viewstate icon indicating copy to clipboard operation
viewstate copied to clipboard

Published 20 hours ago verified publisher icon yuvadm

ViewStateException: Cannot decode invalid viewstate, bad preamble

Open brunoaduarte opened this issue 5 years ago • 5 comments

Hi,

I'm trying to decode a ViewState from

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="R764/r3QPGEcug7NDCf691JVWHHD..........

But i get this error

ubuntu@vboxubuntu:~$ BASE64='R764/r3QPGEcug7NDCf691JVWHHD..........
ubuntu@vboxubuntu:~$ echo $BASE64 | python3 -m viewstate
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/__main__.py", line 20, in <module>
    main(raw)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/__main__.py", line 15, in main
    pp.pprint(vs.decode())
  File "/home/ubuntu/.local/lib/python3.6/site-packages/viewstate/viewstate.py", line 43, in decode
    raise ViewStateException('Cannot decode invalid viewstate, bad preamble')
viewstate.exceptions.ViewStateException: Cannot decode invalid viewstate, bad preamble

Although, it works well with the test data

ubuntu@vboxubuntu:~$ BASE64='/wEPBQVhYmNkZQ9nAgE='
ubuntu@vboxubuntu:~$ echo $BASE64 | python3 -m viewstate
('abcde', (True, 1))

brunoaduarte avatar Mar 12 '19 19:03 brunoaduarte

The viewstate that is failing is probably encrypted. Using a test website configured for AES with an explicit key, I got viewstate of "fJpcff0hiVevQIysiaIKgkx2dnueLNYQKHvN+8Da9mpyY/IsL6xhIen3niz0KDUiJ3ztn6ejt8rum6jZysGCJmRo8iZ45u1LT+3lhxGySYpLtQ4m0hP5/WHlMLyT0H2Lk2aCxcxFh6TVDf6+jXbMYXLEgDs=", which gave me the same error, but, once decrypted and skipping the first 32 bytes (randomness to use as a makeshift IV, I guess...), I have "/wEPDwUKMTY1NDU2MTA1Mg8WAh4EVEVTVAUFVkFMVUVkZK3h5yv0mrM9ifh43lDf449iCgYMOaWxxQ==", which processes fine. I had to chop off the last 20 bytes of the encrypted viewstate before decrypting as the signature is appended to the ciphertext.

Supporting encrypted viewstate shouldn't be difficult, as it's a basic CBC with standard crypto algorithms, but would require extra parameters to pass the decryption key and cipher. Since the signature has to be split off before decryption and thus also before parsing, the current process of parsing to the end of the statebag and whatever remains is the signature wouldn't work, so the signature format would need to be explicitly specified as well.

I ought to be able to cook up a pullrequest for this.

rpimonitrbtch avatar Feb 01 '20 02:02 rpimonitrbtch

Enums to define the decryption and validation modes would seem to be in order... Would it be ok to have them in viewstate.py, or should they be a separate file as was requested for the color table in PullRequest#12?

rpimonitrbtch avatar Feb 01 '20 04:02 rpimonitrbtch

@rpimonitrbtch thanks for taking the lead on this! It would be a much appreciated feature to have. Please go ahead with whatever you feel would be right for the codebase, then we can review and see if any changes are needed.

yuvadm avatar Feb 01 '20 11:02 yuvadm

@rpimonitrbtch Also please note I did some codebase cleanup today and released v0.5.2 so make sure you rebase your branch onto that.

yuvadm avatar Feb 01 '20 11:02 yuvadm

I also have the same problem, even I use the updated code @rpimonitrbtch @yuvadm

junmoxiao avatar Apr 26 '20 07:04 junmoxiao