## Source Code Recovery - Managed .NET Code
Use dnSpy or ILSpy to decompile the executable.
```bash
# rdp connection to DNN lab
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d: /u: /p: /v:dnn /u:administrator /p:studentlab /size:1180x708
```
csc compiler for C#:
```cmd
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
```
- search for methods (such as base64)
- analyze functions after discovery
- Used By and Uses (analyzer) show a method's callers and callees
- modify assemblies using Edit Class
- Compile > File > Save All to overwrite the original version
## Source Code Discovery - Decompiling Java Classes
Use JD-GUI to decompile Java bytecode. Java applications are compiled to Java class files that are compressed into a JAR file.
```bash
# compiling java source code
sudo apt install default-jdk   # if JDK is not installed
javac -source 1.8 -target 1.8 test.java   # outputs a class file
# create manifest file
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
# create java archive (jar) file
jar cmvf META-INF/MANIFEST.MF test.jar test.class
# execute jar file
java -jar test.jar
```
## Source Code Analysis
- source-sink analysis
  - data enters the application through a source (POST request with username + password)
  - data is executed via a database query, the sink (SQL database call to run the query)
- top-down analysis
  - identify sources and trace them to sinks
  - identify the controls that are in place
  - useful when looking for unauthenticated resources
- bottom-up analysis
  - identify vulnerable sinks and trace back to the source
  - be mindful of the controls in place
  - finds higher-impact vulnerabilities, but with a lower chance that they are exploitable (a dangerous sink may not be reachable from user input)
### Routing Types
- file system routing
  - the server locates the file within the document root
  - apache: `/var/www/html`
- servlet mapping
  - classes that handle requests and return a response
  - java: web.xml (configuration file for HTTP routing)
- direct routing
  - routing information is directly in the source code
    ```javascript
    router.get('/login', function(req, res, next){}); // expressjs
    ```
- annotation or attribute routing
  - a descriptor next to the function is used for routing
    ```java
    @GetMapping({"/admin/users"}) // for Spring MVC
    ```
### Analysis Priorities
- unauthenticated to authenticated
- sanitization of user input (trusted libraries vs custom solution)
- database query structuring (parameterized or dynamic)
- application logic subversion (login/password reset)
- interaction with the operating system
- programming language specific vulnerabilities
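As an added example (not part of these notes), a small Python triage script that performs the bottom-up pass described above: it enumerates direct (Express) and annotation (Spring MVC) route declarations, finds SQL and OS-command sinks, and reports which route each sink sits under and whether the call builds its argument dynamically. The two sample source files and the regex patterns are constructed for the demo, not taken from a real project.

```python
import re

# Constructed sample files (not from the page): an Express.js router and a Spring MVC controller.
SAMPLES = {
    "routes.js": (
        "router.get('/login', function(req, res, next) {\n"
        "  db.query(\"SELECT * FROM users WHERE name='\" + req.body.username + \"'\");\n"
        "});\n"
        "router.get('/health', function(req, res, next) { res.send('ok'); });\n"
    ),
    "AdminController.java": (
        '@GetMapping({"/admin/users"})\n'
        "public String users(@RequestParam String sort) {\n"
        '  return st.executeQuery("SELECT * FROM users ORDER BY " + sort).toString();\n'
        "}\n"
        '@GetMapping({"/admin/ping"})\n'
        "public String ping(@RequestParam String host) {\n"
        '  Runtime.getRuntime().exec("ping " + host);\n'
        "}\n"
    ),
}

# Route declarations: direct routing (Express) and annotation routing (Spring MVC).
ROUTE_RE = [
    re.compile(r"""router\.(?:get|post|put|delete)\(\s*['"]([^'"]+)['"]"""),
    re.compile(r'@(?:Get|Post|Request)Mapping\(\s*\{?\s*"([^"]+)"'),
]
# Sinks worth tracing back to a source: SQL execution and OS command execution.
SINK_RE = {
    "sql": re.compile(r"\b(?:executeQuery|executeUpdate|db\.query)\s*\("),
    "os-command": re.compile(r"\bRuntime\.getRuntime\(\)\.exec\s*\("),
}

def bottom_up(files):
    """Bottom-up pass: for each sink, report the nearest route declared above it (the entry
    point where request data enters) and whether the call concatenates its argument with '+'."""
    findings = []
    for name, text in files.items():
        route = None  # most recent route declaration seen while scanning downward
        for lineno, line in enumerate(text.splitlines(), 1):
            for rx in ROUTE_RE:
                m = rx.search(line)
                if m:
                    route = m.group(1)
            for kind, rx in SINK_RE.items():
                if rx.search(line):
                    findings.append({"file": name, "line": lineno, "sink": kind,
                                     "route": route, "dynamic": "+" in line})
    return findings
```

Each finding is a starting point for the manual trace back to the source and for checking which controls (authentication, sanitization) sit on that route; a route with no sink, like `/health` above, drops out of the priority list.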
