I have had many question regarding Padbusterdotnet after our previous post Investigating .NET Padding Oracle Exploitation. Here I'll try to answer some of them.
How can I download the Web.config?
Since Microsoft patches are already out now I will disclose how to download the files remotely. Padbuster v0.2 and Pudbusterdotnet cannot alone download the Web.config. For achieving this result I have made a Poc that you can find here.
Update 04/10/10: A couple of days after the release of our initial exploit Brian Holyfield added these (and more features) in Padbuster v0.3. Now Padbuster is a swiss army knife to fully exploit .NET Ajax handlers.
Read more: MINDED SECURITY BLOG
Posts
