Comments (4)

pwntester avatar pwntester commented on July 30, 2024 2

In which scenario would (Gadget: ObjectDataProvider, Formatter: Json.net) work, and (Gadget: WindowsIdentity, Formatter: Json.net) not?

The only case I can think of is that the application is blacklisting one but not the other, but I would bet that those blacklists will contain all gadgets in ysoserial. So in practice, using one of them would be enough. ObjectDataProvider is easier since it does not involve BinaryFormatter, but on the other hand you can choose WindowsIdentity and a BinaryFormatter payload using the ActivitySurrogateSelector to run arbitrary C# code (e.g. DNS lookup for out-of-band detection, sleep, etc.)

In general I would use ActivitySurrogateSelector gadget for the reasons explained above when there are different gadgets that work for a formatter.

In my experience, automating the exploitation of Json.Net, XmlSerializer, LosFormatter, ObjectStateFormatter, DataContractSerializer is very difficult, so I would only try sending payloads for BinaryFormatter, FastJson and JavaScriptSerializer. The first group requires finding the right injection point, controlling the expected type, etc.

Also ObjectStateFormatter and LosFormatter are only used for ASP.NET ViewState, and you can only exploit it if it is not signed or you can leak the encryption and validation keys from Web.config (and infer some other parameters). I have a small tool to generate a ViewState payload if you know the key. I will integrate it into ysoserial.

I'm sending the payloads to all parameters, sending them as-is and base64 encoded, sending them in query string, post-data, cookies.

I think it would be better to send it if you find a parameter, input field, cookie, etc. already using it. So use a passive approach for detection and an active one for verification.

Hope it helps,
A

from ysoserial.net.

andresriancho avatar andresriancho commented on July 30, 2024

@pwntester thanks for the very detailed answer. So, based on your recommendations it seems that I'll send the following gadgets / formatters:

  • ActivitySurrogateSelector, BinaryFormatter
  • ObjectDataProvider, FastJson
  • ObjectDataProvider, JavaScriptSerializer

For the ActivitySurrogateSelector I'll code a short ExploitClass that will sleep() in order to perform detection. For the other ones I believe I'll use the ping localhost -n X command in order to introduce the time delay I need.

The w3af plugin is almost ready, I just need to add these payloads and test :-) Do you know of a test web application I can use for testing the payloads I generate? (I know about -t but a web would allow me to better test this).

from ysoserial.net.

andresriancho avatar andresriancho commented on July 30, 2024

PS: I implemented some logic for deciding when to inject the payloads. The code can be found here and here. The logic is not perfect (lots of false positives: w3af will inject even when the original parameter value was not a serialized object), but at least it will not inject into everything.

from ysoserial.net.
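The passive-detection step described in this comment (only treat a parameter as a candidate when its current value already looks like a serialized .NET object) is the same classification a defender wants when reviewing request logs or writing a WAF rule. The following is an added Python example, not code from w3af or ysoserial.net. It assumes three well-known markers: the BinaryFormatter SerializationHeaderRecord bytes, the 0xFF 0x01 prefix of LosFormatter/ObjectStateFormatter (ViewState) output, and the type-hint keys used by Json.NET and FastJson (`$type`, `$types`) and JavaScriptSerializer (`__type`); the sample request is constructed.

```python
import base64
import binascii
import json
import re
from typing import Any, Dict, List, Optional

# BinaryFormatter streams open with a SerializationHeaderRecord:
# record type 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
BINARYFORMATTER_HEADER = bytes(
    [0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
)
# LosFormatter / ObjectStateFormatter (ASP.NET ViewState) output starts with 0xFF 0x01
# (the familiar "/wE..." prefix once base64-encoded).
LOSFORMATTER_HEADER = b"\xff\x01"
# Keys that let a JSON formatter take the target type from the input document.
JSON_TYPE_KEYS = ("$type", "$types", "__type")
# Gadget class names from the thread; seeing one in a type hint is a strong signal.
GADGET_MARKERS = ("ObjectDataProvider", "WindowsIdentity", "ActivitySurrogateSelector")


def _try_base64(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64; return None when the value is not base64."""
    candidate = value.strip()
    if len(candidate) < 4 or not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", candidate):
        return None
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def _type_hints(obj: Any, out: List[str]) -> None:
    """Collect the values of type-hint keys anywhere inside a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key in JSON_TYPE_KEYS:
                out.append(val if isinstance(val, str) else json.dumps(val))
            _type_hints(val, out)
    elif isinstance(obj, list):
        for item in obj:
            _type_hints(item, out)


def classify_value(value: str) -> List[str]:
    """Return the serialization indicators found in one parameter value (empty if none)."""
    findings: List[str] = []
    decoded = _try_base64(value)
    if decoded is not None:
        if decoded.startswith(BINARYFORMATTER_HEADER):
            findings.append("binaryformatter-stream")
        elif decoded.startswith(LOSFORMATTER_HEADER):
            findings.append("losformatter-stream")

    # Look for JSON type hints in the raw value and, if it decodes to text, in the base64 payload.
    texts = [value]
    if decoded is not None:
        try:
            texts.append(decoded.decode("utf-8"))
        except UnicodeDecodeError:
            pass
    for text in texts:
        hints: List[str] = []
        try:
            _type_hints(json.loads(text), hints)
        except ValueError:
            # Not strict JSON: fall back to a regex so truncated or lenient documents still count.
            hints = re.findall(r'"(?:\$types?|__type)"\s*:\s*"([^"]*)"', text)
        if hints:
            findings.append("json-type-hint")
            for hint in hints:
                for marker in GADGET_MARKERS:
                    tag = "json-type-hint:" + marker
                    if marker in hint and tag not in findings:
                        findings.append(tag)
            break
    return findings


def scan_request(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each parameter that carries a serialization indicator to its findings."""
    report: Dict[str, List[str]] = {}
    for name, value in params.items():
        findings = classify_value(value)
        if findings:
            report[name] = findings
    return report


# Constructed sample request: realistic shapes, synthetic bodies.
SAMPLE_REQUEST = {
    "q": "search terms",
    "__VIEWSTATE": base64.b64encode(LOSFORMATTER_HEADER + b"constructed-viewstate-body").decode(),
    "data": base64.b64encode(BINARYFORMATTER_HEADER + b"constructed-binaryformatter-body").decode(),
    "settings": '{"__type":"Demo.Settings","theme":"dark"}',
    "profile": base64.b64encode(
        b'{"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework"}'
    ).decode(),
}

if __name__ == "__main__":
    for name, findings in scan_request(SAMPLE_REQUEST).items():
        print(f"{name}: {', '.join(findings)}")
```

Parameters without any indicator (here `q`) are left out of the report, which is exactly the false-positive reduction the comment is after; a ViewState value is reported by its stream header alone, so whether it is MAC-signed still has to be checked separately.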

pwntester avatar pwntester commented on July 30, 2024

@andresriancho sorry, forgot about this issue. Is there anything else I can help you with?

from ysoserial.net.
