ecb

2017-11-08

ECB加密

ECB模式的全称是Electronic CodeBook模式，将明文分组加密后直接成为密文分组，而密文则是由明文分组直接拼接而成。
加密模式如图:
!()[/img/ecb1.png]
那就是

分组
分组加密

密文组合
三步完成
既然如此，我们在已知一部分明文的密文的情况下，我们就可以知道任意明文的密文

实验

<?php
/**
 * Created by PhpStorm.
 * User: Da7ura_N0ir
 * Date: 2017/11/8
 * Time: 15:03
 */
function AES($data){// 要加密或解密的数据
    $privateKey = "12345678123456781234567812345678";
    // 加密密钥// MCRYPT_RIJNDAEL_128->加密算法
    $encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $privateKey, $data, MCRYPT_MODE_ECB);
    // MCRYPT_MODE_ECB->加密或解密的模式
    $encryptedData = (base64_encode($encrypted));
    return $encryptedData;
}
function DE__AES($data){
    $privateKey = "12345678123456781234567812345678";
    $encryptedData = base64_decode($data);
    $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $privateKey, $encryptedData, MCRYPT_MODE_ECB);
    $decrypted = rtrim($decrypted, "\0") ;
    return $decrypted;
}
if (@$_GET['a']=='reg'){
    setcookie('uid', AES('9'));
    setcookie('username', AES($_POST['username']));
    header("Location: http://127.0.0.1/test/ecb.php");
    exit();
}
if (@!isset($_COOKIE['uid'])||@!isset($_COOKIE['username'])){
    echo '<form method="post" action="ecb.php?a=reg">
Username:<br>
<input type="text"  name="username">
<br>
Password:<br>
<input type="text" name="password" >
<br><br>
<input type="submit" value="注册">
</form> ';
}
else{
    $uid = DE__AES($_COOKIE['uid']);
    //echo 'uid='.$uid.'<br>username='.$_COOKIE['username'].'<br>';
    if ( $uid != '4'){
        echo 'uid:' .$uid .'<br/>';
        echo 'Hi ' . DE__AES($_COOKIE['username']) .'<br/>';
        echo 'You are not administrotor!!';
    }
    else {
        echo "Hi you are administrotor!!" .'<br/>';
        echo 'Flag is ****';
    }
}
?>

这里我们在不知道秘钥privateKey的情况下，可以直接找到4的的加密密文
脚本

#coding=utf-8
import urllib
import urllib2
import base64
import cookielib
import Cookie
for num in range(1,50):
    reg_url='http://127.0.0.1/test/ecb.php?a=reg'
    index_url='http://127.0.0.1/test/ecb.php'
    cookie=cookielib.CookieJar()
    opener=urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))
    opener.addheaders.append(('User-Agent','Mozilla/5.0'))
    num=str(num)
    values={'username':'aaaaaaaaaaaaaaaa'+num,'password':'123'}
    data=urllib.urlencode(values)
    opener.open(reg_url,data)
    text=opener.open(index_url,data)
    for ck in cookie:
        if ck.name=='username':
            user_name=ck.value
    user_name = urllib.unquote(user_name)
    user_name = base64.b64decode(user_name)
    hex_name = user_name.encode('hex')
    hex_name = hex_name[len(hex_name)/2:]
    hex_name = hex_name.decode('hex')
    uid = base64.b64encode(hex_name)
    uid = urllib.quote(uid)
    for ck in cookie:
        if ck.name=='uid':
            ck.value=uid
    text=opener.open(index_url).read()
    if 'Flag' in text:
        print text
        break
    else:
       print num

我们这里是16个字节为一个组，所以我们用了16个a做前缀，后面只需要把加密结果取出来，分成两组，第二组就是我们附加的num的值，
然后再把uid修改为这个值，便可以得到

1
2
3
Hi you are administrotor!!<br/>Flag is ****