vulnerable_api.py

# This code simulates a vulnerable API susceptible to the padding oracle attack
# - The encryption algorithm used is AES in CBC mode with PKCS7 padding.
# - The interaction with the vulnerable API is by a "request" function. Specifically, the function returns True if a given payload can be decrypted and False otherwise.  
#
# author: @davimoreno
#

from Cryptodome.Cipher import AES
from Cryptodome.Random import get_random_bytes
from Cryptodome.Util.Padding import unpad

import binascii

key = b"1234567812345678"  # key
iv = b"abcdefghijklmnop" # iv
message = b"Hello, there. The angel from my nightmare. The shadow in the background of the morgue."
payload = "6162636465666768696a6b6c6d6e6f703adb5ef92d512dd533c9cf649e8eecef2ddf1bbfa06b5e2dfcb8d2852001ba387ada878834bb9962d3d80a65cc42c2a571275c6d05212e6a82c79ca5d03dc3b90059d43ce9c1cbf045632d14f82209cb52efc7c7fc385fb6d8cbb2ec76904aef"

def pad(data):
    # PKCS7 padding to ensure block size is 16 bytes.
    pad_length = 16 - (len(data) % 16)
    return data + bytes([pad_length] * pad_length)

def encrypt(message, key):
    #iv = get_random_bytes(16)
    iv = b"abcdefghijklmnop"
    cipher = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pad(message))
    
    return iv, ciphertext
    
def decrypt(ciphertext, key, iv):
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted_data = cipher.decrypt(ciphertext)
    
    plaintext = unpad(decrypted_data, AES.block_size)
    
    return plaintext

def request(payload):
    payload_bytes = binascii.unhexlify(payload)
    iv = payload_bytes[:16]
    ciphertext = payload_bytes[16:]
    
    try:
        message = decrypt(ciphertext, key, iv)
        return True
    except:
        return False
        
def main():
#    iv, ciphertext = encrypt(message, key)
#    payload = (iv + ciphertext).hex()

    print(pad(message))
    print(request(payload))

if __name__ == '__main__':
    main()