1

i'm having some trouble decrypting a string that was encrypted using openssl. I don't have access to change the encryption code, but i do have read access:

Encrypt code (unable to modify)

<?php 
$key = hex2bin("24a5d2b96b9aee2fb515c94fb36da508");
$encryptTxt = openssl_encrypt(
    "txt to encrypt",
    'AES-128-ECB',
    $key
);
?>

<a href="decrypt.php?un=<?php echo bin2hex(base64_decode($encryptTxt)) ?>">link</a>

Here is how I have attempted to decrypt:

decrypt.php


$ciphertext = $_GET['un'];

$cipher = "aes-128-ecb";
$key = hex2bin("24a5d2b96b9aee2fb515c94fb36da508");

$original_plaintext = openssl_decrypt($ciphertext, $cipher, $key);
echo "text= " . $original_plaintext;

The decrypted text is not returned on the decrypt page

oewebby
  • 37
  • 6
  • Works for me. Sounds like a WSOD is obscuring the actual error. https://stackoverflow.com/questions/845021/how-can-i-get-useful-error-messages-in-php – Sammitch Jun 19 '20 at 18:51
  • 1
    Also ECB is a hilariously bad cipher mode. See the image at the bottom of this wiki section: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB) – Sammitch Jun 19 '20 at 18:53
  • @Sammitch when you say it works for you, do you mean it actually decrypts or that you see an error? I'll see if my error reporting needs some tweaking if so – oewebby Jun 19 '20 at 19:17
  • @Sammitch re: ECB, i hear you, and thanks for that link - nice visual way to see what's going on. Fortunately the data being passed is not sensitive, it's more of a cosmetic situation i'm dealing with – oewebby Jun 19 '20 at 19:20

1 Answers1

1

SOLVED: I updated decrypt.php to the following and it returned the decrypted text

$ciphertext = $_GET['un'];
$ciphertext = hex2bin($ciphertext);
$ciphertext = base64_encode($ciphertext);

$cipher = "aes-128-ecb";
$key = hex2bin("24a5d2b96b9aee2fb515c94fb36da508");

$original_plaintext = openssl_decrypt($ciphertext, $cipher, $key);
echo "text= " . $original_plaintext;
oewebby
  • 37
  • 6
  • 1
    Ah, I assumed that it was a problem with the crypto, I didn't even see the encoding. If you pass `OPENSSL_RAW_DATA` as the 4th parameted to encrypt/decrypt you can skip the base64 encode/decode steps. – Sammitch Jun 19 '20 at 22:36