^B
这是最关键的一点,我们可以推导出三者做异或运算的结果是0
C=A^B
C^C=A^B^C=0
也就是说,我们修改了B的值,就一定会影响到A
B^X^C=A^X
换句话说,我们只要给B异或了X,A的值也会改变为他之前的值异或X的结果
一 道CTF的例子
NPUCTF2020_web
源码:
<?phpexp:
error_reporting(0);
include('config.php'); # $key,********$file1*********
define("METHOD", "aes-128-cbc"); //定义加密方式
define("SECRET_KEY", $key); //定义密钥
define("IV","6666666666666666"); //定义初始向量 16个6
define("BR",'<br>');
if(!isset($_GET['source']))header('location:./index.php?source=1');
#var_dump($GLOBALS); //听说你想看这个?
function aes_encrypt($iv,$data)
{
echo "--------encrypt---------".BR;
echo 'IV:'.$iv.BR;
return base64_encode(openssl_encrypt($data, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)).BR;
}
function aes_decrypt($iv,$data)
{
return openssl_decrypt(base64_decode($data),METHOD,SECRET_KEY,OPENSSL_RAW_DATA,$iv) or die('False'); #不返回密文,解密成功返回1,解密失败返回False
}
if($_GET['method']=='encrypt')
{
$iv = IV;
$data = https://www.isolves.com/it/aq/hk/2020-07-11/$file1;
echo aes_encrypt($iv,$data);
} else if($_GET['method']=="decrypt")
{
$iv = @$_POST['iv'];
$data = https://www.isolves.com/it/aq/hk/2020-07-11/@$_POST['data'];
echo aes_decrypt($iv,$data);
}
echo "我摊牌了,就是懒得写前端".BR;
if($_GET['source']==1)highlight_file(__FILE__);
?>
# coding:utf-8iv由三部分组成:
import requests
import base64
# b'\x97.\xda\xb8\xa5Pt\x95\xae\x9b\xf5\xbf\xe2\x8b.<'
CYPHERTEXT = base64.b64decode("ly7auKVQCZWum/W/4osuPA==")
# initialization vector
IV = "6666666666666666"
# PKCS7 16个字节为1组
N = 16
# intermediaryValue ^ IV = plainText
inermediaryValue = https://www.isolves.com/it/aq/hk/2020-07-11/""
plainText = ""
# 爆破时不断需要更改的iv
iv = ""
URL = "http://webdog.popscat.top/index.php?method=decrypt&source=1"
def xor(a, b):
"""
用于输出两个字符串对位异或的结果
"""
return "".join([chr(ord(a[i]) ^ ord(b[i])) for i in range(len(a))])
for step in range(1, N + 1):
padding = chr(step) * (step - 1)
print(step,end=",")
for i in range(0, 256):
print(i)
"""
待爆破位置 chr(0)*(N-step)
正在爆破位置 chr(i)
使 iv[N-step+1:] ^ inermediaryValue = https://www.isolves.com/it/aq/hk/2020-07-11/padding 的 xor(padding,inermediaryValue)
"""
iv = chr(0)*(N-step)+chr(i)+xor(padding,inermediaryValue)
data = https://www.isolves.com/it/aq/hk/2020-07-11/{
"data": "ly7auKVQCZWum/W/4osuPA==",
"iv": iv
}
r = requests.post(URL,data = https://www.isolves.com/it/aq/hk/2020-07-11/data)
if r.text !="False":
inermediaryValue = https://www.isolves.com/it/aq/hk/2020-07-11/xor(chr(i),chr(step)) + inermediaryValue
print(inermediaryValue)
break
plainText = xor(inermediaryValue,IV)
print(plainText)
得到 FlagIsHere.php,访问之:
F7LMTk/3nKSVUoSQuOS/dA==
<?php
#error_reporting(0);
include('config.php'); //**************$file2********last step!!
define("METHOD", "aes-128-cbc");
define("SECRET_KEY", "6666666");
session_start();
function get_iv(){ //生成随机初始向量IV
$random_iv='';
for($i=0;$i<16;$i++){
$random_iv.=chr(rand(1,255));
}
return $random_iv;
}
$lalala = 'piapiapiapia';
if(!isset($_SESSION['Identity'])){
$_SESSION['iv'] = get_iv();
$_SESSION['Identity'] = base64_encode(openssl_encrypt($lalala, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $_SESSION['iv']));
}
echo base64_encode($_SESSION['iv'])."<br>";
if(isset($_POST['iv'])){
$tmp_id = openssl_decrypt(base64_decode($_SESSION['Identity']), METHOD, SECRET_KEY, OPENSSL_RAW_DATA, base64_decode($_POST['iv']));
推荐阅读
- kali新手常见工具分享:OSNIT跟踪工具——Trape
- 浙江独有名茶——平水珠茶
- Linux世界——ssh登录安全简单介绍
- 关注_湖北省地理标志大会暨品牌培育创新大赛优秀奖项目——大悟绿茶
- 湖北省地理标志大会暨品牌培育创新大赛优秀奖项目——大悟绿茶
- 内网渗透测试——端口转发与内网代理渗透测试实验报告
- 特产早知道——大悟绿茶
- CSRF 十大常见web漏洞——跨站点请求伪造
- 22 「网络安全」安全设备篇——抗DDOS异常流量清洗系统
- 《挚友》语音版_柔肩扛重任巾帼显担当——扶残路上的“女中豪杰”侯银霞
