Created
December 29, 2017 21:34
-
-
Save BZHugs/5aab8f96299b524406535e0d950f3c9e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashpumpy | |
| import requests | |
| import urllib2 | |
| ''' | |
| Hash length extension attack | |
| http://35.198.133.163:1337/files/952bb2a215b032abe27d24296be099dc3334755c/?f=sample.gif -> HTTP 200 | |
| 952bb2a215b032abe27d24296be099dc3334755c = sample.gif | |
| ae3d232d2bec408b79b68ba6a57cf05399060509 = dont.gif | |
| ? = flag | |
| ''' | |
| know_file="sample.gif" | |
| search_file = "flag" | |
| def check(url): | |
| r = requests.get(url, allow_redirects=False) | |
| return r.status_code == 200 | |
| for key_length in range(0, 100): | |
| new_hash, msg = hashpumpy.hashpump("952bb2a215b032abe27d24296be099dc3334755c", "f="+know_file, "&f="+search_file, key_length) | |
| print key_length, new_hash, urllib2.quote(msg) | |
| msg = urllib2.quote(msg).replace('%26f%3D'+search_file, "&f="+search_file).replace("f%3D"+know_file, know_file) | |
| url = "http://35.198.133.163:1337/files/{}/?f={}".format(new_hash, msg) | |
| if check(url): | |
| print "yeah :" | |
| print url | |
| break |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment