Web based padding oracle attack
This is a modified version of mpgn's Padding Oracle Attack exploit, rewritten with Requests. The CBC mode must use PKCS7 for the padding block.
This exploit allows a block size of 8 or 16, so the script can be used whether the cipher is AES or DES. Tested against HTB Web Challenge.
- rewritten in Requests
- added cookie injection functionality
- added base64 convert option
- minor improvements
usage: ask-oracle.py [-h] -c CIPHER -l LENGTH_BLOCK_CIPHER --host HOST -u URLTARGET
                     --error ERROR [--cookie COOKIE]
                     [--method METHOD] [--post POST] [--cookieinj COOKIEINJ]
                     [--base64] [-v]
Details of required options:
  -c           cipher chain (hex)
  -l           length of a block, example: 8 or 16
  -u           UrlTarget, example: /?id=
  --host       hostname, example: google.ca
  --error      Error that the oracle gives for a wrong padding
               example: HTTP codes: 200,400,500
                        DOM HTML : "<h1>Padding Error</h1>"
Optional:
  --cookie     Cookie parameter, example: PHPSESSID=123abcd
  --method     Method of passing the ciphertext: GET, POST or cookie, default GET
  --post       POST parameter, example 'user':'value', 'pass':'value'
  --cookieinj  cookie name to inject ciphertext
  --base64     convert to base64
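
On the server side, a padding oracle attack has to try up to 256 values for each plaintext byte, so it shows up in access logs as one client sending hundreds of distinct hex ciphertexts that end in the same block and mostly draw the padding error. The detection sketch below is an added example, not part of ask-oracle.py or of mpgn's exploit. The log format, thresholds, addresses, sample lines and function names are assumptions constructed for illustration, and it only covers ciphertext carried in the request target (as with `-u /?id=`).

```python
import re
from collections import Counter, defaultdict

# Assumed log format: client "METHOD path<hex ciphertext> HTTP/x" status
LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S*?)([0-9a-fA-F]{32,}) HTTP/[\d.]+" (\d{3})$')

def constructed_log():
    """Constructed sample: one probing client and one ordinary client."""
    target = "a1b2c3d4e5f60718"  # constructed 8-byte block that stays fixed
    lines = []
    for guess in range(256):     # one byte position being brute-forced
        status = 200 if guess == 0x3c else 500
        lines.append(f'10.0.0.5 "GET /?id={guess:016x}{target} HTTP/1.1" {status}')
    lines += ['10.0.0.9 "GET /?id=00112233445566778899aabbccddeeff HTTP/1.1" 200'] * 5
    return lines

def find_oracle_probing(lines, min_distinct=100, min_error_ratio=0.9, error_codes=("500",)):
    """Return sorted (client, path) pairs whose traffic looks like oracle probing."""
    seen = defaultdict(lambda: {"tokens": set(), "tails": Counter(), "total": 0, "errors": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        client, path, token, status = m.groups()
        if len(token) % 16:      # not a whole number of 8-byte blocks
            continue
        s = seen[(client, path)]
        s["tokens"].add(token.lower())
        s["tails"][token[-16:].lower()] += 1   # last 8 bytes of the ciphertext
        s["total"] += 1
        s["errors"] += status in error_codes
    flagged = []
    for key, s in seen.items():
        tail_share = s["tails"].most_common(1)[0][1] / s["total"]
        if (len(s["tokens"]) >= min_distinct
                and s["errors"] / s["total"] >= min_error_ratio
                and tail_share >= 0.9):        # same final block, varying prefix
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_oracle_probing(constructed_log()))
```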