ASP .NET - POST request method

Printable View

Hi everybody,
I need help with creating correct POST request to website working with ASP .NET.
May begin that my request was contructed by using sniffer results.
Here it is:

Code:

request.setRawHeader("Origin:","http://www.md5decrypter.co.uk");
    request.setRawHeader("X-Requested-With:","XMLHttpRequest");
    request.setRawHeader("Cache-Control:","no-cache");
    request.setRawHeader("X-MicrosoftAjax:","Delta=true");
    request.setRawHeader("Accept:","*/*");
    request.setRawHeader("Referer:","http://www.md5decrypter.co.uk/sha1-decrypt.aspx");
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded; charset=UTF-8");
    request.setRawHeader("Accept-Language:","pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4");
    request.setRawHeader("Accept-Charset:","ISO-8859-2,utf-8;q=0.7,*;q=0.3");
 
    postData.addQueryItem("ctl00$ScriptManager1", "ctl00$MainContent$btnDecrypt");
    postData.addQueryItem("ctl00$MainContent$txtHashes", "f41b59b297ded4f90ba61ee3c5ff18220ae55c66");
    postData.addQueryItem("ctl00$MainContent$txtCaptcha", sCaptcha);
    //postData.addQueryItem("__EVENTTARGET", "ctl00$MainContent$btnDecrypt");
    //postData.addQueryItem("__VIEWSTATE", sViewState);
    postData.addQueryItem("__EVENTVALIDATION", sEventValidation);
    postData.addQueryItem("__ASYNCPOST", "true");

Unfortunately, I don't receive satisfying outcome. Also, can't understand why in case of sending __EVENTTARGET or __VIEWSTATE, getting this kind of error:

Code:

1|#||4|52|pageRedirect||%2ferror.aspx%3faspxerrorpath%3d%2fsha1-decrypt.aspx|

I can add that my app in the first place, download __VIEWSTATE and __EVENTVALIDATION after connection to website.
Where can be a problem, and why it happen so as above.

Thanks in advance,
Trok

5th October 2011, 16:32
pkj

Re: ASP .NET - POST request method

ViewState is microsoft proprietary infrastructure to manage state in http. It is Base64 encoded, and uses hashes to identify events on client side. Whatever, be the case, it is not documented because it wasn't meant to be by Microsoft. I don't think you can use this forum for help in reverse engineering it.
Also, they can and will change it as and when they want. Your code, even after doing RE can die tomorrow. If you happen to have the code for server side, modify the code to use only the http controls if you must. Hacking viewstate is not a good idea in my opinion.
HTH
6th October 2011, 15:02
Trok

Re: ASP .NET - POST request method

So, is there any possibility to send good working request to this page without ViewState? Every time i get all page source without result of current action (decrypt hash). I still don't understand why this code doesn't work correct.
Thanks in advance.
6th October 2011, 22:52
pkj

Re: ASP .NET - POST request method

Are you the one requesting the page and sending the postback? Or are you trying to sniff poor Bob's page and send postback, or tricking poor Bob to make a request passing in your viewstate. In both cases it won't work. There is a ViewStateUserKey exactly to discourage this and used to salt the hash.
If you do have asp.net you can explicitly set viewstate off for each control. There is no way that as a client you can request a viewstate less page.
Moreover Trok, This is not the right forum for a asp.net question.