PoC details: 5c745c662b0127664f84cbcd902199c036de9ca8

Source
Related vulnerability
Title: ASP.NET AJAX and Sitefinity Progress Telerik UI security vulnerability (CVE-2017-9248)
Description: ASP.NET AJAX is a set of controls for ASP.NET; Sitefinity is an open-source platform for building enterprise websites and intranets. Progress Telerik UI is a UI (user interface) for ASP.NET controls handling AJAX, developed by the US company Telerik. The Telerik.Web.UI.dll of Progress Telerik UI in versions of ASP.NET AJAX before R2 2017 SP1 and of Sitefinity before 10.0.6412.0 contains a security vulnerability, which stems from the program not properly protecting Telerik.
Description
Another tool for exploiting CVE-2017-9248, a cryptographic weakness in the Telerik UI for ASP.NET AJAX dialog handler.
Introduction
# dp_cryptomg

[![Black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
![License](https://img.shields.io/badge/license-GPLv3-FF8400.svg)

Another tool for exploiting CVE-2017-9248, a cryptographic weakness in the Telerik UI for ASP.NET AJAX dialog handler. Exploitation leads to access to a file manager utility capable of uploading arbitrary files, usually leading to remote code execution.

The vulnerability is caused by an information leak via error messages during decryption of the Telerik "DialogParameters", which are a series of encrypted configuration values. These values are provided to the user and then echoed back to the server as user input. The leaked information about the decryption process allows for systematic discovery of the `Telerik.Web.UI.DialogParametersEncryptionKey`. For a deep-dive into the vulnerability and how the tool works, visit our blog post at: [https://blog.blacklanternsecurity.com/p/yet-another-telerik-ui-revisit](https://blog.blacklanternsecurity.com/p/yet-another-telerik-ui-revisit).

![dp_cryptomg_Trim](https://user-images.githubusercontent.com/24899338/193930865-20e6ac1e-fdeb-4435-8415-fda74e2ade05.gif)

# Acknowledgements

* The original tool for exploiting CVE-2017-9248 [dp_crypto](https://github.com/bao7uo/dp_crypto) was invaluable for building this one. Not to mention, it's netted us plenty of RCEs over the years :)

* Research by SR Labs in their blog post [Achieving Telerik Remote Code Execution 100 Times Faster](https://www.srlabs.de/bites/telerik-100-times-faster) was the basis for the technique used in this tool and inspired us to create it.

# Usage

Example (basic usage):

```
python3 dp_cryptomg.py http://example.com/Telerik.Web.UI.DialogHandler.aspx
```

Example (setting a custom key length and using a proxy):

```
python3 dp_cryptomg.py -l 40 -p http://127.0.0.1:8080 http://example.com/Telerik.Web.UI.DialogHandler.aspx
```

```
usage: dp_cryptomg.py [-h] [-d] [-c COOKIE] [-k KNOWN_KEY] [-v VERSION] [-l LENGTH] [-p PROXY] [-s] [-S] url

positional arguments:
  url                   The target URL

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable debugging mode
  -c COOKIE, --cookie COOKIE
                        Add optional cookie header to every request
  -k KNOWN_KEY, --known-key KNOWN_KEY
                        The partial or complete known key, in HEX format
  -v VERSION, --version VERSION
                        Specify the Telerik version, if known
  -l LENGTH, --length LENGTH
                        The length of the key, if known
  -p PROXY, --proxy PROXY
                        Optionally set an HTTP proxy
  -s, --simple          Turn off the fancy interface
  -S, --super-simple    Turn off the fancy interface and show minimal output
```

# Features
- Increased speed over previous tools
- Capable of recovering the key from both the `Telerik.Web.UI.DialogHandler.aspx` and the `Telerik.Web.UI.SpellCheckHandler.axd` endpoints
- Built-in HTTP proxy support
- Capable of adding a custom cookie header to each request
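A detection-side check, added here and not part of dp_cryptomg: recovering the key through CVE-2017-9248 requires many requests to one of the two handler endpoints listed above, so a single client exceeding a request threshold inside a short window stands out in access logs. The log line format, addresses and thresholds below are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Handler endpoints named in the README's Features section.
HANDLER_RE = re.compile(
    r"/Telerik\.Web\.UI\.(DialogHandler\.aspx|SpellCheckHandler\.axd)$", re.I
)
# Constructed log shape (an assumption): "<ISO-8601 time> <client-ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client_ip, path without query string), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, path, _status = m.groups()
    return datetime.fromisoformat(ts), ip, path.split("?", 1)[0]


def find_oracle_bursts(lines, threshold=50, window=timedelta(minutes=5)):
    """Return {client_ip: peak_count} for clients whose handler requests exceed
    `threshold` inside any sliding `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # client_ip -> handler-request timestamps in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if not HANDLER_RE.search(path):
            continue  # ordinary page traffic is not counted
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


# Constructed sample: 10.0.0.9 makes two benign requests; 10.0.0.5 sends 80
# handler requests in 80 seconds, the shape of an automated key-recovery run.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = [
    f"{_T0.isoformat()} 10.0.0.9 GET /index.aspx 200",
    f"{_T0.isoformat()} 10.0.0.9 GET /Telerik.Web.UI.DialogHandler.aspx 200",
] + [
    f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 POST /Telerik.Web.UI.DialogHandler.aspx 200"
    for i in range(80)
]
```

Running `find_oracle_bursts(SAMPLE_LOG)` flags only 10.0.0.5; the benign client with a single handler request never crosses the threshold.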

# Important Notes
- If the key length is not the default length of 48, you must manually specify the length with the `-l` parameter
- If you experience issues with the "fancy" interface, you can disable it with the `-s` or `-S` options. This will also slightly increase the speed of the exploitation process.

# References

- CVE-2017-9248 - [https://nvd.nist.gov/vuln/detail/CVE-2017-9248](https://nvd.nist.gov/vuln/detail/CVE-2017-9248)
- Telerik Knowledge Base Cryptographic Weakness - [https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-cryptographic-weakness](https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-cryptographic-weakness)
- dp_crypto - [https://github.com/bao7uo/dp_crypto](https://github.com/bao7uo/dp_crypto)
- Telerik 100 Times Faster - [https://www.srlabs.de/bites/telerik-100-times-faster](https://www.srlabs.de/bites/telerik-100-times-faster)
- Pwning Web Applications via Telerik Web UI - [https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html](https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html)
File snapshot

```
[4.0K] /data/pocs/5c745c662b0127664f84cbcd902199c036de9ca8
├── [5.0K] dp_cryptomg.py
├── [4.8K] dp_manual_crypt.py
├── [4.0K] lib
│   ├── [1.7K] constants.py
│   ├── [ 16K] dpcryptolib.py
│   ├── [   0] __init__.py
│   ├── [5.6K] simpleterminalview.py
│   └── [ 13K] terminalview.py
├── [ 34K] LICENSE
├── [ 19K] poetry.lock
├── [ 526] pyproject.toml
├── [4.1K] README.md
├── [ 968] requirements.txt
└── [1.7K] test_manual_crypt.py

1 directory, 13 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.