Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
PreviousCommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread SleepNextExploiting __VIEWSTATE knowing the secrets
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
This post is dedicated to kuelewa jinsi gadget ObjectDataProvider inavyotumiwa kupata RCE na jinsi maktaba za Serialization Json.Net na xmlSerializer zinaweza kutumika vibaya na gadget hiyo.
From the documentation: the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source. Ndio, ni maelezo ya ajabu, hivyo hebu tuone ni nini kilichomo katika darasa hili ambacho ni cha kuvutia sana: Darasa hili linaruhusu kufunga kitu chochote, tumia MethodParameters kuweka vigezo vyovyote, na kisha tumia MethodName kuita kazi yoyote ya kitu chochote kilichotangazwa kwa kutumia vigezo vyovyote. Hivyo, kitu chochote kitafanya kazi na vigezo wakati kinapokuwa kinadeserialized.
Namespace ya System.Windows.Data, iliyopatikana ndani ya PresentationFramework.dll katika C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF, ndiyo mahali ambapo ObjectDataProvider imefafanuliwa na kutekelezwa.
Kwa kutumia dnSpy unaweza kuangalia msimbo wa darasa tunalolipenda. Katika picha hapa chini tunaona msimbo wa PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name
Kama unavyoona wakati MethodName imewekwa base.Refresh() inaitwa, hebu tuangalie inafanya nini:
Sawa, hebu tuendelee kuona this.BeginQuery() inafanya nini. BeginQuery imeandikwa upya na ObjectDataProvider na hii ndiyo inafanya:
Kumbuka kwamba mwishoni mwa msimbo inaita this.QueryWorke(null). Hebu tuone inatekeleza nini:
Kumbuka kwamba hii si msimbo kamili wa kazi QueryWorker lakini inaonyesha sehemu ya kuvutia ya hiyo: Msimbo unaita this.InvokeMethodOnInstance(out ex); hii ndiyo mistari ambapo seti ya njia inaitwa.
Ikiwa unataka kuangalia kwamba kwa kuweka tu MethodName** itatekelezwa**, unaweza kukimbia msimbo huu:
Note that you need to add as reference C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll in order to load System.Windows.Data
Using the previous exploit there will be cases where the object is going to be deserialized as an ObjectDataProvider instance (for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using GetType). Then, will have no knowledge of the object type that is wrapped in the ObjectDataProvider instance (Process for example). You can find more information about the DotNetNuke vuln here.
Darasa hili linaruhusu kuelezea aina za vitu vya vitu ambavyo vimefungwa katika mfano fulani. Hivyo, darasa hili linaweza kutumika kufunga kitu cha chanzo (ObjectDataProvider) ndani ya aina mpya ya kitu na kutoa mali tunazohitaji (ObjectDataProvider.MethodName na ObjectDataProvider.MethodParameters). Hii ni muhimu sana kwa kesi kama ile iliyowasilishwa hapo awali, kwa sababu tutakuwa na uwezo wa kufunga _ObjectDataProvider** ndani ya **ExpandedWrapper _ mfano na wakati wa deserialization darasa hili litaunda OjectDataProvider kitu ambacho kitafanya kazi iliyoonyeshwa katika MethodName.
You can check this wrapper with the following code:
Katika ukurasa rasmi inaonyeshwa kwamba maktaba hii inaruhusu Kuhifadhi na kufungua tena kitu chochote cha .NET kwa kutumia Json.NET's powerful JSON serializer. Hivyo, ikiwa tunaweza kufungua tena gadget ya ObjectDataProvider, tunaweza kusababisha RCE kwa kufungua tena kitu.
Kwanza kabisa hebu tuone mfano wa jinsi ya kufanya uhifadhi/ufunguo wa tena kitu kwa kutumia maktaba hii:
Using ysoserial.net niliunda exploit:
Katika hii code unaweza kujaribu exploit, endesha tu na utaona kwamba calc inatekelezwa:
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
