Prerequisites:
The attack is almost similar to ECB Byte at a time attack, and the exploit script will also be the same in both cases. They only differ in their computations, since in CBC mode plaintext is XORed with the ciphertext of the previous block, but we don't have to worry about it in our attack, since the server does the job. You can read about the attack in detail here
Check out an example for this attack here