
Exploit AES-ECB in json.dump() [closed]

Çağlar Arlı

I want to exploit this Python code (the pycryptodome library is used) using the known-plaintext vulnerability of AES in ECB mode:

import base64
import json
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

# `key`, insert_space_every_16() and print_hex_blocks() are defined elsewhere in the program and are not shown here.
def get_user_token(name):
    cipher = AES.new(key=key, mode=AES.MODE_ECB)

    name = name.encode('utf-8').decode('latin-1')
    print('before tokenize name: ' + name)

    # the plaintext that gets encrypted: a JSON object with a fixed "admin": false field
    token = json.dumps({
        "username": name,
        "admin": False
    })
    print('after: ' + str(token))

    toenc = pad(token.encode(), AES.block_size)  # toenc is byte type (PKCS#7 padded to 16 bytes)

    print(insert_space_every_16(toenc.replace(b' ', b'_')))
    print(print_hex_blocks(bytes.hex(toenc)))
    enc_token = cipher.encrypt(toenc)  # ECB: each 16-byte block is encrypted independently

    return f"{base64.b64encode(enc_token).decode()}"

How can I exploit this code in order to obtain a ciphertext with "admin": True? There is a problem with the escaping of the function json.dump(), which does not allow characters like \x00, \x01, ..., \x0f.

The idea is to obtain a block with True}\x0b....\x0b and then paste it at the end.