Custom Base64 ?
#1
Hey !

I registered cause I saw a similar topic and well you guys cracked it out ...

I've been working on a pentest here, after founding couple SQLI and XSS I'm now working on the some kind of token you pass through cookies, and well you're then considered logged in if you have a correct one

after a quick test with Burp Sequencer it seems quite random but i'm sure it's not

it a two parter that goes like this : someB64lookingchars*somemore*

both sometimes end up with one or two dots(.)

both contains a-zA-Z0-9, but first one sometimes contains _ or -

both have a major repetitive part

I believe it to be custom alphabet Base64, cause when I decode it I get each time same structure(for the second part, and nothing for the first), but with weird chars

I coded in py something trying each alphabet possibility and lookinf for a coherent one, but it's a very time consuming solution, maybe a year I don't know .... so if you have better solution for me I take it !!!

Sample of first part 

Code:
AQIC5wM2LY4SfcwSi-WAEW4nRPOBFUSCATEDsaE9zUTc-LM.
AQIC5wM2LY4SfcxA0BdpH9sdVrQ5WOBFUSCATEDo468Puh0.
AQIC5wM2LY4SfcwONGMDb6_0exML9OBFUSCATEDShVd0OYI.
AQIC5wM2LY4Sfcxw01hmll4OBFUSCATEDBQWr1kbi3_VtDY.


Sample of second part


Code:
AAJTSQACMDIAAlNLABIxMjk1NjAxMjg1NDcOBFUSCATEDlMxAAIwMQ.
AAJTSQACMDIAAlNLABQtMjU4NDYxNzM0MTBOFUSCATEDOQACUzEAAjAx
AAJTSQACMDIAAlNLABQtODU0ODI5MjYwMTOBFUSCATEDNAACUzEAAjAx
AAJTSQACMDIAAlNLABM2MTE1NTQ4NjMxNTOBFUSCATEDAAJTMQACMDE
AAJTSQACMDIAAlNLABQtODU1OTEyOTgwMzOBFUSCATEDOAACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzE3MDY4NjUyNTOBFUSCATEDMQACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzI4Mjc0NjEwODOBFUSCATEDMwACUzEAAjAx


Decoded sample second part

Code:
 ☻SI ☻02 ☻SK ¶-HERE_GOES_PURE_INTS ☻S1 ☻01

and it's urlencoded version in case you can't see thoses beautifull smyleys Smile

Code:
%00%02SI%00%0202%00%02SK%00%14-HERE_GOES_PURE_INTS%00%02S1%00%0201


HERE_GOES_PURE_INTS is if it's unclear, 19 numbers like 65923230900000144855

I Obfuscated part of each sample for the forum rules

thanks




PYTHON CUSTOM B64 BRUTEFORCE

Code:
import string,base64,sys,re,time

alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

total = list("0")

lout = list("OOOO")

open('C:\Users\John\Desktop\pouet.txt', 'w').close()
open('C:\Users\John\Desktop\pouet2.txt', 'w').close()

file1 =  open('C:\Users\John\Desktop\pouet.txt', 'a+')
file2 =  open('C:\Users\John\Desktop\pouet2.txt', 'a+')

def dec(txt1,custom):

out = ""

for v in txt1: out += str(custom[string.find(Base64,v)])

out = base64.b64decode(out+"=")

if out != lout[0]:

un = re.search('([\a-zA-Z0-9\&~#"\'\{\(\[\-\]\)\}\$\]\+=\*/_,\.;:!<>\s @%]+){19,}',out)

if un:  
file2.write (out+"  :::::  "+custom+"\r\n")
total[0] = int(total[0])+1

else:  
file1.write (out+"  :::::  "+custom+"\r\n")




lout[0] = out


def dept(a1,t1,c1):

i = 0
for x in a1:
a2 = list(a1)
e1 = a2[i]
del a2[i]
if len(a2) > 0:
dept(a2,str(t1)+str(e1),c1)
else:

w = (t1+e1)[::-1]
c1.append(w)
sys.stdout.write(str(total[0])+" - "+w+"\r")
sys.stdout.flush()    

#if int(total[0]) > 2: sys.exit(str(total[0])+" :::::::::: ok :::::::::::::::   ")
dec("AAJTSQACMDIAAlNLABM3NTM2NzA0NTgzNDc5Nzg2NTg1AAJTMQACMDE",w)

i += 1

c1 = list()
dept(alphabet[::-1],"",c1)

sys.exit("out")


Messages In This Thread
Custom Base64 ? - by alert - 09-12-2015, 04:59 PM
RE: Custom Base64 ? - by alert - 09-15-2015, 03:03 PM