WordPress密碼哈希破解

// wp_hash_test.php

<?php

class PasswordHash {
    var $itoa64;

    function PasswordHash()
    {
        $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    }

    function encode64($input, $count)
    {
        $output = '';
        $i = 0;
        do {
            $value = ord($input[$i++]);
            $output .= $this->itoa64[$value & 0x3f];
            if ($i < $count)
                $value |= ord($input[$i]) << 8;
            $output .= $this->itoa64[($value >> 6) & 0x3f];
            if ($i++ >= $count)
                break;
            if ($i < $count)
                $value |= ord($input[$i]) << 16;
            $output .= $this->itoa64[($value >> 12) & 0x3f];
            if ($i++ >= $count)
                break;
            $output .= $this->itoa64[($value >> 18) & 0x3f];
        } while ($i < $count);

        return $output;
    }

    function crypt_private($password, $salt)
    {
        $count = 8192;

        $hash = md5($salt . $password, TRUE);
        do {
            $tmp = $hash . $password;
            $hash = md5($tmp, TRUE);
        } while (--$count);

        $output = '$P$B';
        $output .= $salt;
        $output .= $this->encode64($hash, 16);

        return $output;
    }

    function HashPassword($password, $salt)
    {
        $hash = $this->crypt_private($password, $salt);
        return $hash;
    }
}

//for test from WordPress v4.1
//$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/

$passwordValue = "123123";
$saltValue = "YEYcHEj3";

$wp_hasher = new PasswordHash();
$sigPassword = $wp_hasher->HashPassword($passwordValue, $saltValue);

echo "生成的密碼hash爲:".$sigPassword."\n";
echo '正確的密碼hash爲:$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/'."\n";

?>

// main.c

#include <stdio.h>
#include <string.h>

/* build.sh
 * gcc -c md5.c -o md5.o
 * gcc -c wordpress.c -o wordpress.o
 * gcc -c main.c -o main.o
 * gcc -o wp_hash main.o md5.o wordpress.o
 */

/* wordpress.c */
extern int wordpress( unsigned char * salt, unsigned char *passwd, int count, unsigned char *code );

int main(int argc, char* argv[])
{
    if (3 != argc)
    {
        printf("usage: ./wp_hash DICFILE 'WORDPRESS_HASH'\n");
        printf("example: ./wp_hash pwd.txt '$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/'\n");
        return -1;
    }

    char* filename = argv[1];
    char* hash = argv[2];

    char salt[9];
    memcpy(salt, hash+4, 8);
    salt[8] = '\0';

    printf("hash = [%s]\n", hash);
    printf("salt = [%s]\n", salt);

    const int MAX_LINE_LEN = 512;  // 單行所允許的最大長度
    char szLineBuf[MAX_LINE_LEN];
    FILE *fp = fopen(filename, "rb");
    if (fp)
    {
        while ( NULL != fgets(szLineBuf, sizeof(szLineBuf), fp) )
        {
            szLineBuf[strlen(szLineBuf)-1] = '\0';
            if ( '\r' == szLineBuf[strlen(szLineBuf)-1] )
            {
                szLineBuf[strlen(szLineBuf)-1] = '\0';
            }

            unsigned char code[40];
            wordpress((unsigned char*)salt, (unsigned char*)szLineBuf, 8192, code);

            if ( 0 == strcmp(hash, (const char*)code) )
            {
                printf("\nFounded!!! [%s]\n", szLineBuf);
                break;
            }
            else
            {
                printf("*");
            }
        }
        fclose(fp);
    }

    printf("\nDone\n");
    return 0;
}

// md5.c

#include <stdio.h>
#include <memory.h>
#include <string.h>

#define UINT4 unsigned int

#define F(x,y,z) ((x & y) | (~x & z))
#define G(x,y,z) ((x & z) | (y & ~z))
#define H(x,y,z) (x^y^z)
#define I(x,y,z) (y ^ (x | ~z))
#define ROTATE_LEFT(x,n) ((x << n) | (x >> (32-n)))

#define FF(a,b,c,d,x,s,ac) \
{ \
  a += F(b,c,d) + x + ac; \
  a = ROTATE_LEFT(a,s); \
  a += b; \
}
#define GG(a,b,c,d,x,s,ac) \
{ \
  a += G(b,c,d) + x + ac; \
  a = ROTATE_LEFT(a,s); \
  a += b; \
}
#define HH(a,b,c,d,x,s,ac) \
{ \
  a += H(b,c,d) + x + ac; \
  a = ROTATE_LEFT(a,s); \
  a += b; \
}
#define II(a,b,c,d,x,s,ac) \
{ \
  a += I(b,c,d) + x + ac; \
  a = ROTATE_LEFT(a,s); \
  a += b; \
}

/* MD5 context. */
typedef struct {
    UINT4 state[4];                                   /* state (ABCD) */
    UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
    unsigned char buffer[64];                         /* input buffer */
} MD5_CTX;

void MD5Init(MD5_CTX *context);
void MD5Update(MD5_CTX *context,unsigned char *input,unsigned int inputlen);
void MD5Final(MD5_CTX *context,unsigned char digest[16]);
void MD5Transform(unsigned int state[4],unsigned char block[64]);
void MD5Encode(unsigned char *output,unsigned int *input,unsigned int len);
void MD5Decode(unsigned int *output,unsigned char *input,unsigned int len);

unsigned char PADDING[]= {0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
                         };

void MD5Init(MD5_CTX *context)
{
    context->count[0] = 0;
    context->count[1] = 0;
    context->state[0] = 0x67452301;
    context->state[1] = 0xEFCDAB89;
    context->state[2] = 0x98BADCFE;
    context->state[3] = 0x10325476;
}

void MD5Update(MD5_CTX *context,unsigned char *input,unsigned int inputlen)
{
    unsigned int i = 0,index = 0,partlen = 0;
    index = (context->count[0] >> 3) & 0x3F;
    partlen = 64 - index;
    context->count[0] += inputlen << 3;
    if(context->count[0] < (inputlen << 3))
        context->count[1]++;
    context->count[1] += inputlen >> 29;

    if(inputlen >= partlen)
    {
        memcpy(&context->buffer[index],input,partlen);
        MD5Transform(context->state,context->buffer);
        for(i = partlen; i+64 <= inputlen; i+=64)
            MD5Transform(context->state,&input[i]);
        index = 0;
    }
    else
    {
        i = 0;
    }
    memcpy(&context->buffer[index],&input[i],inputlen-i);
}

void MD5Final(MD5_CTX *context,unsigned char digest[16])
{
    unsigned int index = 0,padlen = 0;
    unsigned char bits[8];
    index = (context->count[0] >> 3) & 0x3F;
    padlen = (index < 56)?(56-index):(120-index);
    MD5Encode(bits,context->count,8);
    MD5Update(context,PADDING,padlen);
    MD5Update(context,bits,8);
    MD5Encode(digest,context->state,16);
}

void MD5Encode(unsigned char *output,unsigned int *input,unsigned int len)
{
    unsigned int i = 0,j = 0;
    while(j < len)
    {
        output[j] = input[i] & 0xFF;
        output[j+1] = (input[i] >> 8) & 0xFF;
        output[j+2] = (input[i] >> 16) & 0xFF;
        output[j+3] = (input[i] >> 24) & 0xFF;
        i++;
        j+=4;
    }
}

void MD5Decode(unsigned int *output,unsigned char *input,unsigned int len)
{
    unsigned int i = 0,j = 0;
    while(j < len)
    {
        output[i] = (input[j]) |
                    (input[j+1] << 8) |
                    (input[j+2] << 16) |
                    (input[j+3] << 24);
        i++;
        j+=4;
    }
}

void MD5Transform(unsigned int state[4],unsigned char block[64])
{
    unsigned int a = state[0];
    unsigned int b = state[1];
    unsigned int c = state[2];
    unsigned int d = state[3];
    unsigned int x[64];

    MD5Decode(x,block,64);

    FF(a, b, c, d, x[ 0], 7, 0xd76aa478);
    FF(d, a, b, c, x[ 1], 12, 0xe8c7b756);
    FF(c, d, a, b, x[ 2], 17, 0x242070db);
    FF(b, c, d, a, x[ 3], 22, 0xc1bdceee);
    FF(a, b, c, d, x[ 4], 7, 0xf57c0faf);
    FF(d, a, b, c, x[ 5], 12, 0x4787c62a);
    FF(c, d, a, b, x[ 6], 17, 0xa8304613);
    FF(b, c, d, a, x[ 7], 22, 0xfd469501);
    FF(a, b, c, d, x[ 8], 7, 0x698098d8);
    FF(d, a, b, c, x[ 9], 12, 0x8b44f7af);
    FF(c, d, a, b, x[10], 17, 0xffff5bb1);
    FF(b, c, d, a, x[11], 22, 0x895cd7be);
    FF(a, b, c, d, x[12], 7, 0x6b901122);
    FF(d, a, b, c, x[13], 12, 0xfd987193);
    FF(c, d, a, b, x[14], 17, 0xa679438e);
    FF(b, c, d, a, x[15], 22, 0x49b40821);

    GG(a, b, c, d, x[ 1], 5, 0xf61e2562);
    GG(d, a, b, c, x[ 6], 9, 0xc040b340);
    GG(c, d, a, b, x[11], 14, 0x265e5a51);
    GG(b, c, d, a, x[ 0], 20, 0xe9b6c7aa);
    GG(a, b, c, d, x[ 5], 5, 0xd62f105d);
    GG(d, a, b, c, x[10], 9,  0x2441453);
    GG(c, d, a, b, x[15], 14, 0xd8a1e681);
    GG(b, c, d, a, x[ 4], 20, 0xe7d3fbc8);
    GG(a, b, c, d, x[ 9], 5, 0x21e1cde6);
    GG(d, a, b, c, x[14], 9, 0xc33707d6);
    GG(c, d, a, b, x[ 3], 14, 0xf4d50d87);
    GG(b, c, d, a, x[ 8], 20, 0x455a14ed);
    GG(a, b, c, d, x[13], 5, 0xa9e3e905);
    GG(d, a, b, c, x[ 2], 9, 0xfcefa3f8);
    GG(c, d, a, b, x[ 7], 14, 0x676f02d9);
    GG(b, c, d, a, x[12], 20, 0x8d2a4c8a);

    HH(a, b, c, d, x[ 5], 4, 0xfffa3942);
    HH(d, a, b, c, x[ 8], 11, 0x8771f681);
    HH(c, d, a, b, x[11], 16, 0x6d9d6122);
    HH(b, c, d, a, x[14], 23, 0xfde5380c);
    HH(a, b, c, d, x[ 1], 4, 0xa4beea44);
    HH(d, a, b, c, x[ 4], 11, 0x4bdecfa9);
    HH(c, d, a, b, x[ 7], 16, 0xf6bb4b60);
    HH(b, c, d, a, x[10], 23, 0xbebfbc70);
    HH(a, b, c, d, x[13], 4, 0x289b7ec6);
    HH(d, a, b, c, x[ 0], 11, 0xeaa127fa);
    HH(c, d, a, b, x[ 3], 16, 0xd4ef3085);
    HH(b, c, d, a, x[ 6], 23,  0x4881d05);
    HH(a, b, c, d, x[ 9], 4, 0xd9d4d039);
    HH(d, a, b, c, x[12], 11, 0xe6db99e5);
    HH(c, d, a, b, x[15], 16, 0x1fa27cf8);
    HH(b, c, d, a, x[ 2], 23, 0xc4ac5665);

    II(a, b, c, d, x[ 0], 6, 0xf4292244);
    II(d, a, b, c, x[ 7], 10, 0x432aff97);
    II(c, d, a, b, x[14], 15, 0xab9423a7);
    II(b, c, d, a, x[ 5], 21, 0xfc93a039);
    II(a, b, c, d, x[12], 6, 0x655b59c3);
    II(d, a, b, c, x[ 3], 10, 0x8f0ccc92);
    II(c, d, a, b, x[10], 15, 0xffeff47d);
    II(b, c, d, a, x[ 1], 21, 0x85845dd1);
    II(a, b, c, d, x[ 8], 6, 0x6fa87e4f);
    II(d, a, b, c, x[15], 10, 0xfe2ce6e0);
    II(c, d, a, b, x[ 6], 15, 0xa3014314);
    II(b, c, d, a, x[13], 21, 0x4e0811a1);
    II(a, b, c, d, x[ 4], 6, 0xf7537e82);
    II(d, a, b, c, x[11], 10, 0xbd3af235);
    II(c, d, a, b, x[ 2], 15, 0x2ad7d2bb);
    II(b, c, d, a, x[ 9], 21, 0xeb86d391);

    state[0] += a;
    state[1] += b;
    state[2] += c;
    state[3] += d;
}


void MD5(unsigned char * buf, unsigned int len, unsigned char *out, int type)
{
    int i;
    MD5_CTX md5;
    unsigned char digest[16];

    char hex[]="0123456789abcdef";
    char HEX[]="0123456789ABCDEF";

    MD5Init(&md5);
    MD5Update(&md5, buf,len);
    MD5Final(&md5, digest);

    if (type == 0)
    {
        for (i = 0; i < 16; i++)
        {
            out[i+i]   = hex[digest[i] >> 4];
            out[i+i+1] = hex[digest[i] & 0x0f];
        }
    }
    else if (type == 1)
    {
        for (i = 0; i < 16; i++)
        {
            out[i+i]   = HEX[digest[i] >> 4];
            out[i+i+1] = HEX[digest[i] & 0x0f];
        }
    }
    out[i+i] = '\0';
}

// wordpress.c

#include <stdio.h>
#include <string.h>

/* md5.c */
extern void MD5(unsigned char * buf, unsigned int len, unsigned char *out, int type);

#define WORDPRESS_MD5_CHAR_NUM 16

unsigned char base64Char[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

void fast_md5_to_unsigned_char(unsigned char *hash) // todo: fix bug
{
    int i;
    unsigned char md5[17];

    for (i = 0; i < 16; i++)
    {
        if (hash[2*i] >= '0' && hash[2*i] <= '9')
            md5[i] = (hash[2*i] - '0') << 4;
        else if (hash[2*i] >= 'a' && hash[2*i] <= 'f')
            md5[i] = (hash[2*i] - 'a') <<4;

        if (hash[2*i+1] >= '0' && hash[2*i+1] <= '9')
            md5[i] = md5[i] | ((hash[2*i+1] - '0') & 0x0f);
        else if (hash[2*i+1] >= 'a' && hash[2*i+1] <= 'f')
            md5[i] = md5[i] | ((hash[2*i+1] - 'a') & 0x0f);
    }
    md5[16] = '\0';

    for (i = 0; i < 16; i++)
        hash[i] = md5[i];
    hash[16] = '\0';
}

// 616263 -> abc
// 4297f44b13955235245b2497399d7a93 -> ?
void md5_to_unsigned_char(unsigned char *hash)
{
    int i;
    unsigned char md5[17];
    for (i = 0; i < 16; ++i)
    {
        char temp[3];
        temp[0] = hash[i*2+0];
        temp[1] = hash[i*2+1];
        temp[2] = '\0';
        int hex;
        sscanf(temp, "%x", &hex);
        md5[i] = hex;
    }
    md5[16] = '\0';
    //strcpy((char*)hash, (const char*)md5); // bug because of 00
    for (i = 0; i < 16; i++)
        hash[i] = md5[i];
    hash[16] = '\0';
}

void fast_base64Encode(unsigned char *md5, unsigned char *result) // todo: fix bug
{
    int num_24bits = 5;
    int i;

    for (i = 0; i < num_24bits; ++i)
    {
        result[4 * i + 0] = base64Char[(md5[3 * i] >> 2) & 0x3F];
        result[4 * i + 1] = base64Char[(((md5[3 * i] & 0x3) << 4) | (md5[3 * i + 1] >> 4)) & 0x3F];
        result[4 * i + 2] = base64Char[((md5[3 * i + 1] << 2) | (md5[3 * i + 2] >> 6)) & 0x3F];
        result[4 * i + 3] = base64Char[md5[3 * i + 2] & 0x3F];
    }
    result[20] = base64Char[md5[15] >> 2];
    result[21] = base64Char[(md5[15] << 4) & 0x3F];

    result[22] = '\0';
}

void base64Encode(unsigned char *md5, unsigned char *result)
{
    char buf_t[32];
    int index_t = 0;
    int value;

    int i;
    for (i = 0; i < 16; )
    {
        value = (int)md5[i++];
        buf_t[index_t++] = base64Char[value & 0x3f];
        if (i < 16)
            value |= ((int)md5[i] << 8);
        buf_t[index_t++] = base64Char[(value >> 6) & 0x3f];
        if (i++ >= 16)
            break;
        if (i < 16)
            value |= ((int)md5[i] << 16);
        buf_t[index_t++] = base64Char[(value >> 12) & 0x3f];
        if (i++ >= 16)
            break;
        buf_t[index_t++] = base64Char[(value >> 18) & 0x3f];
    }

    memcpy(result, buf_t, index_t);
}

int wordpress( unsigned char * salt, unsigned char *passwd, int count, unsigned char *code )
{
    int i, j;
    char symbol;
    unsigned char buffer[100];
    unsigned char base64_code[23];

    int len = strlen( (char *)passwd );

    //first time use md5 function with salt
    strcpy( (char *)buffer, (char *)salt );
    strcat( (char *)buffer, (char *)passwd );

    MD5( buffer, strlen( (char *)buffer), buffer, 0 );
    md5_to_unsigned_char( buffer );

    //count times md5 function
    for (i = 0; i < count; i++)
    {
        memcpy( (void *)&buffer[WORDPRESS_MD5_CHAR_NUM], passwd, len );

        MD5( buffer, WORDPRESS_MD5_CHAR_NUM + len, buffer, 0 );
        md5_to_unsigned_char( buffer );
    }

    base64Encode( buffer, base64_code );

    strcpy( (char *)code, "$P$" );
    code[3] = 'B';
    code[4] = '\0';

    strcat( (char *)code, (char *)salt);
    memcpy( (void *)&code[12], base64_code, 22);

    return 0;
}

// crack_wp_hash.sh

#!/bin/bash

hash=$1
pass=$2

for n in $(cat $hash)
do
    echo "./wp_hash $pass '$n'"
    `./wp_hash $pass $n >> crack_results.txt`
done

echo


發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章