websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] Numeric SQL injection ASP.NET

Mike
Thu, Apr 28, 2011 8:48 PM

Sorry, I realize my comment was pretty brief. In your case, the string to be modified is part of an array of strings, so you need to look for the length field elsewhere. I've highlighted a hint below, although the formatting might not survive the email list.
0000000: ff01 0f0f 050a 3130 3131 3735 3433 3234  ......1011754324
0000010: 0f64 1602 0203 0f64 1602 0201 0f10 0f16  .d.....d........
0000020: 061e 0d44 6174 6154 6578 7446 6965 6c64  ...DataTextField
0000030: 0503 4e6f 6d1e 0e44 6174 6156 616c 7565  ..Nom..DataValue
0000040: 4669 656c 6405 0849 645f 5669 6c6c 651e  Field..Id_Ville.
0000050: 0b5f 2144 6174 6142 6f75 6e64 6764 1015  ._!DataBoundgd..
0000060: 060a 4361 7361 626c 616e 6361 0552 6162  ..Casablanca.Rab
0000070: 6174 0453 6166 6906 5461 6e67 6572 0641  at.Safi.Tanger.A
0000080: 6761 6469 7205 5361 6669 6515 0603 3230  gadir.Safie...20
0000090: 30**03 3230 31**03 3230 3203 3230 3303 3230  0.201.202.203.20
00000a0: 3403 3230 3214 2b03 0667 6767 6767 6764  4.202.+..ggggggd
00000b0: 6418 0105 0947 7269 6456 6965 7731 0f3c  d....GridView1.<
00000c0: 2b00 0a01 0802 0164

The general case of reverse engineering viewstate is quite interesting. Give me a week or so and I'll write up some notes about doing this in C++ with Boost Spirit on my web site (it's actually quite fun!)
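Mike's hint above is about the length field that sits in front of every serialized string, and about the array of strings that holds the selected city id. As an added example (not code from the thread or from any of its participants), here is a Python scan over the ViewState Oussama posted that reports each length-prefixed string together with the offset of its length field, covering both the plain 0x05/0x1e case and the 0x15 string-array case, and decoding lengths with the .NET 7-bit scheme so values above 127 are handled. The token values and the heuristic scan are assumptions taken from the dump; this is not a full LosFormatter parser.

```python
import base64
from urllib.parse import unquote
# The __VIEWSTATE value Oussama posted (URL-encoded base64, MAC disabled), copied from the thread.
VIEWSTATE = "%2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D"

# Token bytes as they appear in the dump: string, indexed string, array of strings (assumed meanings).
TOKEN_STRING, TOKEN_INDEXED_STRING, TOKEN_STRING_ARRAY = 0x05, 0x1E, 0x15

def decode_viewstate(encoded):
    """URL-decode, then base64-decode, a __VIEWSTATE form value."""
    return base64.b64decode(unquote(encoded))

def read_7bit_length(buf, pos):
    """.NET 7-bit length: low 7 bits per byte, high bit means another byte follows (the extra step for lengths > 127). Returns (length, next_pos)."""
    length = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return length, pos
        shift += 7

def read_string(buf, pos):
    """Length-prefixed UTF-8 string whose length field starts at pos. Returns (text, pos, next_pos)."""
    n, start = read_7bit_length(buf, pos)
    text = buf[start:start + n].decode("utf-8")      # UnicodeDecodeError is a ValueError
    if start + n > len(buf) or not text.isprintable():
        raise ValueError("not a string")
    return text, pos, start + n

def find_strings(buf):
    """Heuristic scan (not a full LosFormatter parser): (offset_of_length_field, text) for each string behind a 0x05/0x1e token and for each element of a 0x15 string array."""
    found, pos = [], 0
    while pos < len(buf):
        tok, nxt = buf[pos], pos + 1
        try:
            if tok in (TOKEN_STRING, TOKEN_INDEXED_STRING):
                text, off, nxt = read_string(buf, nxt)
                found.append((off, text))
            elif tok == TOKEN_STRING_ARRAY:          # element count, then that many bare length-prefixed strings
                count, p = read_7bit_length(buf, nxt)
                items = []
                for _ in range(count):
                    text, off, p = read_string(buf, p)
                    items.append((off, text))
                found.extend(items)
                nxt = p
        except (ValueError, IndexError):
            nxt = pos + 1                            # not a token after all: step one byte and keep scanning
        pos = nxt
    return found
```

Running find_strings(decode_viewstate(VIEWSTATE)) reports "201" with its length field at offset 0x91, the byte Mike highlighted; the scan only works on this capture because enableViewStateMac was switched off for testing, since with the MAC enabled the server rejects any altered byte before the page sees it.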
--- On Thu, 4/28/11, Oussama Gabi <oussama.gabi@gmail.com> wrote:

From: Oussama Gabi <oussama.gabi@gmail.com>
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET
To: "Mike" <mike@deadliestwebattacks.com>
Cc: websecurity@lists.webappsec.org
Date: Thursday, April 28, 2011, 2:56 AM

Sorry, I didn't understand.

2011/4/27 Mike <mike@deadliestwebattacks.com>

Viewstate strings have a length field in the serialized form. So you'd need to append the "or 1=1" and adjust the length by 6 characters. In this simple hack, try looking for your string and a leading byte of 0x05 or 0x1e followed by a byte that indicates the length of the string.

(I've greatly simplified the description of viewstate serialization. For example, lengths greater than 127 bytes require an extra step to decode.)

From: Oussama Gabi <oussama.gabi@gmail.com>
To: Erlend Oftedal <erlend@oftedal.no>
Cc: websecurity@lists.webappsec.org
Sent: Wednesday, April 27, 2011 2:47 AM
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET

Hello guys,

For testing I set enableViewStateMac to false, so now there is no hash at the end of the ViewState. Then I intercept the request with Burp Proxy.

The ViewState code is %2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D

I get something like this when I decode it:
ÿ1011754324ddDataTextFieldNomDataValueFieldId_Ville_!DataBoundgdCasablancaRabatSafiTangerAgadirSafie200201202203204202+ggggggdd GridView1<+�

d
My goal is to add "or 1=1" to display all the cities with temperature. So I add it after the value selected in the dropdownlist, e.g. 201, so it becomes "201 or 1=1", and I encode it all to base64.

But I got an error: "session information is not valid"...
I've tried to change the Content-Length, in vain.
I know it's stupid, but I want to make this example.

This is my code: https://gist.github.com/943987
Do you have any ideas, please?

Thank you
Best regards
Oussama GABI

2011/4/25 Erlend Oftedal <erlend@oftedal.no>

Hi

Sharing the code could be a good idea. Maybe put it up on github or
something.

Best regards,

Erlend


On 25.04.2011 17:38, Oussama Gabi wrote:

  Yes, I've disabled the enableValidation; for the ViewState I added
    EnableViewState=flase in the dropdownList, without any result.

    The server response:

    Status=OK - 200
    Server=ASP.NET Development Server/10.0.0.0
    Date=Mon, 25 Apr 2011 16:22:39 GMT
    X-AspNet-Version=2.0.50727
    Cache-Control=private
    Content-Type=text/html; charset=utf-8
    Content-Length=1331
    Connection=Close

    Thank you very much

    

    

    
      2011/4/25 Ryan Dewhurst <ryandewhurst@gmail.com>

        Is the ViewState and EventValidation being URL encoded when
        being sent back to the server?

        What is the HTTP response you are getting?

        Ryan Dewhurst

        blog www.ethicalhack3r.co.uk
        projects www.dvwa.co.uk | www.webwordcount.com
        twitter www.twitter.com/ethicalhack3r

            On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi@gmail.com> wrote:

                Hello guys,

                  I am a beginner in web application security, so I
                  started to train on WebGoat. I would like to make a
                  numeric SQL injection attack, but in ASP.NET.

                  So I created a dropdownlist that retrieves the
                  names of cities and a gridview for display!

                  The problem is that when I change the ID value with
                  TamperData, nothing happens. I looked a bit and I
                  think that's a problem with ViewState, so is it
                  impossible to make this attack in ASP.NET?

                  How could I circumvent this ViewState or disable
                  it for testing? Or any hint!

                  Thank you!

                  Best regards!

            _______________________________________________
            The Web Security Mailing List

            WebSecurity RSS Feed
            http://www.webappsec.org/rss/websecurity.rss

            Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

            WASC on Twitter
            http://twitter.com/wascupdates

            websecurity@lists.webappsec.org
            http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org