Keys flagged but don't seem to work #158

Open
random-robbie opened this issue Dec 18, 2024 · 5 comments

Comments

@random-robbie

random-robbie commented Dec 18, 2024

Hey,

During a test I got these come back...

 __ )              |                                |
 __ \    _` |   _` |   __|   _ \   __|   __|   _ \  __|   __|
 |   |  (   |  (   | \__ \   __/  (     |      __/  |   \__ \
____/  \__,_| \__,_| ____/ \___| \___| _|    \___| \__| ____/

v0.6.21

Known Secret Found!

Detecting Module: ASPNET_Viewstate

Product Type: ASP.NET Viewstate
Product: Viewstate: 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 Generator: 27842C6F
Secret Type: ASP.NET MachineKey
Location: body
Secret: validationKey: 87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC validationAlgo: SHA1 encryptionKey: E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7 encryptionAlgo: AES
Severity: CRITICAL
Details: Mode [DOTNET45]

Tried to exploit the site for the client but wasn't able to.

Threw the keys into blacklist3r (ASP version) to confirm it can decode them and got this. I'm thinking this is a false positive, as the original blacklist3r should be able to decode the viewstate if the keys are correct.

type test.txt
87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC,E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7
E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7,87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC

bigfix@BIGFIX C:\Users\bigfix\Downloads\AspDotNetWrapper>AspDotNetWrapper.exe --keypath test.txt --encrypteddata "y4QaoBx2GBiLVt/52Pt9Q993e/NiVmdexFdnFxyEL6X0QJRfWTKHMYiAY4bXNVWSHsvkCenKDATanKElOiq26BVrXJzhnJpAwjF35xNo9paMv5BprUY61fz8JWb1XFzVEDhv/GyDJqSndGiGKJzC+EGx/ot5o4Ig04ZSUq34ZWla2u4/CAlNxlrotQDHEVVDMmjDNUi
LSY8ojc5JJJBypbje4DMJ0hfPK8ZEq5YNKmpyUcPGVqcXwSMMGgAcVI50q8+03eyhmT9TGQcFvuaESzVIsYQ5HjON0jXRpXiZ6LKuPZTV1dTZjaxWcUX757AJcaPOEN3cmjTB+x9l9QXm2vC5Etv9fad8GBoeR9DqajgAbgvbEDNxkgkc9zvIEVIy3BOPG4sQgPMoB+tSzhYw7QePlKffYAAaXocrjh6BbZdJMV7sDlhEGwlYyFSdUThvDwIP9WsWtPRSi+omZwt8+7J2HEDLij0g3F2UKDi5MLqN+OutWTiYo5i1P+ctWWiR
lqd/BoHbDauRYjupQUwbvILM+rZGaPxhy/C0IZsfZALK2Gd0x4iPV44rhu1N4gIgqpKarqfwHCOX6XlJfGCihjId37tRE8MJBH0xF667CYrDIDD+8v5tTBYlihqsfUr1fyX9VnjBw6wtPB1l5DbcOSofy1nSakjuUhuuIbHaiKJFShBLu55uy4I5+ma0dSfwIpCUag== " --decrypt --purpose=viewstate --modifier=27842C6F --macdecode


Decode process start!!

Pocessing machinekeys TripleDES,HMACSHA512: 2/2..............

Keys not found!!
@liquidsec
Collaborator

Are you getting the same result every time, or did it only happen once?

@liquidsec
Collaborator

I wouldn't necessarily assume BlackList3r is going to get it; there were definitely a few edge cases I got working that they didn't account for.

@random-robbie
Author

Same results every time.

Weirdly, it seems that when badsecrets flags but blacklist3r does not, it means the way to exploit it is different.

badsecrets only is TextFormattingRunProperties and blacklist3r is TypeConfuseDelegate when using ysoserial.

@liquidsec
Collaborator

liquidsec commented Dec 19, 2024

Does your last comment imply that you got it to work?

Is the viewstate you posted unmodified? I can't seem to get a detection working just from that.

Also, were you using it in URL mode or manually supplying the viewstate and generator?

In general, I'd say exploitation can be tricky sometimes. I still run into situations where some tiny little detail makes things not work. However, so far, I have never seen a single true false positive from badsecrets. I am sure there have been a few false negatives.

@random-robbie
Author

I was using URL mode, and I'll try to get a list of sites it's flagged on but blacklist3r has not, to see if there is a common output that I'm missing that should be obvious as to why blacklist3r isn't seeing them but badsecrets is.
