| 1 | +import urllib.parse |
| 2 | +import base64 |
| 3 | + |
| 4 | + |
| 5 | +def repeating_key_xor(text, key): |
| 6 | + return fixed_xor(text, expand_str(key, len(text))) |
| 7 | + |
| 8 | + |
| 9 | +def fixed_xor(one, two): |
| 10 | + ''' |
| 11 | + Returns XOR combination of two equal length bytestrings. |
| 12 | + :param one: Bytes |
| 13 | + :param two: Bytes |
| 14 | + :return: Bytes |
| 15 | + ''' |
| 16 | + |
| 17 | + result = b'' |
| 18 | + |
| 19 | + # print(len(one)) |
| 20 | + # test equal len |
| 21 | + if len(one) != len(two): |
| 22 | + raise ValueError('Parameter lengths are not equal.', len(one), len(two), one, two) |
| 23 | + # xor byte by byte |
| 24 | + |
| 25 | + for i in range(len(one)): |
| 26 | + # print(one, one[i], type(one[i])) |
| 27 | + xor_result = one[i] ^ two[i] |
| 28 | + result += bytes([xor_result]) |
| 29 | + # result += format(one[i] ^ two[i], 'x') |
| 30 | + # print(result, type(result)) |
| 31 | + |
| 32 | + # print('fixed_xor:', type(result), result) |
| 33 | + return result |
| 34 | + |
| 35 | + |
| 36 | +def expand_str(text, length): |
| 37 | + return (text * (length // len(text) + 1))[:length] |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | + |
| 42 | +# encoded_json = b'{"bgcolor":"#ffffff","showpassword":"no"}' |
| 43 | +encoded_json = '{"showpassword":"no","bgcolor":"#ffffff"}' |
| 44 | +cookie_url_encoded = 'ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D' |
| 45 | + |
| 46 | +cookie_b64 = urllib.parse.unquote(cookie_url_encoded) |
| 47 | +print('cookie_b64', cookie_b64) |
| 48 | + |
| 49 | +cookie_xor = base64.b64decode(cookie_b64) |
| 50 | + |
| 51 | +print(cookie_xor) |
| 52 | + |
| 53 | +print('length encoded_json', len(encoded_json)) |
| 54 | +print('length cookie_xor', len(cookie_xor)) |
| 55 | + |
| 56 | +solution = [] |
| 57 | + |
| 58 | +for i in range(len(encoded_json)): |
| 59 | + # print(i, cookie_xor[i], encoded_json[i], ord(encoded_json[i])) |
| 60 | + for key in range(256): |
| 61 | + # print(chr(key)) |
| 62 | + # print(cookie_xor[i] ^ key) |
| 63 | + if cookie_xor[i] ^ key == ord(encoded_json[i]): |
| 64 | + print(i, cookie_xor[i]) |
| 65 | + solution.append(chr(key)) |
| 66 | + break |
| 67 | + |
| 68 | +print(solution) |
| 69 | +solution_str = ''.join(solution) |
| 70 | +print(solution_str) |
| 71 | +print(repr(solution_str)) |
| 72 | + |
| 73 | +print('\nNow modify cookie\n') |
| 74 | + |
| 75 | +xor_key = b'qw8J' |
| 76 | + |
| 77 | + |
| 78 | +# evil_encoded_json = '{"bgcolor":"#ffffff","showpassword":"yes"}' |
| 79 | +evil_encoded_json = b'{"showpassword":"yes","bgcolor":"#ffffff"}' |
| 80 | +# xor, b64, urlencode |
| 81 | + |
| 82 | +evil_xor = repeating_key_xor(evil_encoded_json, xor_key) |
| 83 | +evil_b64 = base64.b64encode(evil_xor) |
| 84 | +print(evil_b64) |
| 85 | +# evil_urlencode = urllib.parse.quote(evil_b64) |
| 86 | +# print(evil_urlencode) |
| 87 | + |