Extracting Source Code from Pre-Compiled ASP.Net applications

In a recent assignment, I found a Path Traversal vulnerability in an ASP.Net based web application. Naturally, the first thing I went after was the web.config file. Extracted the DB credentials from connection string, but the MSSQL port was not open. And did some more post-exploitation enumeration. What I also do with Path Traversal is try to read the source code for finding other vulnerabilities and things like checking if SQL queries are parameterized, the restrictions implemented on file uploads, etc.

I tried to read the source code this time too. I read the source for an .aspx file, cool. But when I tried to read it’s .aspx.cs file, I got the ‘file not found’ error. What? With ASP.Net Webforms applications, there always is an .aspx file and a related .aspx.cs file. After bit of fiddling around, I figured out that there is a concept in ASP.Net called ‘Pre-Compilation’ being used here. Let me explain the whole concept and how I was able to extract the source code with a small example.

What is Pre-Compilation?

Pre-Compilation is an ASP.Net feature in which a website, when being published, can get all of its logical code (the CS files) ‘compiled’ into a binary (DLL file). So a website with files like this:

alter-text

Will look like this after pre-compilation:

alter-text

Where did all the CS files go? Into the DLL files in the bin directory:

alter-text

You can read about Pre-Compilation in details from Microsoft Docs.

Using Path Traversal to read DLL files

So we know that the DLL files contains all the source code we want to read. Question is how would we know what is the name of the DLL file we want to read? In the ASPX file, we do specify the codebehind parameter that defines the name of the associated CS file. What would happen to this parameter in pre-compiled applications? Let’s see.

Let us consider the following example where we have a Path Traversal vulnerability:

alter-text

Notice here that we don’t have any codebehind parameter. But we can notice that the inherits parameter do mention the name of the DLL file. Once we have this name, we can download the DLL file too:

alter-text

Reversing DLL to extract source code

The last step here is to extract the source code from this DLL file. To do that, we can use a .Net decompiler like JetBrains dotPeek. Once we open the file in dotPeek, we can easily get the source code:

alter-text

comments powered by Disqus

Related Posts

A possibility of Account Takeover in Medium

There are times when you discover something that is very common and ordinary which just blows your mind and you start thinking, “How come I didn’t knew this before!

Read more

Attacking Kerberos: Resource Based Constrained Delegation

Now that we are done with Unconstrained and Constrained Delegations, it is time for the finale. In this blog we’ll discuss Resource Based Constrained Delegation (RBCD).

Read more

Attacking Kerberos: Constrained Delegation

In the last blog, we discussed Unconstrained Delegation in detail. We also saw how dangerous Unconstrained Delegation can get. Unconstrained Delegation was the very first implementation of Delegations, introduced back in Windows Server 2000.

Read more