旧版本的ASP.NET易受Padding Oracle攻击。仍然可以通过一些调整来强制执行“旧”行为。我在
blog
样本代码打开了
GitHub
.
我们将攻击VIEWSTATE区域。首先,需要禁用ViewState签名。为此,请确保web.config文件中有以下设置:
以及一个易受Padding Oracle攻击的示例.ashx文件:
using System;
using System.Linq;
using System.Reflection;
using System.Web;
using System.Web.Security;
using System.Text;
public class EncryptionHandler : IHttpHandler
{
static readonly byte[] secret = Encoding.UTF8.GetBytes("Some text to break.");
public void ProcessRequest(HttpContext context)
{
var viewState = context.Request.Form["VIEWSTATE"];
if (viewState == null) {
viewState = MachineKey.Encode(secret, MachineKeyProtection.Encryption);
context.Response.ContentType = "text/html";
context.Response.Write("
" +"" +
"
");return;
}
var v = MachineKey.Decode(viewState, MachineKeyProtection.Encryption);
context.Response.ContentType = "text/plain";
if (v.SequenceEqual(secret)) {
context.Response.Write("I know the secret");
} else {
context.Response.Write("Something is wrong with my secret.");
}
}
public bool IsReusable {
get {
return false;
}
}
}
现在,基于HTTP代码(密码无效时为HTTP 500),您可以尝试攻击该站点(如前所述
here
1070
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
