def decrypt(self, c):
    """CBC-style decryption assembled from raw AES-ECB block operations.

    ``c`` is passed through ``PKCS7(c, 16)`` and cut into 16-byte blocks.
    Every block except the last one is ECB-decrypted and XORed with the
    running chaining value stored in ``self.iv``.

    Side effect: ``self.iv`` is overwritten with each ciphertext block that
    is processed, so chaining state carries over into the next call.

    Returns the concatenated plaintext blocks. This method neither strips
    nor validates padding, and it performs no integrity check on ``c``.
    """
    # NOTE(review): the ciphertext itself is run through PKCS7() and the
    # final block is then skipped -- presumably so that a block-aligned
    # input only loses the padding block added here. Confirm against the
    # definition of PKCS7, which is not visible in this listing.
    c = PKCS7(c, 16)
    ecb = AES.new(self.key, AES.MODE_ECB)
    blocks = [c[16 * n:16 * (n + 1)] for n in range(len(c) // 16)]

    plaintext = b""
    for block in blocks[:-1]:
        plaintext += xor(ecb.decrypt(block), self.iv)
        # The ciphertext block just consumed is the next chaining value.
        self.iv = block
    return plaintext
def encrypt(self, m):
    """CBC-style encryption assembled from raw AES-ECB block operations.

    ``m`` is passed through ``PKCS7(m, 16)`` and cut into 16-byte blocks.
    Every block except the last one is XORed with the running chaining
    value in ``self.iv`` and then ECB-encrypted.

    Side effect: ``self.iv`` is replaced by each ciphertext block produced,
    so the next call chains from the last block emitted by this one.

    Returns the concatenated ciphertext blocks; no authentication tag is
    produced.
    """
    # NOTE(review): the loop stops one block before the end of the padded
    # message, so the final padded block is never encrypted. Whether that
    # drops only padding or also message bytes depends on PKCS7(), which is
    # not visible here -- confirm.
    # NOTE(review): a chaining value equal to the previous call's last
    # ciphertext block is known to anyone who saw that ciphertext; CBC
    # expects an unpredictable IV for each message.
    m = PKCS7(m, 16)
    ecb = AES.new(self.key, AES.MODE_ECB)
    blocks = [m[16 * n:16 * (n + 1)] for n in range(len(m) // 16)]

    encode = b""
    for block in blocks[:-1]:
        chained = ecb.encrypt(xor(self.iv, block))
        encode += chained
        self.iv = chained
    return encode
def encrypt_oracle(s):
    """Return the AES-ECB encryption of ``PKCS7(s + suffix_r, 16)``.

    ``suffix_r`` and ``key`` are read from the enclosing module scope.

    ECB encrypts each 16-byte block independently and deterministically:
    equal plaintext blocks always produce equal ciphertext blocks. Placing
    caller-controlled bytes directly in front of a secret suffix under ECB
    therefore leaks information about that suffix through the ciphertext;
    a randomized, authenticated mode does not have this property.
    """
    padded = PKCS7(s + suffix_r, 16)
    return AES.new(key, AES.MODE_ECB).encrypt(padded)
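def encrypt(string):
    """Encrypt ``prepend + string + append`` with AES-CBC.

    ``prepend``, ``append``, ``key`` and ``iv`` are read from the enclosing
    module scope. The combined message is passed through ``PKCS7(..., 16)``
    before encryption.

    Args:
        string: caller-supplied bytes; must contain neither ``=`` nor ``;``.

    Returns:
        The CBC ciphertext of the padded, wrapped message.

    Raises:
        AssertionError: if ``string`` contains ``=`` or ``;``.
    """
    # Reject the input when EITHER metacharacter is present. The previous
    # condition joined the two "not in" tests with `or`, which only rejected
    # input containing both characters at once. The exception type is kept,
    # but it is raised explicitly so the check is not stripped by `python -O`.
    if b"=" in string or b";" in string:
        raise AssertionError("input must not contain '=' or ';'")

    wrapped = PKCS7(prepend + string + append, 16)
    # NOTE(review): this filter only constrains the plaintext before
    # encryption. CBC without a MAC is malleable, so a consumer that parses
    # the decrypted text still needs an integrity check on the ciphertext
    # (encrypt-then-MAC or an AEAD mode).
    # NOTE(review): `iv` comes from module scope; if it is fixed for the
    # process, every message is encrypted under the same IV -- confirm.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return cipher.encrypt(wrapped)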
def encrypt_profile(profile):
    """Return the AES-ECB encryption of ``PKCS7(profile, 16)``.

    ``key`` is read from the enclosing module scope.

    ECB gives confidentiality per block only: blocks are encrypted
    independently and nothing binds them together or authenticates them.
    A consumer that makes decisions from fields in the decrypted profile
    needs a MAC or an AEAD mode on top of (or instead of) this.
    """
    padded = PKCS7(profile, 16)
    return AES.new(key, AES.MODE_ECB).encrypt(padded)
# Tail of a definition whose header lies outside this listing (presumably
# the end of encrypt_profile, since it encrypts `profile` with AES-ECB).
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(profile)


def check_role(en_profile):
    """Decrypt an ECB-encrypted profile and print which role it carries.

    The ciphertext is decrypted with the module-level ``key``, unpadded with
    ``unPad`` and parsed with ``parse_routine``; the role is taken from index
    path ``[1][2][1]`` of the parse result (structure defined elsewhere).

    Prints "Log in as admin!" when the role equals ``b"admin"``, otherwise
    "Log in as user!". Returns nothing.

    NOTE(review): the role is trusted straight from the decrypted bytes;
    nothing here verifies that ``en_profile`` is a ciphertext this program
    produced as a whole. Authenticating the ciphertext (MAC or AEAD) before
    parsing is the missing control.
    """
    cipher = AES.new(key, AES.MODE_ECB)
    text = cipher.decrypt(en_profile)
    text = unPad(text)
    role = parse_routine(text)[1][2][1]
    if role == b"admin":
        print("Log in as admin!")
    else:
        print("Log in as user!")


if __name__ == '__main__':
    # Demonstration of why ECB without integrity protection cannot carry
    # authorization data: two ciphertexts produced under the same key are
    # combined block-wise and check_role() accepts the result.
    key = urandom(16)  # fresh random 16-byte AES key for this run

    # Profile for an ordinary account, encrypted by the "server" side.
    email = b"0" * 13
    profile = profile_for(email)
    e_profile = encrypt_profile(profile)
    print("[*] Log in with user : %s" % email)
    print("[*] Attack to get admin role.......")

    # Second profile whose e-mail field embeds a PKCS7-padded b"admin".
    # NOTE(review): the 13- and 10-byte lengths presumably depend on the
    # field layout that profile_for() emits, which is not visible here.
    fake_email = b"0" * 10 + PKCS7(b"admin", 16)
    fake_profile = profile_for(fake_email)
    e_profile_f = encrypt_profile(fake_profile)

    # First 32 bytes of the first ciphertext followed by the second 16-byte
    # block of the other one. ECB decrypts each block on its own, so the
    # join is not detectable without a MAC/AEAD over the whole ciphertext.
    e_admin = e_profile[:32] + e_profile_f[16:32]
    print("[*] Server check role .......")
    check_role(e_admin)
def encrypt_oracle(s):
    """Return the AES-ECB encryption of ``random_prefix + s + targets_bytes``.

    The combined message is passed through ``PKCS7(..., 16)`` first.
    ``random_prefix``, ``targets_bytes`` and ``key`` are read from the
    enclosing module scope.

    ECB is deterministic per 16-byte block, so a prefix of unknown content
    does not hide block equality from whoever controls ``s``; protecting
    ``targets_bytes`` requires a randomized, authenticated mode rather than
    extra bytes in front of the input.
    """
    padded = PKCS7(random_prefix + s + targets_bytes, 16)
    return AES.new(key, AES.MODE_ECB).encrypt(padded)
def discover_padding_length(r, c_block, padding_validation):
    """Count the trailing bytes of ``r`` that the padding check depends on.

    Walks positions 15 down to 0 of ``r``. At each position the low bit of
    that byte is flipped and ``padding_validation(r0 + c_block)`` is asked
    whether the modified input is still accepted.

    Args:
        r: 16-byte block placed in front of ``c_block``.
        c_block: ciphertext block appended after ``r``.
        padding_validation: callable returning a truthy value when the
            padding of its argument is accepted (defined elsewhere).

    Returns:
        The number of positions tried before the first one whose flip was
        still accepted. If no flip is accepted across all 16 positions the
        loop ends without a ``return`` and the result is ``None``.
    """
    padding = 0
    for i in range(15, -1, -1):
        # Copy of r with only the low bit of byte i changed.
        r0 = r[:i] + bytes([r[i] ^ 1]) + r[i + 1:]
        if padding_validation(r0 + c_block):
            return padding
        padding += 1


if __name__ == '__main__':
    # Demonstration of why a decryption endpoint must not reveal whether
    # CBC padding was valid: the only secret-dependent signal used below is
    # the boolean returned by padding_validation(). Verifying a MAC over the
    # ciphertext before any padding check (or using an AEAD mode) and
    # returning one uniform error removes that signal.
    key = urandom(16)
    iv = urandom(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    c = cipher.encrypt(PKCS7(b"0" * 31, 16))
    ''' break D(ci) from c and padding oracle '''
    ci = c[:16]  # first ciphertext block
    Dci = b""
    R0 = urandom(15)
    ''' choose random R to R+C is valid padding '''
    # Try every value for the 16th byte until padding_validation accepts.
    # NOTE(review): padding_validation is defined outside this listing.
    for bytess in range(256):
        R = R0 + bytes([bytess])
        if padding_validation(R + ci):
            break
    padding_length = discover_padding_length(R, ci, padding_validation)
    print("Padding length for the first R : %d" % padding_length)
    ''' find Dci'''
    # Bytes are appended starting from the last position of R.
    # NOTE(review): Dci is therefore in last-to-first byte order at this
    # point -- confirm that later code accounts for it.
    for i in range(padding_length):
        Dci += bytes([R[-i - 1] ^ padding_length])
    for i in range(padding_length + 1, 17, 1):
    # (the listing ends here; the body of this loop is outside the visible source)