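Today on Cnblogs (博客园) I saw a report about a security vulnerability in ASP.NET. Roughly: a hacker can download an ASP.NET site's core file (WEB.CONFIG), and I estimate that arbitrary files, such as the database, can be downloaded as well.
This bug is basically fatal, yet the description on Cnblogs was very brief. I read it for a long time without understanding what it meant or how the attack works, so I dug further. Here are some of the details.
Microsoft's original post: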
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
How a hacker launches the attack:
To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.
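
A defender's view of the "many such requests" pattern described above, as an added example that is not part of the original post or of Microsoft's advisory: it scans web-server log lines for one client sending many different encrypted values to one endpoint and getting almost only error responses back. The log field order, the `/handler.axd` path, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

ERROR_STATUSES = {"404", "500"}  # assumption: the error codes a probing client compares
MIN_REQUESTS = 20                # assumption: tune to the site's normal traffic
MIN_ERROR_RATIO = 0.9            # assumption: share of responses that are errors

def parse(line):
    """Split one line. Assumed order: date time c-ip method path query status."""
    _date, _time, ip, _method, path, query, status = line.split()
    return ip, path, query, status

def find_oracle_probing(lines):
    """Return {(ip, path): stats} for clients that send many different
    encrypted values to one endpoint and receive almost only errors."""
    seen = defaultdict(lambda: {"total": 0, "errors": 0, "values": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        ip, path, query, status = parse(line)
        s = seen[(ip, path)]
        s["total"] += 1
        s["errors"] += status in ERROR_STATUSES
        s["values"].add(query)
    flagged = {}
    for key, s in seen.items():
        ratio = s["errors"] / s["total"]
        if (s["total"] >= MIN_REQUESTS and ratio >= MIN_ERROR_RATIO
                and len(s["values"]) >= MIN_REQUESTS):
            flagged[key] = {"requests": s["total"],
                            "error_ratio": round(ratio, 2),
                            "distinct_values": len(s["values"])}
    return flagged

def sample_log():
    """Constructed log lines: one probing client and one ordinary visitor."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    for i in range(40):  # many requests, each with a different value, all failing
        status = "404" if i % 8 == 0 else "500"
        lines.append(f"2010-09-20 10:00:{i:02d} 203.0.113.7 GET "
                     f"/handler.axd d={i:032x} {status}")
    for i, status in enumerate(["200", "200", "404", "200"]):  # normal browsing
        lines.append(f"2010-09-20 10:01:{i:02d} 198.51.100.4 GET "
                     f"/handler.axd d=aaaa {status}")
    return lines

if __name__ == "__main__":
    for (ip, path), stats in find_oracle_probing(sample_log()).items():
        print(ip, path, stats)
```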