SSL 3.0 POODLE攻击信息泄露漏洞(CVE-2014-3566)

为什么80%的码农都做不了架构师？>>>   

OpenSSL 1.0.1i及之前版本中使用的SSL protocol 3.0版本中存在安全漏洞，该漏洞源于程序使用非确定性的CBC填充。攻击者可借助padding-oracle攻击利用该漏洞实施中间人攻击，获取明文数据。

 

测试代码：（1.0）

import ssl,socket,sys

SSL_VERSION={
	'SSLv3':ssl.PROTOCOL_SSLv3,
}

def check_ssl_version(version):
	try:
		https = ssl.SSLSocket(socket.socket(),ssl_version=SSL_VERSION.get(version))
		c = https.connect((ip,port))
		print version + ' Supported'
		return True
	except Exception as e:
		return False

USAGE = '==========\nKPoodle - SSL version and poodle attack vulnerability detect tool\n==========\nUsage: python kpoodle.py target port(default:443)\n\nby kingx'
try:
	ip = sys.argv[1]
except:
	print USAGE
	sys.exit()
try:
	port = int(sys.argv[2])
except:
	port = 443
try:
	report_file = sys.argv[3]
except:
	print USAGE
	sys.exit()

try:
	s = socket.socket().connect((ip,port))
except Exception as e:
	print e
	print 'Can not connect to the target!'
	sys.exit()

try:
	ssl3 = check_ssl_version('SSLv3')
	fp = open(report_file, 'a+')
	if ssl3:
		print '\nSSLv3 Poodle Vulnerable!'
		fp.write('SSLv3 Poodle Vulnerable!')
	else:
		print '\nNo SSLv3 Support!'
		fp.write('No SSLv3 Support!')
	fp.close()
except Exception as e:
	print e

 

转载于:https://my.oschina.net/665544/blog/1837082