Exploit AES-ECB in json.dump() [closed]
I want to exploit this python code (pycryptodome library is used) using the known-plaintext vulnerability of AES in ECB mode:
import base64
import json
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

key = b'0123456789abcdef'  # placeholder 16-byte key; the real key is not shown in the question

def insert_space_every_16(b):
    # debug helper, body assumed (not shown in the question): split bytes into 16-byte blocks
    return b' '.join(b[i:i + 16] for i in range(0, len(b), 16))

def print_hex_blocks(h):
    # debug helper, body assumed (not shown in the question): split a hex string into 16-byte blocks
    return ' '.join(h[i:i + 32] for i in range(0, len(h), 32))

def get_user_token(name):
    cipher = AES.new(key=key, mode=AES.MODE_ECB)
    name = name.encode('utf-8').decode('latin-1')
    print('before tokenize name: ' + name)
    token = json.dumps({
        "username": name,
        "admin": False
    })
    print('after: ' + str(token))
    toenc = pad(token.encode(), AES.block_size)  # toenc is bytes
    print(insert_space_every_16(toenc.replace(b' ', b'_')))
    print(print_hex_blocks(bytes.hex(toenc)))
    enc_token = cipher.encrypt(toenc)  # ECB: each 16-byte block encrypted independently
    return f"{base64.b64encode(enc_token).decode()}"
How can I exploit this code in order to obtain a ciphertext with "admin": True? There is a problem with the escaping of the function json.dump(), which does not allow characters like \x00, \x01, ..., \x0f. The idea is to obtain a block with True}\x0b....\x0b and then paste it at the end.