You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
### Test case 1.5 – Like Test case 1 but the ViewState cookie isn't sent by the server
45
+
### Test case 1.5 – Like Test case 1 but the ViewState hidden field isn't sent by the server
46
46
47
-
Developers can **remove ViewState** from becoming part of an HTTP Request (the user won't receive this cookie).\
47
+
Developers can **remove ViewState** from the **server response**(the user won't receive this hidden field).\
48
48
One may assume that if **ViewState** is **not present**, their implementation is **secure** from any potential vulnerabilities arising with ViewState deserialization.\
49
49
However, that is not the case. If we **add ViewState parameter** to the request body and send our serialized payload created using ysoserial, we will still be able to achieve **code execution** as shown in **Case 1**.
50
50
@@ -77,50 +77,48 @@ You can try to use [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/N
--encrypteddata : __VIEWSTATE parameter value of the target application
80
-
--modifier : __VIWESTATEGENERATOR parameter value
80
+
--modifier : __VIEWSTATEGENERATOR parameter value
81
81
```
82
82
83
-
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) is another tool which can identify known machineKeys. It is written in Python, so unlike Blacklist3r, there is no Windows dependency. For .NET viewstates, there is a "python blacklist3r" utility, which is the quickest way to use it.
83
+
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) is another tool which can identify known `machineKey` values. It is written in Python, so unlike Blacklist3r, there is no Windows dependency. The old standalone `blacklist3r.py` helper was removed, so the **current** workflow is to use the main `badsecrets` CLI in URL mode:
84
84
85
-
It can either be supplied with the viewstate and generator directly:
This mode carves the response for cryptographic artifacts and tests any discovered `__VIEWSTATE` / `__VIEWSTATEGENERATOR` values against the built-in `machineKey` corpus.
95
91
96
-
Or, it can connect directly to the target URL and try to carve the viewstate out of the HTML:
92
+
If the page uses **split ViewState**, reassemble all parts before manual testing:
Concatenate `__VIEWSTATE`, `__VIEWSTATE1`, `__VIEWSTATE2`, and so on in order. Modern `badsecrets` already handles `__VIEWSTATEFIELDCOUNT` reassembly automatically.
106
102
107
-
To search for vulnerable viewstates at scale, in conjunction with subdomain enumeration, the `badsecrets`[**BBOT**](exploiting-__viewstate-parameter.md) module can be used:
103
+
If the application **doesn't render `__VIEWSTATE`at all**, don't stop there: modern `badsecrets` can also test `WebResource.axd` and `ScriptResource.axd` tokens (`ASPNET_Resource`) against known `machineKey` values, which is useful when the page only exposes ASP.NET resource URLs.
108
104
109
-
```
105
+
To search for vulnerable targets at scale, in conjunction with subdomain enumeration, the `badsecrets`[**BBOT**](https://github.com/blacklanternsecurity/bbot) module can be used:
In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent**by the server you **don't**need to **provide**the `--generator` parameter **but these ones**:
121
+
Recent `ysoserial.net` documentation explicitly notes that `--generator` is mainly useful for **.NET <= 4.0**/ legacy mode. When `__VIEWSTATEGENERATOR` is **not**exposed, or the target runs **.NET 4.5+**, use the real page and app paths instead:
124
122
125
123
```bash
126
124
--apppath="/" --path="/hello.aspx"
@@ -169,13 +167,13 @@ We can force the usage of ASP.NET framework by specifying the below parameter in
169
167
<httpRuntimetargetFramework="4.5" />
170
168
```
171
169
172
-
Alternatively, this can be done by specifying the below option inside the `machineKey`paramter of web.config file.
170
+
Alternatively, this can be done by specifying the below option inside the `machineKey`parameter of the `web.config` file.
173
171
174
172
```bash
175
173
compatibilityMode="Framework45"
176
174
```
177
175
178
-
As in the previous the **value is encrypted.** Then, to send a **valid payload the attacker need the key**.
176
+
As in the previous case, the **value is encrypted**. To send a **valid payload**, the attacker **needs the key**.
179
177
180
178
You can try to use [**Blacklist3r(AspDotNetWrapper.exe)**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key being used:
For a more detailed description for IISDirPath and TargetPagePath [refer here](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
191
189
192
-
Or, with [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (with a generator value):
190
+
Or, with [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets), let URL mode carve the page and test the captured ViewState / generator automatically:
@@ -221,9 +219,9 @@ You need to use one more parameter in order to create correctly the payload:
221
219
222
220
### Result of a Successful Exploitation <ahref="#poc"id="poc"></a>
223
221
224
-
For all the test cases, if the ViewState YSoSerial.Net payload works **successfully** then the server responds with “**500 Internal server error**” having response content “**The state information is invalid for this page and might be corrupted**” and we get the OOB reques.
222
+
For all the test cases, if the ViewState YSoSerial.Net payload works **successfully** then the server often responds with a `500 Internal Server Error` containing text such as `The state information is invalid for this page and might be corrupted`, while the **out-of-band request still fires**.
225
223
226
-
Check for [further information here](<https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/deserialization/[**https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)/README.md>)
224
+
For more background on this behavior, review the [NotSoSecure writeup](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/).
227
225
228
226
### Dumping ASP.NET Machine Keys via Reflection (SharPyShell/SharePoint ToolShell)
229
227
@@ -246,24 +244,26 @@ public void Page_Load(object sender, EventArgs e)
246
244
</script>
247
245
```
248
246
249
-
Requestingthepageprintsthe**ValidationKey**, **DecryptionKey**, theencryptionalgorithmandtheASP.NETcompatibilitymode. Thesevaluescannowbefedstraightinto**ysoserial.net**tocreateavalid, signed `__VIEWSTATE` gadget:
247
+
Requestingthepageprintsthe**ValidationKey**, **DecryptionKey**, theencryptionalgorithmandtheASP.NETcompatibilitymode. Thesevaluescannowbefedstraightinto**ysoserial.net**tocreateavalid, signed `__VIEWSTATE` gadget. For**modern**targetsprefertherealpath-basedderivation:
Use `--generator` and `--islegacy` onlywhenyouknowthepageisusingthe **legacy** signinglogic (**.NET <= 4.0**). Ifyouneedtheexactflagcombinationsafterobtainingthekeys, checkthe [sister page about exploiting ViewState when the secret is known](exploiting-__viewstate-knowing-the-secret.md).
0 commit comments