Rustpad:一款功能强大的多线程Padding Oracle漏洞挖掘工具

2022-06-08 15:37:33 浏览数 (1)

关于Rustpad

Rustpad是一款功能强大的多线程Padding Oracle漏洞挖掘工具,该工具是PadBuster漏洞挖掘工具的继承者,相当于站在前人的肩膀上实现了自己的功能。该工具基于Rust开发,并且能够利用PaddingOracle漏洞在不知道加密密钥的情况下解密任意密文或加密任意明文数据。

功能介绍

1、解密任意密文 2、加密任意明文 3、块级和字节级的多线程 4、高级实时交互式用户接口 5、No-TTY支持,因此可以通过管道进行数据传输 6、进度条和自动重试 7、智能检测密码文本编码,支持:十六进制、base64、base64url 8、采用纯Rust安全开发,确保了工具的可用性

工具下载&安装

广大研究人员可以使用下列命令将该项目源码克隆至本地:

代码语言:javascript复制
git clone https://github.com/Kibouo/rustpad.git

Arch Linux【aurv1.7.3-1

代码语言:javascript复制
yay -Syu rustpad

Kali / Debian【debv1.7.3

代码语言:javascript复制
apt install ./rustpad.deb

其他操作系统平台【crates.io v1.7.3

代码语言:javascript复制
cargo install rustpad

工具使用

使用Rustpad来测试Padding Oracle漏洞其实是非常容易的,该工具只需要四个参数信息即可开始漏洞挖掘:

1、目标Oracle(--oracle) 2、需要解密的密文(--decrypt) 3、块大小(--block-size) 4、Oracle类型(Web / 脚本)

工具帮助信息

代码语言:javascript复制
; rustpad --help

rustpad

Multi-threaded Padding Oracle attacks against any service.



USAGE:

    rustpad [OPTIONS] --block-size <block_size> --decrypt <decrypt> --oracle <oracle> <SUBCOMMAND>



OPTIONS:

    -B, --block-size <block_size>

            Block size used by the cypher [possible values: 8, 16]



    -D, --decrypt <decrypt>

            Original cypher text, received from the target service, which is to be decrypted



        --delay <delay>

            Delay between requests within a thread, in milliseconds [default: 0]



    -e, --encoding <encoding>

            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]



    -E, --encrypt <encrypt>

            Plain text to encrypt. Encryption mode requires a cypher text to gather necessary data



    -h, --help

            Prints help information



        --no-cache

            Disable reading and writing to the cache file



    -n, --no-iv

            Cypher text does not include an Initialisation Vector



        --no-url-encode

            Disable URL encoding and decoding of cypher text



    -O, --oracle <oracle>

            The oracle to question with forged cypher texts. This can be a URL or a shell script.

            See the subcommands `web --help` and `script --help` respectively for further help.

    -o, --output <output>

            File path to which log output will be written



    -t, --threads <threads>

            Amount of threads in the thread pool



    -V, --version

            Prints version information



    -v, --verbose

            Increase verbosity of logging





SUBCOMMANDS:

    web       Question a web-based oracle

script    Question a script-based oracle

Web模式

Web模式下,指定的目标Oracle需位于Web上。换句话说,我们的目标Oracle是一个带有URL的Web服务器。

为了保证Padding Oracle成功,如果提供了填充不正确的密文文本,那么Rustpad将会对Oracle的响应信息进行分析,并根据Oracle的行为来对自身进行自动校准。

代码语言:javascript复制
; rustpad web --help

rustpad-web

Question a web-based oracle



USAGE:

    rustpad --block-size <block_size> --decrypt <decrypt> --oracle <oracle> web [OPTIONS]



OPTIONS:

    -c, --consider-body

            Consider the response body and content length when determining the web oracle's response to (in)correct padding



    -d, --data <data>

            Data to send in a POST request



        --delay <delay>

            Delay between requests within a thread, in milliseconds [default: 0]



    -e, --encoding <encoding>

            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]



    -h, --help

            Prints help information



    -H, --header <header>...

            HTTP header to send



    -k, --insecure

            Disable TLS certificate validation



    -K, --keyword <keyword>

            Keyword indicating the location of the cypher text in the HTTP request. It is replaced by the cypher text's value at runtime [default: CTEXT]



        --no-cache

            Disable reading and writing to the cache file



    -n, --no-iv

            Cypher text does not include an Initialisation Vector



        --no-url-encode

            Disable URL encoding and decoding of cypher text



    -o, --output <output>

            File path to which log output will be written



    -x, --proxy <proxy>

            Proxy server to send web requests over. Supports HTTP(S) and SOCKS5



        --proxy-credentials <proxy_credentials>

            Credentials to authenticate against the proxy server with [format: <user>:<pass>]



    -r, --redirect

            Follow 302 Redirects



    -t, --threads <threads>

            Amount of threads in the thread pool



    -T, --timeout <timeout>

            Web request timeout in seconds [default: 10]



    -A, --user-agent <user_agent>

            User-agent to identify with [default: rustpad/<version>]



    -v, --verbose

            Increase verbosity of logging





Indicate the cypher text's location! See `--keyword` for clarification.

脚本模式

脚本模式是为超级用户或CTF玩家准备的,并且能够提供一个可运行的脚本,该模式下的目标Oracle是一个本地Shell脚本。

脚本将允许我们能对本地Oracle或更特殊的服务进行漏洞测试。或者说,我们也可以使用脚本模式来自定义或扩展Rustpad的功能。

代码语言:javascript复制
; rustpad script --help

rustpad-script

Question a script-based oracle



USAGE:

    rustpad --block-size <block_size> --decrypt <decrypt> --oracle <oracle> script [OPTIONS]



OPTIONS:

        --delay <delay>

            Delay between requests within a thread, in milliseconds [default: 0]



    -e, --encoding <encoding>

            Specify encoding used by the oracle to encode the cypher text [default: auto]  [possible values: auto, base64, base64url, hex]



    -h, --help

            Prints help information



        --no-cache

            Disable reading and writing to the cache file



    -n, --no-iv

            Cypher text does not include an Initialisation Vector



        --no-url-encode

            Disable URL encoding and decoding of cypher text



    -o, --output <output>

            File path to which log output will be written



    -t, --threads <threads>

            Amount of threads in the thread pool



    -v, --verbose

            Increase verbosity of logging





Script must respond with exit code 0 for correct padding, and any other code otherwise. Cypher text is passed as the 1st argument.

即将添加的功能

1、Tab键自动补全 2、智能化URL解析 3、高级校准 4、块大小自动检测 5、改进Linux二进制文件的大小 6、.NET URL令牌编码

项目地址

https://github.com/Kibouo/rustpad

参考资料

https://github.com/AonCyberLabs/PadBuster

https://en.wiki*pedia.org/wiki/Padding_oracle_attack

0 人点赞