def win_money(block1, guessed_state, odds=4):
    """
    With a given block1 and internal md5 state, craft md5s hashes that will
    meet the game's requirements. Play until enough money has been won.

    md5_compress(state, block1 + attack padding + forged block2 + padding)
    """
    set_bet_all()
    set_odds(odds)

    for i in range(2**16-1):

        block2 = '_{}'.format(str(i))
        fake_pad = padding((16+len(block1))*8) # server nonce is 16 bytes

        pad = padding((16+len(block1 + fake_pad + block2))*8)
        h = _encode(md5_compress(guessed_state, block2 + pad), 16).encode('hex')

        # will I win with this hash?
        if (int(h, 16) & ((2<<(odds-1))-1)) == 0:
            print("I should win with this: {} (md5 will be: {})".format(block2, h))

            reply = play(block1 + fake_pad + block2)
            if 'Holy shit you have a lot of money.' in reply:
                return reply

            set_bet_all()

        # show some progress
        if (i % 1000) == 0:
            print("working hard...")
예제 #2
0
def main():
    # Take in URL and parse it
    apiUrl = sys.argv[1]
    parseURL = urlparse(apiUrl)

    #Split out the commands and
    splitCommands = parseURL.query[6:]
    splitCommands = splitCommands.split('&')

    #get md5 token from input
    md5Token = splitCommands[0]

    #Put commands back together with & symbol
    commands = ((map('&{0}'.format, splitCommands[1:])))
    msg = ''.join(str(p) for p in commands)
    #Subtract one from length to account for and sybol included at the beginning
    msgLen = 8 + len(msg) - 1

    #Find bits and set md5 hash state
    bits = (msgLen + len(padding(msgLen * 8))) * 8
    h = md5(state=bytes.fromhex(md5Token), count=bits)

    #Update hash to include new command
    x = "&command=UnlockSafes"
    h.update(x)
    padd = padding((msgLen) * 8)

    print(parseURL.scheme + '://' + parseURL.netloc + parseURL.path +
          parseURL.params + '?token=' + h.hexdigest() + msg + quote(padd) + x)
예제 #3
0
def win_money(block1, guessed_state, odds=4):
    """
    With a given block1 and internal md5 state, craft md5s hashes that will
    meet the game's requirements. Play until enough money has been won.

    md5_compress(state, block1 + attack padding + forged block2 + padding)
    """
    set_bet_all()
    set_odds(odds)

    for i in range(2**16 - 1):

        block2 = '_{}'.format(str(i))
        fake_pad = padding((16 + len(block1)) * 8)  # server nonce is 16 bytes

        pad = padding((16 + len(block1 + fake_pad + block2)) * 8)
        h = _encode(md5_compress(guessed_state, block2 + pad),
                    16).encode('hex')

        # will I win with this hash?
        if (int(h, 16) & ((2 << (odds - 1)) - 1)) == 0:
            print("I should win with this: {} (md5 will be: {})".format(
                block2, h))

            reply = play(block1 + fake_pad + block2)
            if 'Holy shit you have a lot of money.' in reply:
                return reply

            set_bet_all()

        # show some progress
        if (i % 1000) == 0:
            print("working hard...")
예제 #4
0
def main():
    if len(sys.argv) < 2:
        print("There were no URL's entered as a command line argument")
    else:
        for i in range(1, len(sys.argv)):
            address = sys.argv[i]
            new_address = ""
            split_address = address.split("&", 1)
            #Splits directly after the token
            get_token = split_address[0].split("=")
            #Splits directly before the token
            new_address += get_token[0] + "="
            #Gets the token
            token = get_token[1]
            #Gets the message behind the token
            message = split_address[1]
            #Calculates the length of the message to mimic
            length_of_m = PASSWORD_LENGTH + len(message)
            #Calculates the bits of message
            bits = (length_of_m + len(padding(length_of_m * 8))) * 8
            #"Preps" the md5 algorigthm
            h = md5(state=decode(token, "hex"), count=bits)
            #Hashes the message to be appended with the old message
            h.update(NEW_MESSAGE)
            #Creates the new URL with the binary padding
            new_address += h.hexdigest() + "&" + message + quote(
                padding(length_of_m * 8)) + NEW_MESSAGE
            print(new_address)
예제 #5
0
def bruteforce_block1_state(block1):
    """
    * Perform a one block md5 where we control partially what's in block1.
    * Grab 112 bits of state out of this one-block md5 from the server.
    * Perform a two-block md5 where block1 is the same as our one-block md5,
      hash-length extend it (w/ home-made padding) and reach a second block.
    * Grab 112 bits of state out of this two-block md5 from the server.

    * Locally, use md5's internal functions (md5_compress) directly to brute
      force the missing bits of the leaked state of the 1-block md5. Use the 
      bits from the two-block md5 leak to know when you guessed state1
      correctly.
    Returns the state that can be used to predict future two-block md5 hashes
    """

    # set odds to 112 to get the largest server leak
    set_odds(112)

    # small bet, lets gather intel first
    set_bet(1)

    # gather information on state1
    state1_leak = play(block1, return_leak=True)
    print("State 1 server leak: {}".format(state1_leak))

    # generate a two block md5
    block2 = str(1)
    fake_pad = padding((16 + len(block1)) * 8)  # server nonce is 16 bytes
    combined = block1 + fake_pad + block2

    # play with our two-block md5, grab leaked information of resulting hash
    target_hash = play(combined, return_leak=True)
    print("Target hash server leak: {}".format(target_hash))

    # to validate that we guessed state1 correctly, lets try to predict the
    # result of a 2-block hash where state1 is fixed by us. Compare that with
    # target_hash from the server and if we have a match we know that we guessed
    # state1 correctly.
    found = False
    guessed_state = ""
    pad = padding((16 + len(combined)) * 8)
    for i in range(2**16 - 1):
        attempt = "{:04x}{}".format(i, state1_leak)

        guessed_state = _decode(unhexlify(attempt), 16)
        h = _encode(md5_compress(guessed_state, block2 + pad),
                    16).encode('hex')

        # have I guessed state1 right?
        if (target_hash in h):
            print("Hash found: {} / mid-state guessed: {}".format(h, attempt))
            found = True
            break

    if not found:
        print("Couldn't find the state. I won't be able to cheat. Goodbye")
        sys.exit(1)

    return guessed_state
def bruteforce_block1_state(block1):
    """
    * Perform a one block md5 where we control partially what's in block1.
    * Grab 112 bits of state out of this one-block md5 from the server.
    * Perform a two-block md5 where block1 is the same as our one-block md5,
      hash-length extend it (w/ home-made padding) and reach a second block.
    * Grab 112 bits of state out of this two-block md5 from the server.

    * Locally, use md5's internal functions (md5_compress) directly to brute
      force the missing bits of the leaked state of the 1-block md5. Use the 
      bits from the two-block md5 leak to know when you guessed state1
      correctly.
    Returns the state that can be used to predict future two-block md5 hashes
    """

    # set odds to 112 to get the largest server leak
    set_odds(112)

    # small bet, lets gather intel first
    set_bet(1)

    # gather information on state1
    state1_leak = play(block1, return_leak=True)
    print("State 1 server leak: {}".format(state1_leak))

    # generate a two block md5
    block2 = str(1)
    fake_pad = padding((16+len(block1))*8) # server nonce is 16 bytes
    combined = block1 + fake_pad + block2

    # play with our two-block md5, grab leaked information of resulting hash
    target_hash = play(combined, return_leak=True)
    print("Target hash server leak: {}".format(target_hash))

    # to validate that we guessed state1 correctly, lets try to predict the
    # result of a 2-block hash where state1 is fixed by us. Compare that with
    # target_hash from the server and if we have a match we know that we guessed
    # state1 correctly.
    found = False
    guessed_state = ""
    pad = padding((16+len(combined))*8)
    for i in range(2**16-1):
        attempt = "{:04x}{}".format(i, state1_leak)

        guessed_state = _decode(unhexlify(attempt), 16)
        h = _encode(md5_compress(guessed_state, block2 + pad), 16).encode('hex')

        # have I guessed state1 right?
        if (target_hash in h):
            print("Hash found: {} / mid-state guessed: {}".format(h, attempt))
            found = True
            break

    if not found:
        print("Couldn't find the state. I won't be able to cheat. Goodbye")
        sys.exit(1)

    return guessed_state
예제 #7
0
def verify(key='key', data='data', append='append'):
    init = key + data
    originalHash = md5(init).hexdigest()
    pad = padding(len(key + data) * 8)
    padded = key + data + pad
    appended = padded + append
    appendedHash = md5(appended).hexdigest()

    passLen = len(key)
    passCmdLen = passLen + len(data)
    paddingLen = len(padding(passCmdLen * 8))
    bits = (passCmdLen + paddingLen) * 8
    newToken = GenerateToken(originalHash, append, bits)
    print '\nH(key||data): \n', originalHash
    print 'H(key||data||pad||append): \n', appendedHash
    print 'LEA Generated Hash: \n', newToken
예제 #8
0
def problem1():
    flag = ""
    #your code here
    admin_str = b'&role=admin'
    url_orig = make_query('one', 'hunterythompson', '')

    url_split0 = url_orig.split(b'&')
    url_split1 = url_split0[0].split(b'=')  #splits string to get md5
    md5dig = url_split1[1]

    str0 = url_split0[1] + b'&' + url_split0[
        2]  #creates string of uname & role

    md5dig = bytes.fromhex(
        md5dig.decode('utf8'))  #convert to bytes to make state
    h = md5(state=md5dig, count=512)  #set state of md5 for future
    md5dig_admin = h.update(admin_str)  #make new md5 hash
    n_hash = h.hexdigest()

    n_hashbytes = bytes(h.hexdigest(), 'utf-8')

    for s in range(1, 65):
        padding0 = padding((len(str0) + s) * 8)  #make padding for string
        url_new = url_split1[
            0] + b'=' + n_hashbytes + b'&' + str0 + padding0 + admin_str  #build new url

        if (str(make_query('one', 'hunterythompson', url_new),
                'utf-8') == 'Incorrect hash'):
            continue
        else:
            return make_query('one', 'hunterythompson', url_new)
    return
예제 #9
0
def compute_new_hash(token, user_param):
    cnt = (8 + len(user_param) + len(padding((len(user_param) + 8) * 8))) * 8

    new_hash = md5(state=token.decode("hex"), count=cnt)

    append_Str = "&command3=UnlockAllSafes"
    new_hash.update(append_Str)
    return new_hash.hexdigest()
예제 #10
0
파일: md5Ex.py 프로젝트: giSe98/ToolTesi
    def extend(self):
        msg_len = len(self.data) + self.secret_len
        pad = padding(msg_len * 8)

        bits_msg = (msg_len + len(pad)) * 8

        self.hashB = md5(state=self.signature.decode("hex"), count=bits_msg)
        self.hashB.update(self.append)
        return self.getNewData()
예제 #11
0
def build_new_url(new_token, user_param, path):
    new_query = "token=" + new_token

    new_query = new_query + "&" + user_param
    pad = padding((8 + len(user_param)) * 8)
    new_query = new_query + quote(pad)
    new_query = new_query + "&command3=UnlockAllSafes"

    new_url = path + "?" + new_query
    return new_url
예제 #12
0
def problem1():
    flag = ""

    #Msg I want to inject
    admin = b"&role=admin"

    #Original Message
    msg = make_query("one", "amiller68", "")
    s1 = msg
    msg = msg.decode('utf-8').split('&', 1)[1]
    msg = msg.encode()

    #State I want to build off of
    s1 = s1.decode('utf-8')
    s1 = s1[s1.find("=") + 1:s1.find("&")]
    s1 = s1.encode()

    #Length of the Msg
    msg_len = len(msg) * 8

    #Don't know the Key Len; brute force different Lens
    #0 - 192 chars
    for x in range(0, 192):
        #Num Chars * 8 is bit len
        key_len = x * 8

        #Req Padding for key + msg
        req_pad = padding(msg_len + key_len)
        #len of the pad
        req_pad_len = len(req_pad) * 8

        #Block Count Given Keylen, msg_len, and pad len
        N = (key_len + msg_len + req_pad_len)

        #Create md5 hash of state s1 and operating on block len N
        h = md5(state=s1, count=N)

        #Update state with desired message
        h.update(admin)

        #Extract the Token
        token = h.hexdigest()

        #Make the completet Query
        url = (b'http://www.flickur.com/?api_tag=' + token.encode('utf-8') +
               b'&' + msg + req_pad + admin)
        print(url)

        #Make the Query
        #Use Byte encodings
        ret = make_query("one", "amiller68", url)
        if (ret != b'Incorrect hash'):
            return ret

    return flag
예제 #13
0
def len_ext_attack(url, command_to_add, user_password_length):
    """
        :rtype : void
    """

    # Parse the URL and get the current session token
    parsedUrl = urlparse.urlparse(url)
    parameters_list = urlparse.parse_qsl(parsedUrl.query)
    parameters = dict(parameters_list)

    # HERE
    # did not have the -1 before
    command_to_add = "&command" + str(len(parameters) - 1) + "=" + command_to_add

    if "token" not in parameters:
        # if there isn't a token in the parameters quit the program
        print "There is no token in the url parameters"
        assert False

    # remove the session token from the current parameters
    session_token = parameters["token"]
    del parameters["token"]

    length_of_message_with_password = len(urllib.urlencode(parameters)) + user_password_length
    bits = (length_of_message_with_password + len(padding(length_of_message_with_password * 8))) * 8

    h = md5(state=session_token.decode("hex"), count=bits)
    h.update(command_to_add)

    # build the query
    query = "token=" + h.hexdigest()

    for i in range(1, len(parameters_list)):
        query += "&" + parameters_list[i][0] + "=" + parameters_list[i][1]

    query += urllib.quote(padding(length_of_message_with_password * 8))
    query += command_to_add

    conn = httplib.HTTPConnection(parsedUrl.hostname, parsedUrl.port)
    conn.request("GET", parsedUrl.path + "?" + query)
    print conn.getresponse().read()
예제 #14
0
def decipher(query,command,outfile ):
	with open(query) as query:
		query=query.read().strip()
	with open(command) as command:
		command=command.read().strip()
	token=(query.split("&")[0]).split("=")[1]
	user="******"+(query.split("&")[1]).split("=")[1]
	token=md5(state=token.decode('hex'),count=512)
	token.update(command)
	print token.hexdigest()
	string="token="+token.hexdigest()+"&"+user+urllib.quote(padding(len(user)*8))+command
	with open(outfile,"w") as outfile:
		outfile.write(string)
예제 #15
0
def attack(query, cmd):
    end_token = query.find('&')
    token = query[:end_token].split('=')[1]
    params = query[end_token+1:]

    pad_bytes = padding((8 + len(params)) * 8)

    kms = md5(state=token.decode('hex'), count=512) # set start state to end of user string
    kms.update(cmd)
    hashed = kms.hexdigest()
    print(hashed)

    return "token=" + hashed + "&" + params + quote(pad_bytes) + cmd
예제 #16
0
def extend_query(query, command):
    divider_pos = query.find('&')
    token_query = query[:divider_pos]
    message_query = query[divider_pos + 1:]
    token = token_query.split('=')[1]
    data_length = PASSWORD_LENGTH + len(message_query)
    padding_text = padding(data_length * 8)

    md_hash = md5(state=token.decode('hex'), count=512)
    md_hash.update(command)
    new_token = md_hash.hexdigest()

    new_query = ''.join([message_query, quote(padding_text), command])
    return (new_token, new_query)
예제 #17
0
def extend_query(query, command):
    divider_pos = query.find('&')
    token_query = query[:divider_pos]
    message_query = query[divider_pos + 1:]
    token = token_query.split('=')[1]
    data_length = PASSWORD_LENGTH + len(message_query)
    padding_text = padding(data_length * 8)

    md_hash = md5(state=token.decode('hex'), count=512)
    md_hash.update(command)
    new_token = md_hash.hexdigest()

    new_query = ''.join([message_query, quote(padding_text), command])
    return (new_token, new_query)
예제 #18
0
def main():
    if len(sys.argv) != 4:
        print 'Wrong usage.'
        sys.exit(1)

    with open(sys.argv[1]) as file:
        query = file.read().strip()
    with open(sys.argv[2]) as file:
        cmd3 = file.read().strip()

    query = query.split("=", 1)[1]
    [token, msg] = query.split("&", 1)

    bits = (8 + len(msg) + len(padding(8 * 8 + len(msg) * 8))) * 8
    h = md5(state=token.decode('hex'), count=bits)
    h.update(cmd3)
    token = h.hexdigest()

    # token = md5(msg + urllib.quote(padding(len(msg)*8)) + cmd3).hexdigest()
    output = 'token=' + token + '&' + msg + urllib.quote(
        padding(8 * 8 + len(msg) * 8)) + cmd3

    with open(sys.argv[3], 'w') as file:
        file.write(output)
예제 #19
0
def extend_query(query, command):
    divider_pos = query.find("&")
    token_query = query[:divider_pos]
    message_query = query[divider_pos + 1 :]
    token = token_query.split("=")[1]

    data_length = PASSWORD_LENGTH + len(message_query)
    padding_text = padding(data_length * 8)

    md_hash = md5(state=token.decode("hex"), count=512)
    md_hash.update(command)
    new_token = md_hash.hexdigest()

    new_query = "".join(["token=", new_token, "&", message_query, quote(padding_text), command])
    return new_query
예제 #20
0
def attack(query, cmd):
    idx = query.find('&')
    tmp = query[:idx]
    token = tmp.split('=')[1]
    #print token
    cmds = query[idx + 1:]

    pad = padding((8 + len(cmds)) * 8)
    #print quote(pad)

    before = md5(state=token.decode('hex'), count=512)
    before.update(cmd)
    after = before.hexdigest()
    #print after

    return "token=" + after + "&" + cmds + quote(pad) + cmd
예제 #21
0
def main():

    keylen = 8
    pad = pymd5.padding((keylen + msglen) * 8)
    padlen = len(pad)

    #"Intruder message"
    new_message = query + pad + comm3

    cnt = (keylen + msglen + padlen) * 8
    h = pymd5.md5(state=token.decode("hex"), count=cnt)
    h.update(comm3)
    intruder_token = h.hexdigest()

    # "Intruder Message and Token"
    intra_msg = (new_message, intruder_token)
    print(intra_msg)
    fo = open("Solution33.txt", "w")
    fo.write(new_message)
    server_verify(intra_msg)
예제 #22
0
def main():
    query = open(sys.argv[1], "r")
    command = open(sys.argv[2], "r")
    output = open(sys.argv[3], "w")

    x = query.readlines()
    token = x[0].split('&')[0].split("=")[1]
    user = x[0].split('&')[1] + '&' + x[0].split('&')[2] + '&' + x[0].split(
        '&')[3]

    #user.append()
    #print(user)
    command3 = command.readlines()[0]

    new_token = md5(state=token.decode("hex"), count=512)
    new_token.update(command3)

    pad = quote(padding(len(user) * 8 + 8 * 8))
    command = "token=" + new_token.hexdigest() + '&' + user + pad + command3
    output.write(command)
예제 #23
0
def problem1(cnetid):
    url = b'http://www.flickur.com/?api_tag='
    resp = make_query('one', cnetid, '')
    tag = re.findall(b'api_tag=(\w+)&uname', resp)[0]
    param = b'&uname=' + cnetid.encode('utf-8') + b'&role=user'
    start = len(param) * 8
    stop = (64 + 1024) * 8 + 1  # max len of secret||param
    for i in range(start, stop, 8):
        pad = padding(i)
        padded_param = param + pad
        # round to the next multiple of 512 since secret||padded_param is a mult of 512
        counter = math.ceil(len(padded_param) * 8 / 512) * 512
        # start at secret||padded_param
        h = md5(state=bytes.fromhex(tag.decode('utf-8')), count=counter)
        h.update('&role=admin')
        forged_tag = h.hexdigest()
        padded_param += b'&role=admin'
        attack = url + forged_tag.encode('utf-8') + padded_param
        res = make_query('one', cnetid, attack)
        if b'flag' in res:
            return res
예제 #24
0
# split the url into hostname and rest of the arguements
# 'http://eecs388.org/project1/api'
hostname = url.split('?')[0]
# print hostname

# # ['token=b301afea7dd96db3066e631741446ca1', '&user=admin&command1=ListFiles&command2=NoOp']
arguments = url.split('?')[1].split('&', 1)
# print arguments

# splits hashed value from 'token=b301afea7dd96db3066e631741446ca1'
token = arguments[0].split('=')[1]

# since the user uses 8-character password 
# add 8 to the length of the url query
len_of_m = 8 + len(arguments[1])
bits = (len_of_m + len(padding(len_of_m*8)))*8

h = md5( state=token.decode("hex"), count=bits )
# suffix is the new command that's going to be appended in the original url query
suffix = '&command3=DeleteAllFiles'
h.update(suffix);
new_token = h.hexdigest()

new_url = hostname + '?token=' + new_token + '&' + arguments[1] + urllib.quote(padding(len_of_m*8)) + suffix
# print new_url

# the new url = 
# http://eecs388.org/project1/api?token=d127a022396f60239b3d08ecc0c4e3f4
# &user=admin&command1=ListFiles&command2=NoOp%80%00%00%00%00%98%01%00%00%00%00%00%00&command3=DeleteAllFiles

# parse url 
예제 #25
0
APPEND = "&command3=DeleteAllFiles"
PWDLEN = 8 

#define command line arguments
url = sys.argv[1]
# message = "user=admin&command1=ListFiles&command2=NoOp"
append = "&command3=DeleteAllFiles"

parsedUrl = urlparse.urlparse(url)
query = parsedUrl.query

#parse query for arguments
queryDictionary = urlparse.parse_qs(query)
oldToken = queryDictionary["token"][0]
message = "user="******"user"][0] + "&command1=" + queryDictionary["command1"][0] + "&command2=" + queryDictionary["command2"][0] 

#calculate new token
h = md5(state=oldToken.decode("hex"), count=512) 
h.update(APPEND)
newToken = h.hexdigest()

#form new query string
newQuery = "token=" + newToken + '&' + message + urllib.quote(padding((len(message)+PWDLEN)*8)) + APPEND

#make request to server
conn = httplib.HTTPConnection(parsedUrl.hostname)
conn.request("GET", parsedUrl.path + "?" + newQuery)
print conn.getresponse().read()


예제 #26
0
from pymd5 import md5, padding
import httplib, urlparse, sys, urllib

m = "Use HMAC, not hashes"
h = md5()
h.update(m)
print h.hexdigest()
print len(m)
print len(padding(len(m)*8))
h = md5(state="3ecc68efa1871751ea9b0b1a5b25004d".decode("hex"), count=512)
x = "Good advice"
h.update(x)
print h.hexdigest()

h = md5()
h.update(m + padding(len(m)*8) + x)
print h.hexdigest()
if test:
    dprint("TESTING!!!!!!!!!!!!!!!")
    dprint(f'{test_password=}')

with open(query_file) as query_file, open(
        command3_file) as command3_file, open(output_file, 'w') as output_file:
    query_file = query_file.read().strip()
    command3_file = command3_file.read().strip()
    dprint(f'{query_file=}')
    dprint(f'{command3_file=}')

    old_hash = query_file.split('&')[0].split('=')[1]
    old_2nd_half = query_file[len(query_file.split('&')[0]) + 1:]
    old_count = (8 + len(old_2nd_half)) * 8
    old_padding = pymd5.padding(old_count)
    if test:
        md5test = pymd5.md5()
        md5test.update(test_password + old_2nd_half)
        old_hash = md5test.hexdigest()
        true_padding = pymd5.padding(len(test_password + old_2nd_half) * 8)
        dprint(f'{true_padding=}')
    dprint(f'{old_hash=}')
    dprint(f'{old_2nd_half=}')
    dprint(f'{old_count=}')
    dprint(f'{old_padding=}')

    md5 = pymd5.md5(state=old_hash, count=old_count + len(old_padding) * 8)
    md5.update(command3_file)
    new_hash = md5.hexdigest()
    dprint(f'{new_hash=}')
예제 #28
0
        self.prefix = url[:url.find('=') + 1]
        self.token = url[url.find('=') + 1:url.find('&')]
        # suffix starts at the first "command=" and goes to the end of the URL
        self.suffix = url[url.find('&') + 1:]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} URL_TO_EXTEND [COMMAND_TO_ADD]",
              file=sys.stderr)
        sys.exit(-1)

    url = ParsedURL(sys.argv[1])

    # get length of original message
    length = len(url.suffix) + 8
    bits = (length + len(padding(length * 8))) * 8

    # add new command
    h = md5(state=bytes.fromhex(url.token), count=bits)
    x = "&command=UnlockSafes"
    h.update(x)

    # calculate new token and suffix (with padding in the middle)
    token = h.hexdigest()
    suffix = url.suffix + quote(padding(length * 8)) + x

    # new url in format
    modified_url = "https://project1.eecs388.org/liuspenc/lengthextension/api?token=" + token + "&" + suffix
    print(modified_url)
예제 #29
0
파일: padd_me.py 프로젝트: rvadhavk/eecs388
#!/usr/bin/python2

from pymd5 import md5,padding
from sys import argv

for a in argv[1:]:
	f = open(a)
	data = f.read()
	f.close()
	f = open(a+".padded",'w')
	f.write(data);
	f.write(padding(len(data)*8))
	
예제 #30
0
from urlparse import urlparse, parse_qs
from urllib import quote
import httplib, sys

ATTACK = "&command3=DeleteAllFiles"

url = sys.argv[1]

parsed_url = urlparse(url)
params = parse_qs(parsed_url.query)

token = params.get("token")[0]
usr_part = parsed_url.query[39:]

m_len = 8 + len(usr_part)
padded_len = (m_len + len(padding(m_len * 8))) * 8

digest = md5(state=(token.decode("hex")), count=padded_len)
digest.update(ATTACK)

new_token = digest.hexdigest()

# add the padding needed for this url for new token
new_query = "token=" + new_token + "&" + usr_part + quote(padding(m_len * 8)) + ATTACK

connection = httplib.HTTPConnection(parsed_url.hostname)
my_request = parsed_url.path + "?" + new_query
connection.request("GET", my_request)
print connection.getresponse().read()

예제 #31
0
# message = "user=admin&command1=ListFiles&command2=NoOp"
append = "&command3=DeleteAllFiles"

parsedUrl = urlparse.urlparse(url)
query = parsedUrl.query

# parse query for arguments
queryDictionary = urlparse.parse_qs(query)
oldToken = queryDictionary["token"][0]
message = (
    "user="******"user"][0]
    + "&command1="
    + queryDictionary["command1"][0]
    + "&command2="
    + queryDictionary["command2"][0]
)

# calculate new token
h = md5(state=oldToken.decode("hex"), count=512)
h.update(APPEND)
newToken = h.hexdigest()

# form new query string
newQuery = "token=" + newToken + "&" + message + urllib.quote(padding((len(message) + PWDLEN) * 8)) + APPEND

# make request to server
conn = httplib.HTTPConnection(parsedUrl.hostname)
conn.request("GET", parsedUrl.path + "?" + newQuery)
print conn.getresponse().read()
from pymd5 import md5, padding
from codecs import decode
from urllib import parse
import requests
import sys

url = sys.argv[1]
actionNumber = str(url.count("&action") + 1)
originalParams = "user="******"&user="******"&user="******"token=")
startOfURL = splitedURL[0] + "token="
token = splitedURL[1]

msglen = len(originalParams) + 8
bits = (msglen + len(padding(msglen * 8))) * 8
md5Hash = md5(state=decode(token, "hex"), count=bits)
attack = "&action" + str(actionNumber) + "=unlock-all-safes"
md5Hash.update(attack)
newToken = md5Hash.hexdigest()
hashPadding = parse.quote(padding(msglen * 8))

newURL = startOfURL + newToken + "&" + originalParams + hashPadding + attack

req = requests.get(url=newURL)
print(req.text)
예제 #33
0
import httplib, urlparse, sys, pymd5, urllib
url = sys.argv[1]
parsedUrl = urlparse.urlparse(url)
queryDict = urlparse.parse_qs(parsedUrl.query)
state = queryDict['token'][0]

#State

tokenKey = "token="
length_of_m = 8 + (len(parsedUrl.query) - len(tokenKey + "&") - len(state)
                   )  # length of value orignally passed into md5
#print length_of_m
padding = pymd5.padding(length_of_m * 8)
count = (length_of_m + len(padding)) * 8

#Count

h = pymd5.md5(state=state.decode("hex"), count=512)
newCommand = "&command3=UnlockAllSafes"
h.update(newCommand)  # updates token to include command3
newToken = h.hexdigest()  # replaces token value in list with new value

#newToken

newQuery = tokenKey + newToken + parsedUrl.query[
    (len(tokenKey) + len(state)):] + urllib.quote(padding) + newCommand

#newQuery

conn = httplib.HTTPConnection(parsedUrl.hostname)
conn.request("GET", parsedUrl.path + "?" + newQuery)
예제 #34
0
import httplib, urlparse, sys, urllib
url = sys.argv[1]

from pymd5 import md5, padding

# split around equal and ampersand to get token
token = url.split('=')[1].split('&')[0]

# split ampersand and generate message
params = url.split('&')

# generate original message
message = params[1] + "&" + params[2] + "&" + params[3]

m_len = 8 + len(message)
bits = (m_len + len(padding(m_len * 8))) * 8

h = md5(state=token.decode("hex"), count=bits)
killamessage = "&command3=DeleteAllFiles"
h.update(killamessage)
killatoken = h.hexdigest()

killaurl = url.split('=')[0] + "=" + killatoken + "&" + message + urllib.quote(
    padding(m_len * 8)) + killamessage
print killaurl
parsedUrl = urlparse.urlparse(killaurl)
conn = httplib.HTTPConnection(parsedUrl.hostname)
conn.request("GET", parsedUrl.path + "?" + parsedUrl.query)

print conn.getresponse().read()
예제 #35
0
import sys
from pymd5 import md5, padding
from urllib import quote
import re

query_file = sys.argv[1] 
command3_file = sys.argv[2] 
output_file = sys.argv[3]

with open(query_file) as f:
	query = f.read().strip()

with open(command3_file) as f:
	command3 = f.read().strip()

m = re.search(r'user=.*', query).group() # match user=...&commands
length_of_m = 8 + len(m) # 8 is password length
bits = (length_of_m + len(padding(length_of_m * 8))) * 8
token = re.search(r'(?<=token=)[0-9a-fA-F]+(?<!&)', query).group() # match the token

h = md5(state = token.decode('hex'), count = bits)
h.update(command3)
new_token = h.hexdigest()

with open(output_file, 'w') as f:
	f.write("token=" + new_token + "&" + m + quote(padding(length_of_m * 8)) + command3)
command = "DeleteAllFiles"

parsed_url = urlparse.urlparse(url)
url_parts = {
    key: value
    for (key,
         value) in [pair.split('=') for pair in parsed_url.query.split('&')]
}
next_cmd = max(
    [int(key[-1]) for key in url_parts.keys() if key[:-1] == 'command']) + 1
# note: +2 is for & preceding key and = between key=val, and -1 is for & missing from first key ("user")
m = sum(
    [len(k) + len(url_parts[k]) + 2
     for k in url_parts.keys() if k != 'token']) - 1 + 8
cmd3 = "&command" + str(next_cmd) + "=" + command
paddedCmd3 = urllib.quote(padding(m * 8)) + cmd3

#update the token using the md5 module
h = md5(state=url_parts["token"].decode("hex"), count=512)
h.update(cmd3)
new_token = h.hexdigest()

#make a new url from the new token with the new command
url = str.replace(url, url_parts["token"], new_token) + paddedCmd3

#code given to connect to server and send requests
parsedUrl = urlparse.urlparse(url)
conn = httplib.HTTPConnection(parsedUrl.hostname, parsedUrl.port)
conn.request("GET", parsedUrl.path + "?" + parsedUrl.query)
print conn.getresponse().read()
tokenbak = token
query = "token=" + token + "&" + query

''' Read the new command '''
fi = open("3.3_command3.txt")
comm3 = fi.readline().strip()
fi.close()

''' Extract token (hash) and message from the query '''
token = query[query.index("=")+1:query.index("&")]
msg = query[query.index("&")+1:]

''' Compute the padding of current message '''
msglen = len(msg)
for keylen in range(0, 10):
    pad = pymd5.padding((keylen+msglen)*8)
    padhex = pad.encode("hex")

    ''' Setup the md5 hash function '''
    padlen = len(pad)
    cnt = (keylen + msglen + padlen) * 8
    h = pymd5.md5(state=token.decode("hex"), count=cnt)
    h.update(comm3)

    ''' Get the new token and create new query '''
    newtoken = h.hexdigest()
    newquery = query.replace(token, newtoken)
    newquery += pad
    newquery += comm3

    ''' Verify '''
예제 #38
0
url = sys.argv[1]
parsedUrl = urlparse.urlparse(url)
urlprefix = parsedUrl.scheme + "://" + parsedUrl.netloc + parsedUrl.path + '?'

string = parsedUrl.query

assert string[0:6] == "token="

for i in range(0, len(string)):
    if string[i] == '&':
        token = string[6:i]
        message = string[i + 1:]
        break

secret = "password"
attack = "&command3=UnlockAllSafes"  # attack command

pad = pymd5.padding(len(secret + message) * 8)

h = pymd5.md5(attack, state=token.decode("hex"), count=512)
token_attack = h.hexdigest()

urlprefix = urlprefix + "token="
message = message + urllib.quote(pad) + attack  # QUOTE is super important!
url = urlprefix + token_attack + "&" + message

parsedUrl = urlparse.urlparse(url)
conn = httplib.HTTPSConnection(parsedUrl.hostname, parsedUrl.port)
conn.request("GET", parsedUrl.path + "?" + parsedUrl.query)
print conn.getresponse().read()
예제 #39
0
len_og_msg = 0
count_of_extra = 0
query.pop(0)
for n in query:
    len_og_msg += len(n)
    count_of_extra += 1
len_og_msg += 8 + count_of_extra - 1

#Concatenate all queries for single command
command = ""
for n in query:
    command += n + "&"
command = command[:-1]
print(command)

pad = quote(padding(len_og_msg * 8))

#Calculate hash with count bits of new message
bits = (len_og_msg + len(padding(len_og_msg * 8))) * 8
h = md5(state=bytes.fromhex(token[1]), count=bits)
h.update(hack_msg)

#Re-Combine URL
newUrl = '{scheme}://{netloc}{path}?token={token}&{command}{pad}{suffix}'.format(
    scheme=parsed.scheme,
    netloc=parsed.netloc,
    path=parsed.path,
    token=h.hexdigest(),
    command=command,
    pad=pad,
    suffix=hack_msg)
예제 #40
0
import sys
from urllib import quote 
with open(sys.argv[1]) as query_file:
	query_text = query_file.read().strip()


with open(sys.argv[2]) as command3_file:
	command3 = command3_file.read().strip()
print command3
h_known = query_text[6:6+32]
print h_known
rest = query_text[6+32+1:] 
print rest
len_text = 8 + len(rest)

padding_text = padding(len_text*8)
print padding_text
bits = (len_text + len(padding_text))*8 #bit lenth of padded text
h_ext = md5(state = h_known.decode("hex"), count = bits)

h_ext.update(command3)
print h_ext.hexdigest()

new_query = query_text[0:6] + h_ext.hexdigest() + query_text[6+32:] + quote(padding_text) + command3
print new_query

with open(sys.argv[3], "w+") as output:
	output.write(new_query)


예제 #41
0
from pymd5 import md5, padding
import urllib
#token=94d5acaecc0d6d45f6bdabe2948722d2&user=admin&command1=ListFiles&command2=NoOp
m = "&command3=DeleteAllFiles"
x = md5()
h = md5(state="94d5acaecc0d6d45f6bdabe2948722d2".decode("hex"), count=512)
h.update(m)
h = h.hexdigest()
url = "token=" + h + "&user=admin&command1=ListFiles&command2=NoOp" + urllib.quote(
    padding(52 * 8)) + m
f = open("./sol_2.1.2.txt", "wb")
f.write(url)
예제 #42
0
from pymd5 import md5, padding
import httplib, urlparse, sys, urllib
password_length = 8
appended_command = "&command3=DeleteAllFiles"

url = sys.argv[1]
# Get user & token
querystring = url[url.find('?') + 1:]
original_token = urlparse.parse_qs(querystring)['token'][0]
original_message = url[url.find('user='******'?')[0] + '?'
url += 'token=' + new_token + '&'
url += original_message + appended_string

# Your code to modify url goes here
parsedUrl = urlparse.urlparse(url)
conn = httplib.HTTPConnection(parsedUrl.hostname)
conn.request("GET", parsedUrl.path + "?" + parsedUrl.query)