-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathlen_ext_attack.py
More file actions
65 lines (44 loc) · 1.59 KB
/
Copy pathlen_ext_attack.py
File metadata and controls
65 lines (44 loc) · 1.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
#!/usr/bin/python3
# Run me like this:
# $ python3 len_ext_attack.py "http://cpsc4200.mpese.com/uniqname/lengthextension/api?token=...."
# or select "Length Extension" from the VS Code debugger
import sys
from urllib.parse import quote
from pysha256 import sha256, padding
class URL:
def __init__(self, url: str):
# prefix is the slice of the URL from "http://" to "token=", inclusive.
self.prefix = url[:url.find('=') + 1]
self.token = url[url.find('=') + 1:url.find('&')]
# suffix starts at the first "command=" and goes to the end of the URL
self.suffix = url[url.find('&') + 1:]
def __str__(self) -> str:
return f'{self.prefix}{self.token}&{self.suffix}'
def __repr__(self) -> str:
return f'{type(self).__name__}({str(self).__repr__()})'
def main():
if len(sys.argv) < 2:
print(f"usage: {sys.argv[0]} URL_TO_EXTEND", file=sys.stderr)
sys.exit(-1)
url = URL(sys.argv[1])
#
# TODO: Modify the URL
#
print(url.token)
print(url.suffix)
orig_msg = url.suffix.encode()
secret_length = 8
orig_len = len(orig_msg) + secret_length
padded_message = orig_msg + padding(orig_len)
padded_len = len (padded_message)
h1 = sha256(state=bytes.fromhex(url.token), count=padded_len)
x = "&command=UnlockSafes"
h1.update(x.encode())
# print(h2.hexdigest())
newToken = h1.hexdigest()
url.token = newToken # + padding and suffix?
url.suffix += quote(padding(orig_len)) + quote(x)
print(newToken)
print(url)
if __name__ == '__main__':
main()