Extracting Source Code from Pre-Compiled ASP.Net applications
In a recent assignment, I found a Path Traversal vulnerability in an ASP.Net-based web application. Naturally, the first thing I went after was the web.config file. I extracted the DB credentials from the connection string, but the MSSQL port was not open. I also did some more post-exploitation enumeration. What I also do with Path Traversal is try to read the source code to find other vulnerabilities and check things like whether SQL queries are parameterized, the restrictions implemented on file uploads, etc.
I tried to read the source code this time too. I read the source for an .aspx file, cool. But when I tried to read its .aspx.cs file, I got the ‘file not found’ error. What? With ASP.Net Webforms applications, there is always an .aspx file and a related .aspx.cs file. After a bit of fiddling around, I figured out that there is a concept in ASP.Net called ‘Pre-Compilation’ being used here. Let me explain the whole concept and how I was able to extract the source code with a small example.
What is Pre-Compilation?
Pre-Compilation is an ASP.Net feature in which a website, when being published, can get all of its logical code (the CS files) ‘compiled’ into a binary (DLL file). So a website with files like this:
Will look like this after pre-compilation:
Where did all the CS files go? Into the DLL files in the
You can read about Pre-Compilation in detail in the Microsoft Docs.
Using Path Traversal to read DLL files
So we know that the DLL files contain all the source code we want to read. The question is: how would we know the name of the DLL file we want to read? In the ASPX file, we specify the codebehind parameter, which defines the name of the associated CS file. What happens to this parameter in pre-compiled applications? Let’s see.
Let us consider the following example where we have a Path Traversal vulnerability:
Notice here that we don’t have any codebehind parameter. But we can see that the inherits parameter does mention the name of the DLL file. Once we have this name, we can download the DLL file too:
Reversing DLL to extract source code
The last step here is to extract the source code from this DLL file. To do that, we can use a .Net decompiler like JetBrains dotPeek. Once we open the file in dotPeek, we can easily get the source code:
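Seen from the defending side, the sequence described in this post (web.config first, then .aspx pages, then the DLL named by the inherits parameter) leaves a recognisable trail in IIS logs. The script below is an added example, not code from the original post: it flags query-string values that, once decoded, contain traversal segments or point at those file types. The log lines, the download.aspx handler, the file parameter and the DLL name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed IIS W3C log sample; handler, parameter and DLL name are hypothetical.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-10 09:14:02 203.0.113.7 GET /download.aspx file=report.pdf 200
2024-01-10 09:14:09 203.0.113.7 GET /download.aspx file=../web.config 200
2024-01-10 09:14:31 203.0.113.7 GET /download.aspx file=..%2FDefault.aspx 200
2024-01-10 09:14:40 203.0.113.7 GET /download.aspx file=..%252Fbin%252FApp_Web_example.dll 200
2024-01-10 09:15:02 198.51.100.4 GET /Default.aspx - 200
"""

# Files an application should never hand back through a download parameter.
SENSITIVE = re.compile(r"(^|/)web\.config$|\.(aspx|ascx|ashx|master|dll)$", re.I)

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (e.g. %252F) and normalise path separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def suspicious_requests(log_text):
    """Return (client_ip, parameter, decoded_value, reasons, status) per flagged value."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            reasons = []
            if ".." in value.split("/"):
                reasons.append("traversal")
            if SENSITIVE.search(value):
                reasons.append("sensitive-file")
            if reasons:
                hits.append((row.get("c-ip"), name, value, reasons, row.get("sc-status")))
    return hits
```

A 200 status on a flagged line means the file was actually served, which is the case to triage first.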