[BSidesCF 2019] Mixer
- CBC whole-block substitution
The challenge says you must be logged in as admin, and it hints that the cookie holds something interesting.
We found a user value in the cookie.
At first we could not tell how the cookie had been encrypted.
After deleting the first two characters of the cookie, the server errored out:
Uh oh, something went wrong: data not multiple of block length
So we concluded this is CBC encryption.
The plaintext before encryption is
{"first_name":"sdsad","last_name":"asdasd","is_admin":0}
Since the cipher works on 16-byte blocks, we need to construct the plaintext so that it splits into blocks like this:
{"first_name":"A
1.00000000000000
","last_name":"x
xxx","is_admin":
0}
Requirements:
The second block must be 1.00000000000000, because that is the block we will splice in at the end.
The last block must be 0}, because it has to close the JSON: it will end up right after the inserted 1.00000000000000, so the alignment cannot be off.
So what actually gets constructed is
{"first_name":"A
1.00000000000000
","last_name":"x
xxx","is_admin":
1.00000000000000
0}
Then we log in with first_name=A1.00000000000000 and last_name=xxxx and grab the user cookie:
deda993429b496ae1b10f1b6145f9b40e15c8ab134a0f4b2cad7ec5bf8f5cc35e14765a09e74ee11fb9b62993ff49132ce89bfc14c4061821533da5b49c661db0ee57d3e817f405dbaccd07283c2ff6e
Then a simple Python script splices together the forged user value:
cookie = "deda993429b496ae1b10f1b6145f9b40e15c8ab134a0f4b2cad7ec5bf8f5cc35e14765a09e74ee11fb9b62993ff49132ce89bfc14c4061821533da5b49c661db0ee57d3e817f405dbaccd07283c2ff6e"
# Each 16-byte block is 32 hex characters. Keep blocks 1-4, then repeat block 2
# (the "1.00000000000000" block), then append block 5 ("0}" plus padding).
fake_cookie = cookie[:-32] + cookie[32:64] + cookie[-32:]
print(fake_cookie)
This gives the forged cookie:
deda993429b496ae1b10f1b6145f9b40e15c8ab134a0f4b2cad7ec5bf8f5cc35e14765a09e74ee11fb9b62993ff49132ce89bfc14c4061821533da5b49c661dbe15c8ab134a0f4b2cad7ec5bf8f5cc350ee57d3e817f405dbaccd07283c2ff6e
Swap it into the cookie and we get the flag.
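An added end-to-end model of the splice above, not the challenge's or the author's code: a toy table-based block cipher stands in for AES (an assumption, since the server key is unknown) and the helper names are mine. It checks the block layout from the write-up, applies the same cut of the hex string, and decrypts the result with independent blocks (ECB) and with CBC chaining, showing that the copied block only lands intact when blocks decrypt independently; under CBC each block is XORed with the preceding ciphertext block, so the spliced block comes out garbled, and in either mode the real fix is a MAC or AEAD over the cookie.

```python
import json
import os

BLOCK = 16
_table = {}  # toy "ideal" block cipher: a random bijection on 16-byte blocks (assumed stand-in for AES)

def _E(b):
    return _table.setdefault(b, os.urandom(BLOCK))

def _D(b):
    return {v: k for k, v in _table.items()}[b]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(d):
    return [d[i:i + BLOCK] for i in range(0, len(d), BLOCK)]

def pad(d):
    n = BLOCK - len(d) % BLOCK
    return d + bytes([n]) * n

def encrypt(pt, iv=None):
    """iv=None: ECB, every block encrypted on its own; otherwise CBC chaining."""
    out, prev = [], iv
    for p in blocks(pad(pt)):
        c = _E(p if prev is None else xor(p, prev))
        out.append(c)
        prev = None if prev is None else c
    return b"".join(out)

def decrypt(ct, iv=None):
    cs = blocks(ct)
    if iv is None:
        return b"".join(_D(c) for c in cs)
    return b"".join(xor(_D(c), p) for c, p in zip(cs, [iv] + cs))  # P_i = D(C_i) ^ C_{i-1}

def cookie_plaintext(first, last):
    return ('{"first_name":"%s","last_name":"%s","is_admin":0}' % (first, last)).encode()

def forge(cookie_hex):  # the write-up's splice: blocks 1-4, then block 2 again, then block 5
    return cookie_hex[:-32] + cookie_hex[32:64] + cookie_hex[-32:]

def demo():
    pt = cookie_plaintext("A1.00000000000000", "xxxx")
    assert blocks(pt)[1] == b"1.00000000000000" and blocks(pt)[4] == b"0}"  # layout from the write-up
    ecb = decrypt(bytes.fromhex(forge(encrypt(pt).hex())))
    iv = os.urandom(BLOCK)
    cbc = decrypt(bytes.fromhex(forge(encrypt(pt, iv).hex())), iv)
    return json.loads(ecb[:-ecb[-1]]), blocks(cbc)[4]
```

demo() returns the parsed JSON from the ECB-style splice (is_admin is 1.0, because the inserted block plus "0}" reads 1.000000000000000) and the fifth plaintext block of the CBC decryption, which is D(C2) XOR C4 rather than the intended block.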