A hash like MD5 has four state variables and runs multiple rounds; in each round, formulas compute new state variables from the previous values and replace them. It also starts from four default initial state values.
In this algorithm there is one round for every character of the input, and at the end the output is produced by hex-encoding and concatenating the final state variables.
But there are some flaws in the algorithm, such as not using the length of the input and …
This means that if we know the state variable values for some string s, we can continue the rounds and produce the output for s+x for any x. This attack is known as a hash length extension attack.
Clearly, we can obtain the state variable values from HASH(s). The reader should notice that big-endian byte order is used in bhe.js.
So we have:
Hash(s+x, default initial state value) = Hash(x, state value of Hash(s))
Based on what was discussed earlier and some knowledge about HMAC, our scenario is:
HMAC(message)= Hash(secret + message)
where the page name is used as the message. As you saw, we have a valid HMAC for the empty (NULL) page name, so:
HMAC("") = Hash(secret)
HMAC("flag") = Hash("flag", state value of HMAC(""))
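The resume-from-state relation described above, shown on a constructed toy hash next to a hardened MAC. This is an added example, not the author's script and not bhe.js: the initial state constants, the round function, the secret and all function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
# Constructed initial state (assumption); bhe.js's real constants are not on the page.
DEFAULT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def toy_hash(data: bytes, state=DEFAULT_STATE) -> str:
    """Toy hash: one round per input byte, no padding, no length block."""
    a, b, c, d = state
    for byte in data:
        mixed = (a + ((b & c) | (~b & d)) + byte) & MASK
        a, b, c, d = d, (b + rotl(mixed, 7)) & MASK, b, c
    # Digest = the four final state words, big-endian, hex-encoded.
    return struct.pack(">4I", a, b, c, d).hex()

def state_from_digest(digest_hex: str):
    """The digest is the raw final state, so it can be read straight back."""
    return struct.unpack(">4I", bytes.fromhex(digest_hex))

def weak_mac(secret: bytes, message: bytes) -> str:
    """The vulnerable construction from the page: Hash(secret + message)."""
    return toy_hash(secret + message)

def resume(known_tag: str, suffix: bytes) -> str:
    """Continue the rounds from a known tag's state, without the secret."""
    return toy_hash(suffix, state_from_digest(known_tag))

def strong_mac(secret: bytes, message: bytes) -> str:
    """Hardened form: real HMAC (nested, keyed) over SHA-256."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_strong(secret: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(strong_mac(secret, message), tag)

def demo():
    secret = b"constructed-secret"  # constructed sample value
    tag_empty = weak_mac(secret, b"")           # tag for the empty page name
    resumed = resume(tag_empty, b"flag")        # computed without `secret`
    weak_accepts = resumed == weak_mac(secret, b"flag")
    strong_accepts = verify_strong(secret, b"flag", resumed)
    return weak_accepts, strong_accepts

if __name__ == "__main__":
    print(demo())
```

The weak construction accepts the resumed tag because its digest exposes the full internal state; the standard HMAC construction does not, so the same tag fails verification there.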
In order to obtain the proper HMAC I wrote a Python script, but it can be done by changing the default value in JS too.
def convert2be(s):  # convert to big endian byte order
for x in inp:
By executing the script we have the following HMAC: