Extracting Source Code from Pre-Compiled ASP.Net applications
In a recent assignment, I found a Path Traversal vulnerability in an ASP.Net based web application. Naturally, the first thing I went after was the web.config file. I extracted the DB credentials from the connection string, but the MSSQL port was not open. I also did some more post-exploitation enumeration. What I also do with Path Traversal is try to read the source code to find other vulnerabilities and to check things like whether SQL queries are parameterized, what restrictions are implemented on file uploads, etc.
I tried to read the source code this time too. I read the source for an .aspx file, cool. But when I tried to read its .aspx.cs file, I got the ‘file not found’ error. What? With ASP.Net Webforms applications, there is always an .aspx file and a related .aspx.cs file. After a bit of fiddling around, I figured out that there is a concept in ASP.Net called ‘Pre-Compilation’ being used here. Let me explain the whole concept and how I was able to extract the source code with a small example.
What is Pre-Compilation?
Pre-Compilation is an ASP.Net feature in which a website, when being published, can get all of its logical code (the CS files) ‘compiled’ into a binary (DLL file). So a website with files like this:
Will look like this after pre-compilation:
Where did all the CS files go? Into the DLL files in the bin directory:
You can read about Pre-Compilation in detail in the Microsoft Docs.
Using Path Traversal to read DLL files
So we know that the DLL files contain all the source code we want to read. The question is, how do we know the name of the DLL file we want to read? In the ASPX file, we specify the codebehind parameter, which defines the name of the associated CS file. What happens to this parameter in pre-compiled applications? Let’s see.
Let us consider the following example where we have a Path Traversal vulnerability:
Notice here that we don’t have any codebehind parameter. But we can notice that the inherits parameter does mention the name of the DLL file. Once we have this name, we can download the DLL file too:
Reversing DLL to extract source code
The last step here is to extract the source code from this DLL file. To do that, we can use a .Net decompiler like JetBrains dotPeek. Once we open the file in dotPeek, we can easily get the source code:
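
Added example, not part of the original post: the read sequence described above (web.config, then an .aspx page, then the DLL under bin) leaves a recognizable trail in IIS logs, and this Python script groups it per client so responders can tell whether compiled code was actually served. The log lines, the /download.aspx endpoint with its file parameter, and the DLL names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log lines; /download.aspx and its "file" parameter are hypothetical.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:00:01 GET /download.aspx file=report.pdf 198.51.100.7 200
2024-01-10 09:01:12 GET /download.aspx file=..%2f..%2fweb.config 203.0.113.9 200
2024-01-10 09:01:40 GET /download.aspx file=..%2f..%2fDefault.aspx 203.0.113.9 200
2024-01-10 09:02:05 GET /download.aspx file=..%252f..%252fbin%252fWebApp.dll 203.0.113.9 200
2024-01-10 09:03:00 GET /download.aspx file=..%5c..%5cbin%5cApp_Web_x.dll 192.0.2.44 404
"""

# What each traversal request was reaching for, checked in this order.
STAGES = [
    ("config", re.compile(r"web\.config\b", re.I)),
    ("assembly", re.compile(r"(^|/)bin/[^/&]+\.dll\b", re.I)),
    ("source", re.compile(r"\.(aspx|ascx|asmx|ashx|master|cs)\b", re.I)),
]

def normalize(query):
    """Undo up to three layers of URL encoding, then unify path separators."""
    for _ in range(3):
        query = unquote(query)
    return query.replace("\\", "/")

def parse(log_text):
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def analyze(log_text):
    """Return {client_ip: [(stage, status, decoded_query), ...]} for traversal requests."""
    hits = defaultdict(list)
    for row in parse(log_text):
        query = normalize(row.get("cs-uri-query", ""))
        if "../" in query:
            stage = next((name for name, rx in STAGES if rx.search(query)), "other")
            hits[row["c-ip"]].append((stage, int(row["sc-status"]), query))
    return dict(hits)

def exposed_assemblies(hits):
    """Clients that got a 200 for a bin/*.dll read: treat that code as disclosed."""
    return sorted(ip for ip, events in hits.items()
                  if any(s == "assembly" and code == 200 for s, code, _ in events))
```

A client listed by exposed_assemblies should be handled as having the application's decompilable source, so any secrets compiled into those DLLs need rotating along with the credentials in web.config.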