from base64 import b64encode, b64decode from padd0r import PaddingOracle, Encoding import requests import logging # disable logging logging.getLogger("requests").setLevel(logging.CRITICAL) logging.getLogger("urllib3").setLevel(logging.WARNING) # Set the admin cookie! admin_cookie = "" def oracle(ct): url = "http://127.0.0.1:5000/po1" data = { "auth":b64encode(ct) } text = requests.get(url, cookies=data).text # distinguish between a padding error and a valid padding # .... # dont forget to return true on a valid padding and false on a wrong padding def decrypt(cookie): # ciphertext # verbosity can be 1 or 2 # which encodings are realistic? # pass the oracle functions as parameter po = PaddingOracle(cookie, verbosity=1, encoding=Encoding.b64, oracle=oracle) po.set_output("hex") # decrypt the blocks decrypt(admin_cookie)