
XOR'ing bytes and string for signing cookie

I'm trying to solve a PentesterLab exercise. In short, these are the steps I need to do:

  • Log in as "administ"
  • Decode the cookie and extract the signature
  • XOR the signature with "rator"
  • Log in using this value as the username
  • Decode the new cookie and extract the signature
  • Concatenate the signature with "administrator" to get the cookie
  • Send the cookie to the application

I'm stuck on the XOR'ing. If I XOR b"administ" with "\00\00\00\00\00\00\00\00" I get the expected result, but when XOR'ing b"strator" with the signature I get: '·gæ¿pk= \x91', which I think is incorrect. Can someone point me in the right direction?

#cookie: YWRtaW5pc3QtLcUGktACaz2R

#decoded = administ--k=

#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'

import requests
import base64

session = requests.Session()
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'
#USERNAME = 'administ'
PASSWORD = 'Password1'

def login(username):
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD
    }


    response = session.post('http://ptl-a696a9c3-4f721187.libcurl.so/login.php', data=payload)

    cookie = session.cookies.get_dict()['auth'].rstrip("\'")
    return cookie

#print(cookie)#['auth'].rstrip("\'"))

cookie = login("administ")

signature = base64.b64decode(cookie).split(b"--")[1]

def byte_xor(a,b):
    # cycles over the shorter input and joins chr() values,
    # so the result is a str, not bytes
    xored = []
    for i in range(max(len(a), len(b))):
        xored_value = a[i%len(a)] ^ b[i%len(b)]
        xored.append(chr(xored_value))
    return ''.join(xored)

username2 = byte_xor(b"rator\00\00\00", signature)

cookie2 = login(username2)

signature2 = base64.b64decode(cookie2).split(b"--")[1]

# b64encode needs bytes: prefix and signature are concatenated as bytes
print(base64.b64encode(b"administrator--" + signature2))

I also tried two other functions, without success:

def byte_xor(a,b):
    xored = []
    for i in range(max(len(a), len(b))):
        xored_value = a[i%len(a)] ^ b[i%len(b)]
        xored.append(chr(xored_value))
    return ''.join(xored)

def bxor(b1, b2): # use xor for bytes
    parts = []
    for b1, b2 in zip(b1, b2):
        parts.append(bytes([b1 ^ b2]))
    return b''.join(parts)

I got further, and everything seems to work, but the cookie is still not right:

#YWRtaW5pc3QtLcUGktACaz2R

#decoded = administ--k=

#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'

import requests
import base64
import sys

session = requests.Session()
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'
#USERNAME = 'administ'
PASSWORD = 'Password1'

def login(username):
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD
    }


    response = session.post('http://ptl-a696a9c3-4f721187.libcurl.so/login.php', data=payload)

    cookie = session.cookies.get_dict()['auth'].rstrip("\'")
    return cookie

#print(cookie)#['auth'].rstrip("\'"))

cookie = login("administ")

signature = base64.b64decode(cookie).split(b"--")[1] 

def bxor(b1, b2): # use xor for bytes
    # returns a list of ints, one per byte position of the shorter input
    result = []
    for b1, b2 in zip(b1, b2):
        result.append(b1 ^ b2)
    return result

username2 = bxor(bytearray('rator\00\00\00', encoding='utf8'), signature)
characters = [chr(n) for n in username2]   # ints -> single-character strings
#print(characters)
username3 =''.join(characters)             # joined into a str, not bytes

print(username3)

cookie2 = login(username3)
print(cookie2)

signature2 = base64.b64decode(cookie2 + "==").split(b"--")[1]


# two separate base64 encodings joined together
cookie_final = base64.b64encode(b"administrator--")+base64.b64encode(signature2)

print(cookie_final)

Oh my god, I did it!

#YWRtaW5pc3QtLcUGktACaz2R

#decoded = administ--k=

#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'

import requests
import base64
import sys

session = requests.Session()
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'
#USERNAME = 'administ'
PASSWORD = 'Password1'

def login(username):
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD
    }


    response = session.post('http://ptl-a696a9c3-4f721187.libcurl.so/login.php', data=payload)

    cookie = session.cookies.get_dict()['auth'].rstrip("\'")
    return cookie

#print(cookie)#['auth'].rstrip("\'"))

cookie = login("administ")

signature = base64.b64decode(cookie).split(b"--")[1]

def encrypt2(var, key, byteorder=sys.byteorder):
    # truncate both inputs to the same length, XOR them as integers
    # and return bytes of that length (so the result is bytes, not str)
    key, var = key[:len(var)], var[:len(key)]
    int_var = int.from_bytes(var, byteorder)
    int_key = int.from_bytes(key, byteorder)
    int_enc = int_var ^ int_key
    return int_enc.to_bytes(len(var), byteorder)

username2 = encrypt2(b"rator\00\00\00", signature)

cookie2 = login(username2).replace("%2B", "+")

signature2 = base64.b64decode(cookie2 + "==").split(b"--")[1]

print(base64.b64encode(b"administrator--"+signature2))
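As an added example (not the asker's code), here is the XOR done on bytes end to end, beside the chr()-based str variant from the question, using the cookie value the question shows. It makes visible why the str result prints as '·gæ¿pk= \x91' yet is not what a form library would send: every byte >= 0x80 becomes two bytes once the str is UTF-8 encoded. `form_encoded_length` is an assumption that models how a requests-style form encoder treats str versus bytes values; it is not a requests API.

```python
import base64

# Cookie value taken from the question; "administ--" followed by an 8-byte signature.
COOKIE = "YWRtaW5pc3QtLcUGktACaz2R"
SIGNATURE = base64.b64decode(COOKIE).split(b"--")[1]
BLOCK = b"rator\x00\x00\x00"   # "rator" padded to the signature length (8 bytes)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings and return bytes, never str."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} != {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_as_text(a: bytes, b: bytes) -> str:
    """The chr()-based approach from the question: looks right when printed,
    but the result is a str whose characters only *happen* to be < 256."""
    return "".join(chr(x ^ y) for x, y in zip(a, b))


def form_encoded_length(value) -> int:
    """Assumption: a str form value is UTF-8 encoded before sending, while a
    bytes value is sent as-is. Returns the number of bytes that would go out."""
    if isinstance(value, str):
        return len(value.encode("utf-8"))
    return len(value)


def compare() -> dict:
    """Run both variants and report what differs between them."""
    as_bytes = xor_bytes(BLOCK, SIGNATURE)
    as_text = xor_as_text(BLOCK, SIGNATURE)
    return {
        "signature_hex": SIGNATURE.hex(),
        "same_values": [ord(c) for c in as_text] == list(as_bytes),
        "bytes_sent_for_bytes": form_encoded_length(as_bytes),
        "bytes_sent_for_str": form_encoded_length(as_text),
        # XOR is its own inverse: XOR'ing with the signature again gives the block back
        "round_trip_ok": xor_bytes(as_bytes, SIGNATURE) == BLOCK,
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val}")
```

The two variants hold identical values position by position; only the bytes form keeps its 8-byte length when sent, which is why the working version of the script switched to a function that returns bytes.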
