예제 #1
0
파일: set2.py 프로젝트: rohitg15/matasano
def c13():
    input = "foo=bar&baz=qux&zap=zazzle"
    #print Profile.parse(input)


    input2 = "*****@*****.**"
    p = Profile.profile_for(input2)
    # print p , p.encode()

    # now we make role= appear at the end of a block

    legit_email = "*****@*****.**"
    lp = Profile.profile_for(legit_email)
    legit_ciphertext = Profile.encrypt(lp.encode())

    # generate a fake profile where 'admin' appears at the begining of a block
    fake_email = "A"*10 + "admin"
    fp = Profile.profile_for(fake_email)
    fake_ciphertext = Profile.encrypt(fp.encode())

    # perform a cut and paste of the ECB ciphertexts obtained above
    ciphertext = legit_ciphertext[:32] + fake_ciphertext[16:32]
    # fake_profile = Profile.decrypt(ciphertext)
    # print fake_profile
    new_profile = Profile.parse(Profile.decrypt(ciphertext))
    print new_profile
예제 #2
0
파일: set2.py 프로젝트: rohitg15/matasano
def c13_enhanced():
  """
      In this enhanced mode of c13, we search for the appropriate sizes
      of the legitimate, fake profile's.

      i denotes the size of the legitimate email id that is created so that the
        word role= is positioned at the end of a block
      j denotes the size of the fake email id that we create to position admin at the begining of a new block

      since we do not know whether the keywordsd role=, admin are part fo the cookie, we search for all possible pairs i,j and perform the
        ECB cut and paste attack performed in part 13
        for one combiantion of i,j the keyword role= would be at the end of
        a block and the fake profile's 'admin' would be at the begining of
        a block. splicing the two and decrypting, generates a counterfeit
        profile with its privilege escalated

  """
  input = "foo=bar&baz=qux&zap=zazzle"
    #print Profile.parse(input)


  input2 = "*****@*****.**"
  p = Profile.profile_for(input2)

  # now we make 'role='' appear at the end of a block
  # since we do not know where eactly it occurs in the plaintext, we
  # search for all possible sizes for the email id such that 'role=' would
  # be pushed to the end of a block
  bsize = 16
  for i in range(bsize):
    legit_email = "a"*i + "@bar.com"
    lp = Profile.profile_for(legit_email)
    legit_ciphertext = Profile.encrypt(lp.encode())
    # generate a fake profile where 'admin' appears at the begining of a block
    # search all possible sizes from 0 through bsize, so that 'admin' falls
    # at the begining of a block
    for j in range(bsize):
      fake_email = "A"*j + "admin"
      fp = Profile.profile_for(fake_email)
      fake_ciphertext = Profile.encrypt(fp.encode())

      # perform a cut and paste of the ECB ciphertexts obtained above
      ciphertext = legit_ciphertext[:32] + fake_ciphertext[16:32]
      # print fake_profile
      new_profile = Profile.parse(Profile.decrypt(ciphertext))
      print new_profile , i , j, "\n"