+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: Custom Base64 ? (/thread-4670.html)
Custom Base64 ? - alert - 09-12-2015
Hey !
I registered cause I saw a similar topic and well you guys cracked it out ...
I've been working on a pentest here, after founding couple SQLI and XSS I'm now working on the some kind of token you pass through cookies, and well you're then considered logged in if you have a correct one
after a quick test with Burp Sequencer it seems quite random but i'm sure it's not
it a two parter that goes like this : someB64lookingchars*somemore*
both sometimes end up with one or two dots(.)
both contains a-zA-Z0-9, but first one sometimes contains _ or -
both have a major repetitive part
I believe it to be custom alphabet Base64, cause when I decode it I get each time same structure(for the second part, and nothing for the first), but with weird chars
I coded in py something trying each alphabet possibility and lookinf for a coherent one, but it's a very time consuming solution, maybe a year I don't know .... so if you have better solution for me I take it !!!
Sample of first part
Code:
AQIC5wM2LY4SfcwSi-WAEW4nRPOBFUSCATEDsaE9zUTc-LM.
AQIC5wM2LY4SfcxA0BdpH9sdVrQ5WOBFUSCATEDo468Puh0.
AQIC5wM2LY4SfcwONGMDb6_0exML9OBFUSCATEDShVd0OYI.
AQIC5wM2LY4Sfcxw01hmll4OBFUSCATEDBQWr1kbi3_VtDY.Sample of second part
Code:
AAJTSQACMDIAAlNLABIxMjk1NjAxMjg1NDcOBFUSCATEDlMxAAIwMQ.
AAJTSQACMDIAAlNLABQtMjU4NDYxNzM0MTBOFUSCATEDOQACUzEAAjAx
AAJTSQACMDIAAlNLABQtODU0ODI5MjYwMTOBFUSCATEDNAACUzEAAjAx
AAJTSQACMDIAAlNLABM2MTE1NTQ4NjMxNTOBFUSCATEDAAJTMQACMDE
AAJTSQACMDIAAlNLABQtODU1OTEyOTgwMzOBFUSCATEDOAACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzE3MDY4NjUyNTOBFUSCATEDMQACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzI4Mjc0NjEwODOBFUSCATEDMwACUzEAAjAxDecoded sample second part
Code:
☻SI ☻02 ☻SK ¶-HERE_GOES_PURE_INTS ☻S1 ☻01and it's urlencoded version in case you can't see thoses beautifull smyleys
Code:
%00%02SI%00%0202%00%02SK%00%14-HERE_GOES_PURE_INTS%00%02S1%00%0201HERE_GOES_PURE_INTS is if it's unclear, 19 numbers like 65923230900000144855
I Obfuscated part of each sample for the forum rules
thanks
PYTHON CUSTOM B64 BRUTEFORCE
Code:
import string,base64,sys,re,time
alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
total = list("0")
lout = list("OOOO")
open('C:\Users\John\Desktop\pouet.txt', 'w').close()
open('C:\Users\John\Desktop\pouet2.txt', 'w').close()
file1 = open('C:\Users\John\Desktop\pouet.txt', 'a+')
file2 = open('C:\Users\John\Desktop\pouet2.txt', 'a+')
def dec(txt1,custom):
out = ""
for v in txt1: out += str(custom[string.find(Base64,v)])
out = base64.b64decode(out+"=")
if out != lout[0]:
un = re.search('([\a-zA-Z0-9\&~#"\'\{\(\[\-\]\)\}\$\]\+=\*/_,\.;:!<>\s @%]+){19,}',out)
if un:
file2.write (out+" ::::: "+custom+"\r\n")
total[0] = int(total[0])+1
else:
file1.write (out+" ::::: "+custom+"\r\n")
lout[0] = out
def dept(a1,t1,c1):
i = 0
for x in a1:
a2 = list(a1)
e1 = a2[i]
del a2[i]
if len(a2) > 0:
dept(a2,str(t1)+str(e1),c1)
else:
w = (t1+e1)[::-1]
c1.append(w)
sys.stdout.write(str(total[0])+" - "+w+"\r")
sys.stdout.flush()
#if int(total[0]) > 2: sys.exit(str(total[0])+" :::::::::: ok ::::::::::::::: ")
dec("AAJTSQACMDIAAlNLABM3NTM2NzA0NTgzNDc5Nzg2NTg1AAJTMQACMDE",w)
i += 1
c1 = list()
dept(alphabet[::-1],"",c1)
sys.exit("out")RE: Custom Base64 ? - alert - 09-15-2015
....
well now i'm trying to decode just the first few letter "AAJTSQA" since I have 3 time a A i'm saving some precious time ...
Now in the millions of result i'm looking for some known syntax but till now nothing coherent ...
what if thoses special chars in with the normal alphabet are made for a special backe end like Java or something like that ? is it possible ?