notsosecure / blacklist3r Goto Github PK
View Code? Open in Web Editor NEWproject-blacklist3r
Home Page: https://www.notsosecure.com/project-blacklist3r/
project-blacklist3r
Home Page: https://www.notsosecure.com/project-blacklist3r/
Awesome tool please add a link in the description to your blog post explaining it in detail: https://www.notsosecure.com/project-blacklist3r/
Hello,
Following this https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/ the command are not working anymore
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --purpose=viewstate --valalgo=sha1 --decalgo=aes --modifier=CA0B0334 --macdecode --legacy
AspDotNetWrapper 2.0.0.0
Copyright c 2019
ERROR(S):
Option 'valalgo' is unknown.
Option 'decalgo' is unknown.
Option 'legacy' is unknown.
-r, --keypath Machine keys file path.
-c, --encrypteddata Encrypted data value to decrypt.
-d, --decrypt (Default: false) To decrypt the encrypted data.
-f, --decryptDataFilePath file path where the decrypted information stored
-p, --purpose purpose
-m, --modifier Modifier used to encode the viewstate
-s, --macdecode Used to decide whether viewstate is MAC enabled or not
-o, --outputFile Output file path
-i, --IISDirPath Application dir path in IIS tree
-t, --TargetPagePath Target page path
-v, --antiCSRFToken Anti CSRF token
--help Display this help screen.
--version Display version information.
Required option missing!!
-------------------------
-f, --decryptDataFilePath file path where the decrpted information stored
--help Display this help screen.
--version Display version information.
I think the new version test everything, this issue is more related to the article itself :)
Hi,
First thanks a lot for this tool ๐ฏ
I have found the following key pair on this site that is not present into the MachineKeys.txt
file of the last release bundle:
Keys:
EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39
.B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3
.Section of the blog post with the mentioned key pair:
ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" \
--path="/site/test.aspx/" \
--apppath="/directory" \
--decryptionalg="AES" \
--decryptionkey="EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39" \
--validationalg="SHA1" \
--validationkey="B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3"
Thanks in advance ๐
Hi, I was following the example highlighted on the article below, and I've noticed that the AspDotNetWrapper is not generating any output.
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --purpose=viewstate --valalgo=sha1 --decalgo=aes --modifier=CA0B0334 --macdecode --legacy
I downloaded the Github Project, and I built it in VS.net, but the exe is not giving me anything
I get these errors even on using previous and latest releases.
The command I used is :-
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTg0MzcxNzgzNmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFJmN0bDAwJENvbnElbnRQbGFjZUhvbGRicjEkSW1hZ2VCdXR0b24zBSZjdGwwMCRDb2250ZW50UGxhY2Vlb2xkZXlxJEltYWdlQnV0dG9uMU3je+cjx5/7z0zvwlrr8SPmt2y8== --decrypt --purpose=viewstate --modifier=CA0B0334 --macdecode --IISDirPath "/" --TargetPagePath "/Default.aspx/" -f out.txt
And got these errors :-
Unhandled Exception: System.FormatException: Invalid length for a Base-64 char array or string. at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength) at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength) at System.Convert.FromBase64String(String s) at NotSoSecure.AspDotNetWrapper.DefinePurpose.GetProtectedData(String strEncryptedText) at NotSoSecure.AspDotNetWrapper.AspDotNetWrapper.Main(String[] args)
Please note that the value of viewstate didn't contained "==". I added them by reading a post on StackOverFlow . But still got no luck with the errors.
can not found,why?
.\AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata "/wEPDwUJMzk1NzA1NjUzDxYIHgtDTElFTlRFTUFJTGUeDENMSUVOVE1PQklMRWUeCUlSRVRSWUNOVGYeDl9Jc0VtYWlsTW9iaWxlZRYCAgMPZBYIAgEPFgIeCWlubmVyaHRtbAUWSUlGTCAtIEZvcmdvdCBQYXNzd29yZGQCAw9kFgJmDxYCHwQFD0ZvcmdvdCBQYXNzd29yZGQCBw9kFggCAw8PFgIeBFRleHRlZGQCCQ8PFgIeB0VuYWJsZWRoZGQCCw8PFgIfBQUBMGRkAg0PDxYCHwUFATBkZAIJD2QWBAIBDxYCHwQFE0VudGVyIE5ldyBQYXNzd29yZC5kAgMPFgIeB1Zpc2libGVoFgJmD2QWBgIBDw8WAh8HaGRkAgMPDxYEHwZoHwdoZGQCBQ8PFgQfB2gfBmhkZGTnxJZ8skNiBSTEHo2z4QrLxX2wbCw3GoCrWrPOnOfJMg==" --decrypt --purpose=viewstate --modifier=ECA7C9A2 --macdecode --TargetPagePath "/OTPGeneration/frmOTPGeneration.aspx?RqtpAs=PM2SLMF5T" -f out.txt --IISDirPath="/"
Decryption of cookie is working but again encrypting the same file is not working(even without any modification)
Encrypt: AspDotNetWrapper.exe --keypath MachineKeys.txt -p aspxauth --cookie 490E807FAF8AA1ED00526434900ECBE308314B62C87037458E6F22980208DD7ACAC41DF05D3013D7E91DEE127E4E5A4E2499483B4BD0F5872934BBD5D1C2B81A9054A197 -a SHA1 -b 3DES --decrypt
Unhandled Exception: System.Security.Cryptography.CryptographicException: Specified initialization vector (IV) does not match the block size for this algorithm.
at System.Security.Cryptography.SymmetricAlgorithm.set_IV(Byte[] value)
at System.Web.Security.Cryptography.NetFXCryptoService.Protect(Byte[] clearData)
at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)
at NotSoSecure.AspDotNetWrapper.EncryptDecrypt.EncryptData(String strDecryptDataFilePath)
at NotSoSecure.AspDotNetWrapper.AspDotNetWrapper.Main(String[] args)
Hello ,,
thank you very much for this software.
Does Blacklist3r for ViewState produced with (.Net < 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true ) work?
And that legacy is unknown in Blacklist3r.
Hey,
I am trying to understand the machine keys file.
is that just the machine keys or is there a way i can provide a big list of validation key and decryption keys to add to the system?
I am going through github and pulling what keys i can to help add to potential hits.
is it layed out like.
decryptionKey,validationKey
Please explain how you compile this in visual studio code. Would really help alot!
Hello - thanks for the tool, is there somewhere the specifies all of the flag options for things like "purpose" and the other flags?
Hi,
My encrypted data is 9359 chars. Command prompt only allows 8191 chars. I think there should be a parameter for --encrypteddata that takes a filepath, such as --encrypteddatapath where the program can take the encrypted data from a text file. Very cool program!
Best,
Alex
Hello,
After compiling the tool in visual studio I don't have the same option as you :
So of course, when I try with a sample command like
`AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata 195A989biBjM_NAqqiie5DnHKfcwrNGDuT-Suumqmw6oVyLSsjCFx9Emhf034TDjcuC9mfwNbi6yD-1QlbhcUAgdTOwY0o0sNbg7bJrNyUEf6ZoyYh2QAZHhmxteN_cMQJI7C1WOBEl0ocihUVhKghdxegwRURcYx2h1uMbijX3jsEf59L8Uco_PpfFLN--RtcLTKUvtZd0fH5Sgc1JQmsvTBr7IJ4Ua01I8uyEPYNXZGYvssSzJ8YN6MXioky3WBXv9NGNxDpgTpIPWGetgZ0iOSaTmqPr6sPu4ndesUV4SKsBroIP6Y38rr8LwFCZBKDK5dli4kKwmy9xeM02qshCoLf8ppeOiK2aMLfb9jqkraoss2BflD3hpDdrYHVGH7ryTWQh4HABYDC7OOMgdld3WJ1CUfJ9pmr0qnVFD4Gc --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
I have this error:
ERROR(S):
Option 'valalgo' is unknown.
Option 'decalgo' is unknown.
Option 'legacy' is unknown.
We use the same version, any idea why I didn't have all options available ?
The maximum length of the string that you can use in command prompt is 8191 characters. I am trying to use AspDotNetWrapper, however the viewstate is over 50,000 characters long. In the case that the encrypteddata is longer than the maximum allowed length I don't know of any way to run the executable other than changing it so that a file path is accepted in place of the value itself
\
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.