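Related vulnerability
Title:
ASP.NET AJAX and Sitefinity Progress Telerik UI security vulnerability
(CVE-2017-9248)
Description: ASP.NET AJAX is a set of controls for ASP.NET; Sitefinity is an open-source platform for building enterprise websites and intranets. Progress Telerik UI is a UI (user interface) of ASP.NET controls for AJAX, developed by the US company Telerik. Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and in Sitefinity before 10.0.6412.0 contains a security vulnerability, which stems from the program not properly protecting Telerik.
Description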
A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to CVE-2017-9248.
Introduction
# Telewreck
A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to [CVE-2017-9248](https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness). This extension is based on the original exploit tool written by Paul Taylor ([@bao7uo](https://twitter.com/bao7uo)) which is available at [https://github.com/bao7uo/dp_crypto](https://github.com/bao7uo/dp_crypto). Credits and big thanks to him.
A related blog post on how to exploit web applications via Telerik Web UI can also be found [here](https://capt-meelo.github.io/pentest/2018/08/03/pwning-with-telerik.html).
### Features
* Detect vulnerable versions of Telerik Web UI during passive scans.
* Bruteforce the key and discover the "Document Manager" link just like the original exploit tool.
### Installation
1. Download [telewreck.py](https://raw.githubusercontent.com/capt-meelo/Telewreck/master/telewreck.py) to your machine.
2. Install Python's **requests** module using `sudo pip install requests`.
3. In Burp, go to the _**Extender > Options**_ tab. Then, under the **Python Environment** section, set the location of your **jython-standalone-2.7.0.jar** file and the directory where Python's requests module is installed.
4. Go to the _**Extender > Extensions**_ tab, then click the _**Add**_ button. In the new window, browse to the location of **telewreck.py** and click the _**Next**_ button.
5. If there are no errors, the **Telewreck** tab will appear in Burp.

### Notes
1. This extension requires Python's **requests** module. Just run `pip install requests` to install it.
2. The text area under the Telewreck tab doesn't function as a console, so `stdout` and `stderr` output cannot be seen there. However, you can view it under the **Output** and **Errors** sections of the **Extender** tab.
3. Before running another bruteforce, cancel the current process first by clicking the **Cancel** button.
4. If the key can't be bruteforced, then probably the key has been set up securely and/or the application is not using a default installation of Telerik.
5. If the key can't be bruteforced and/or there are some issues, it's recommended to fall back to the original exploit tool.
### To Do
1. Locate Telerik.Web.UI.DialogHandler.aspx
<br>
<br>
_**PS:** This is my first time developing a tool so apologies for the poor coding style. Feel free to contribute and improve the development of this tool._
_**Disclaimer:** This tool is created for educational purposes only._
File snapshot
[4.0K] /data/pocs/75ad3c7bbbdb731cc9586d0e0160f49fe672a552
├── [4.0K] images
│ ├── [265K] 01.png
│ ├── [235K] 02.png
│ ├── [183K] 03.png
│ ├── [313K] 04.png
│ └── [227K] 05.png
├── [1.0K] LICENSE
├── [2.9K] README.md
└── [ 17K] telewreck.py
1 directory, 8 files