elmah-log-file: ELMAH Exposure

Date: 2025-08-01 | Affected software: elmah-log-file | PoC: public

Vulnerability description

ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment. In some cases, the logs expose ASPXAUTH cookies, allowing a logged-in administrator session to be hijacked.

PoC code [public]

id: elmah-log-file

info:
  name: ELMAH Exposure
  author: shine,idealphase
  severity: high
  description: |
    ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment. In some cases, the logs expose ASPXAUTH cookies allowing to hijack a logged in administrator session.
  reference:
    - https://code.google.com/archive/p/elmah/
    - https://www.troyhunt.com/aspnet-session-hijacking-with-google/
  metadata:
    verified: true
    max-request: 2
  tags: logs,elmah,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/elmah"
      - "{{BaseURL}}/elmah.axd"

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Error Log for'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100cf36780ceec41c22f01b495f7d6d807e31eebe99cc12d894c4a905009db937b402207ef9ec45a8b6ebf8f28154e4b86931222a8258798849662910056610aa6fbc13:922c64590222798bb761d5b6d8e72950
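
A defender-side counterpart to the template above, as an added example that is not part of the original page or the template: it scans an IIS W3C access log for ELMAH pages that were served with status 200 to clients outside trusted networks. The log lines are constructed, and the trusted network list, the field layout and the function name are assumptions.

```python
import ipaddress
import re

# Constructed IIS W3C log excerpt (sample data, not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-08-01 10:00:01 GET /elmah.axd - 203.0.113.7 200
2025-08-01 10:00:02 GET /elmah - 203.0.113.7 404
2025-08-01 10:00:05 GET /elmah.axd/detail id=abc 203.0.113.7 200
2025-08-01 10:01:00 GET /ELMAH.AXD - 10.0.0.5 200
2025-08-01 10:02:00 GET /app/elmah.axd - 198.51.100.9 302
2025-08-01 10:03:00 GET /helmah.axd - 198.51.100.9 200
"""

# Matches the two paths the template requests, plus sub-pages such as /detail.
ELMAH_PATH = re.compile(r"(^|/)elmah(\.axd)?(/|$)", re.IGNORECASE)
# Assumption: networks from which viewing the error log is acceptable.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def find_elmah_exposure(log_text):
    """Return (client_ip, uri_stem, status) for ELMAH pages served to untrusted clients."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, parts))
        try:
            ip = ipaddress.ip_address(row["c-ip"])
            status = int(row["sc-status"])
        except (KeyError, ValueError):
            continue
        if not ELMAH_PATH.search(row.get("cs-uri-stem", "")):
            continue
        # Same success condition as the template: the log page returned 200.
        if status == 200 and not any(ip in net for net in TRUSTED_NETS):
            hits.append((str(ip), row["cs-uri-stem"], status))
    return hits
```

Any hit means the error log was readable from an untrusted address, so the handler needs access restrictions and any session cookies recorded in the log should be treated as disclosed.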