Principle:
http://www.freebuf.com/articles/web/111927.html
https://blog.csdn.net/blues1021/article/details/45165777
Web traffic frequently carries values such as cookies, and the deflate compression algorithm is often applied to them. When we control part of the input and can observe the output, we can brute-force the unknown data one byte at a time and watch whether the output length changes: the compressed output only gets shorter when our guessed byte extends a match against the secret. If the length shrinks during an attempt, that byte has been recovered and we move on to the next position, eventually recovering the information we want.
Challenge link:
https://github.com/sonickun/ctf-crypto-writeups/blob/master/2016/hack.lu-ctf/cornelius1/server.rb
Challenge analysis:
require 'json'
require 'zlib'
require 'base64'

# Excerpt from server.rb; encrypt() is defined elsewhere in the server
def get_auth(user)
  # attacker-controlled user value and the secret flag land in one document...
  data = [user, "flag:" + File.read("flag.key").strip]
  json = JSON.dump(data)
  zip = Zlib.deflate(json)   # ...which is compressed as a single deflate stream
  return Base64.strict_encode64(encrypt(zip))
end
The data is deflate-compressed, and the second element of data is the secret, prefixed with flag:
So if our user value also starts with flag:, the two strings share a prefix and compress together; we can then brute-force from the next position on, and whichever candidate produces a shorter output is the correct byte.
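The compression side channel described above, as an added example that is not part of the original post or of the challenge's server code. It simulates the oracle locally with Python's zlib: a constructed secret (flag:crime_0ral, not the real flag) is JSON-encoded next to the attacker-controlled user value exactly as get_auth does, and the compressed length stands in for the cookie length, since a length-preserving cipher and base64 do not hide it. Beyond the page's single-baseline solver it handles one edge case: when the guessed byte only lengthens a DEFLATE match across a length-code boundary, the saving is 7 bits rather than 8 and can vanish in byte rounding, so the recovery retries with fillers that shift the bit alignment (the "two tries" idea). The hardened_auth_len function is the fix a defender wants to see: the user value and the secret are compressed in separate streams, after which the same recovery loop finds nothing. All names (vulnerable_auth_len, hardened_auth_len, FILLERS, GUESS_ALPHABET, guess_next_byte, recover_secret) are assumptions of this example.

```python
import json
import string
import zlib

# Constructed secret for this simulation; not the challenge's real flag.
SECRET = "flag:crime_0ral"

# Same idea as the suffix in the page's solver: an unlikely filler stops a
# lucky partial match from running past the guessed byte. The second and
# third fillers each add one short LZ77 match (36 and 53 bits), shifting the
# bit alignment so a 7-bit saving cannot hide in byte rounding.
FILLERS = ("BCDEFGHIJKL", "BCDEFGHIJKLMNOMNO", "BCDEFGHIJKLMNOPQMNO")

# Candidate bytes; '"' and '\\' are left out because JSON would escape them.
GUESS_ALPHABET = string.ascii_letters + string.digits + "_-{}"


def vulnerable_auth_len(user, secret=SECRET):
    """Mirror of the challenge's get_auth(): attacker input and secret are
    JSON-encoded into one document and DEFLATE-compressed together, so the
    compressed size is the oracle (cipher and base64 only rescale it)."""
    doc = json.dumps([user, secret])
    return len(zlib.compress(doc.encode()))


def hardened_auth_len(user, secret=SECRET):
    """Fix: never place attacker-controlled bytes and the secret in the same
    compression context. Compressing them separately removes the leak."""
    return (len(zlib.compress(json.dumps([user]).encode()))
            + len(zlib.compress(secret.encode())))


def guess_next_byte(oracle, known):
    """Return the one byte whose guess compresses strictly shorter than every
    other candidate, retrying with each filler; None if no unique winner."""
    for filler in FILLERS:
        sizes = {c: oracle(known + c + filler) for c in GUESS_ALPHABET}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) == 1:
            return winners[0]
    return None


def recover_secret(oracle, known="flag:", max_len=64):
    """Byte-at-a-time recovery: extend the known prefix while the oracle
    keeps singling out one byte; stop as soon as no byte stands out."""
    while len(known) < max_len:
        c = guess_next_byte(oracle, known)
        if c is None:
            break
        known += c
    return known


if __name__ == "__main__":
    print("vulnerable:", recover_secret(vulnerable_auth_len))  # full secret
    print("hardened  :", recover_secret(hardened_auth_len))    # only "flag:"
```

Run it directly and it prints the prefix each oracle gives up. The filler letters must not occur in the secret (which is why the constructed secret avoids uppercase B through Q), and the secret must not repeat any three-byte substring, otherwise a wrong guess can produce a stray match of its own; the page's solver has the same constraint through its "#" baseline and fixed suffix.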
Writeup links:
http://73spica.tech/blog/hack-lu-ctf-2016-write-up-cornelius1/
https://ctf.rip/hack-lu-ctf-2016-cornelius1-crypto-challenge/
https://github.com/sonickun/ctf-crypto-writeups/blob/master/2016/hack.lu-ctf/cornelius1/solver.py
#!/usr/bin/env python3
import requests, string

url = "https://cthulhu.fluxfingers.net:1505/"
user = "flag:"
suffix1 = "BCDEFGHIJKL"   # filler that is assumed not to occur in the flag
s = requests.Session()

while True:
    # Baseline length: "#" is assumed not to be the next flag byte
    r = s.get(url, params={'user': user + "#" + suffix1})
    baseline = len(r.cookies['auth'])
    before = len(user)
    for c in string.printable:
        r = s.get(url, params={'user': user + c + suffix1})
        if len(r.cookies['auth']) < baseline:
            user += c   # shorter cookie: this byte extended the match
            break
    if len(user) == before:   # no byte shortened the output: flag is complete
        print("[*] Flag: flag{" + user.replace('flag:', '') + "}")
        break
The easiest-to-follow solver is pasted here; it comes from the second writeup link above.