Merge pull request #611 from blacklanternsecurity/badsecrets
Badsecrets
This commit is contained in:
Carlos Polop
GitHub
commit
8a22e8590c
@ -96,6 +96,36 @@ AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0M
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) is another tool which can identify known machineKeys. It is written in Python, so unlike Blacklist3r, there is no Windows dependency. For .NET viewstates, there is a "python blacklist3r" utility, which is the quickest way to use it.
|
||||||
|
|
||||||
|
It can either be supplied with the viewstate and generator directly:
|
||||||
|
```
|
||||||
|
pip install badsecrets
|
||||||
|
git clone https://github.com/blacklanternsecurity/badsecrets
|
||||||
|
cd badsecrets
|
||||||
|
python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Or, it can connect directly to the target URL and try to carve the viewstate out of the HTML:
|
||||||
|
```
|
||||||
|
pip install badsecrets
|
||||||
|
git clone https://github.com/blacklanternsecurity/badsecrets
|
||||||
|
cd badsecrets
|
||||||
|
python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
To search for vulnerable viewstates at scale, in conjunction with subdomain enumeration, the `badsecrets` [**BBOT**]() module can be used:
|
||||||
|
|
||||||
|
```
|
||||||
|
bbot -f subdomain-enum -m badsecrets -t evil.corp
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
If you are lucky and the key is found,you can proceed with the attack using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
|
If you are lucky and the key is found,you can proceed with the attack using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -158,6 +188,15 @@ For a more detailed description for IISDirPath and TargetPagePath [refer here](h
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Or, with [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (with a generator value):
|
||||||
|
|
||||||
|
```
|
||||||
|
cd badsecrets
|
||||||
|
python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
Once a valid Machine key is identified, **the next step is to generate a serialized payload using** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
|
Once a valid Machine key is identified, **the next step is to generate a serialized payload using** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -194,6 +233,7 @@ out of band request with the current username
|
|||||||
* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
|
* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
|
||||||
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
|
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
|
||||||
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
||||||
|
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
|
|||||||
@ -76,7 +76,7 @@ Everything happened before the JSF implementation could have a look at the ViewS
|
|||||||
|
|
||||||
Now, what are the ingredients for a disaster?
|
Now, what are the ingredients for a disaster?
|
||||||
|
|
||||||
* unencrypted ViewState
|
* unencrypted ViewState (or, possession of the encryption key)
|
||||||
* Gadget on the classpath of the server
|
* Gadget on the classpath of the server
|
||||||
* In case of Mojarra: ViewState configured to reside on the `client`
|
* In case of Mojarra: ViewState configured to reside on the `client`
|
||||||
* In case of MyFaces: ViewState configured to reside on the `client` **or** the `server`
|
* In case of MyFaces: ViewState configured to reside on the `client` **or** the `server`
|
||||||
@ -209,6 +209,32 @@ else:
|
|||||||
print(GREEN + "[*] Saved to : {}".format(sys.argv[2]))
|
print(GREEN + "[*] Saved to : {}".format(sys.argv[2]))
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Known Key Detection with Badsecrets
|
||||||
|
|
||||||
|
 is a library capable of detecting the use of known cryptographic keys by looking at the products they produce, and checking against a list of known or weak keys. Its `Jsf_viewstate` module is capable of detecting Java Server Faces ViewStates created with known keys on both Mojarra and MyFaces, in addition to unprotected or compressed ViewStates.
|
||||||
|
|
||||||
|
The quickest way to use it is with the `cli.py` example tool as follows:
|
||||||
|
|
||||||
|
```
|
||||||
|
pip install badsecrets
|
||||||
|
git clone https://github.com/blacklanternsecurity/badsecrets
|
||||||
|
cd badsecrets
|
||||||
|
python examples/cli.py Ly8gp+FZKt9XsaxT5gZu41DDxO74k029z88gNBOru2jXW0g1Og+RUPdf2d8hGNTiofkD1VvmQTZAfeV+5qijOoD+SPzw6K72Y1H0sxfx5mFcfFtmqX7iN6Gq0fwLM+9PKQz88f+e7KImJqG1cz5KYhcrgT87c5Ayl03wEHvWwktTq9TcBJc4f1VnNHXVZgALGqQuETU8hYwZ1VilDmQ7J4pZbv+pvPUvzk+/e2oNeybso6TXqUrbT2Mz3k7yfe92q3pRjdxRlGxmkO9bPqNOtETlLPE5dDiZYo1U9gr8BBQ=
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
If it finds a match, it will also list the platform (Mojarra or MyFaces), the encryption algorithm in use, and whether compression was used or not, which are all essential for exploitation.
|
||||||
|
|
||||||
|
To search for vulnerable viewstates at scale, in conjunction with subdomain enumeration, the `badsecrets` [**BBOT**]() module can be used:
|
||||||
|
|
||||||
|
```
|
||||||
|
bbot -f subdomain-enum -m badsecrets -t evil.corp
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Final thoughts
|
# Final thoughts
|
||||||
|
|
||||||
Most facts about JSF ViewStates and their dangers presented in this blog post are not exactly new but it seems they were never presented in such a condensed way. It showed [once more](https://www.alphabot.com/security/blog/2017/net/How-to-configure-Json.NET-to-create-a-vulnerable-web-API.html) that seemingly harmless configuration changes can lead to serious vulnerabilities.
|
Most facts about JSF ViewStates and their dangers presented in this blog post are not exactly new but it seems they were never presented in such a condensed way. It showed [once more](https://www.alphabot.com/security/blog/2017/net/How-to-configure-Json.NET-to-create-a-vulnerable-web-API.html) that seemingly harmless configuration changes can lead to serious vulnerabilities.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user