import aes
import os
import string
import util
import zlib
# Fresh random 16-byte key for every run; the length oracle never reveals it.
key = os.urandom(16)

# The secret cookie value embedded in every simulated request (looks Base64-encoded).
# It is hard-coded here only because this is a self-contained lab exercise.
sessionId = "TmV2ZXIgcmV2ZWFsIHRoZSBXdS1UYW5nIFNlY3JldCE="
def oracle(p):
    """Return the ciphertext length of a compressed, encrypted request carrying *p*.

    The request places the secret ``sessionId`` and the caller-supplied body
    *p* in the same buffer, compresses that buffer with zlib, and only then
    encrypts it. Only the length of the result is returned.

    Security note: encryption hides content, not size. Because the secret and
    the caller-controlled data share one compression context, the output
    length depends on how much of *p* repeats the secret. That is the side
    channel this exercise demonstrates. The usual mitigation is to avoid
    compressing secrets together with attacker-influenced data.

    NOTE(review): ``aes.encrypt_ctr`` and ``util.randomUint64`` are project
    helpers not visible here; presumably CTR output length tracks input
    length. Confirm against the ``aes`` module.
    """
    # A new nonce per request, drawn before the request is built.
    nonce = util.randomUint64()
    request = (
        'POST / HTTP/1.1\n'
        'Host: hapless.com\n'
        'Cookie: sessionid=%s\n'
        'Content-Length: %d\n'
        '%s'
    ) % (sessionId, len(p), p)
    compressed = zlib.compress(request)
    ciphertext = aes.encrypt_ctr(compressed, key, nonce)
    return len(ciphertext)
def argmin_strict(lens):
    """Return the index of the unique smallest entry of *lens*, else None.

    None is returned when the minimum value occurs more than once. Ties among
    larger values do not matter. An empty or single-element sequence yields
    index 0, because no comparison is ever made.
    """
    winner = 0
    unique = True
    for idx, length in enumerate(lens[1:], start=1):
        smallest = lens[winner]
        if length < smallest:
            # A strictly smaller value clears any earlier tie.
            winner, unique = idx, True
        elif length == smallest:
            unique = False
    return winner if unique else None
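def guessSessionId():
    """Rebuild the cookie line one character at a time from oracle lengths.

    Each round appends every character of the Base64 alphabet (plus the
    newline that ends the header line) to the known prefix and asks
    ``oracle`` for the resulting length. A candidate that yields a uniquely
    shortest output is taken as the next character. The loop stops at the
    terminating newline, or as soon as no candidate is uniquely shortest.

    The search works only because the secret is compressed together with
    caller-controlled data. Separating the two, or not compressing at all,
    removes the length signal.

    Returns:
        The prefix recovered so far, starting with ``"Cookie: sessionid="``.
        It is complete only if it ends with a newline.
    """
    base = "Cookie: sessionid="
    charset = string.ascii_lowercase + string.ascii_uppercase + string.digits + '+/=' + '\n'
    # While not at end of cookie:
    while base[-1] != '\n':
        print(base)
        best = argmin_strict([oracle(base + guess) for guess in charset])
        # argmin_strict signals a tie with None. Index 0 (the character 'a')
        # is a valid result, so a truthiness test would misreport it as a tie.
        if best is None:
            print('tie :(')
            break
        base += charset[best]
    return base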
# Run the demonstration only when executed as a script, not when imported.
if __name__ == '__main__':
    guessSessionId()