. NET advanced code audit（the first lesson）XmlSerializer deserialization vulnerability-vulnerability warning-the black bar safety net

在.NET in the framework of the XmlSerializer class is a great tool, it is a highly structured XML data is mapped to . NET objects. The XmlSerializer class in the program through a single API call to perform the XML document and the object conversion between. The conversion mapping rules in the . NET class via metadata properties to represent, if the application developer to use the Type class’s static method to get external data, and call the Deserialize deserialize xml data it will trigger a deserialization exploit such as DotNetNuke arbitrary code execution vulnerability CVE-2017-9822, the article author from the principles and the code of audit perspective to do the relevant brain map presentation and reproduction.
! [](/Article/UploadPic/2019-3/201936185043104. png)

0X01 XmlSerializer serialization
. NET Framework System. Xml. Serialization namespace in the XmlSerializer class that can be XML document to bind to . NET class of the instance, there is little need to note that it is only the object’s public properties and public fields is converted to an XML element or attribute, and by two methods of composition: the Serialize() is used from the object instance of the generated XML; the Deserialize() for the XML document of the analysis object diagram is a sequence of data may be a data, fields, arrays, as well as the XmlElement and XmlAttribute object format of the embedded XML. Specifically look at the following demo
! [](/Article/UploadPic/2019-3/201936185043563. png)
XmlElement specifies the attributes to be serialized for the element, XmlAttribute specifies the attribute to be serialized as an attribute, the XmlRoot attribute to specify the class to be serialized as the root element; by the characteristics of the type of property, the impact to the generated name, name space and type. Then create a TestClass instance of the class to populate its properties are serialized to the file, and the XmlSerializer. The Serialize method overload can accept the Stream, TextWrite, the XmlWrite class, the resulting XML file lists TestClass element, Classname properties and other storage for the element attributes:
! [](/Article/UploadPic/2019-3/201936185043702. png)

0x02 XmlSerialize deserialization
The reverse sequence of the process: the xml file is converted to objects is by creating a new object called the XmlSerializer. The Deserialize method to achieve, in the sequence of the most critical ring is the new XmlSerializer constructor the parameters to pass this parameter from the System. Type class, this class can be accessed on any data type information, point to any given type of the Type referenced in the following three ways.
2.1, typeof
Instantiate the XmlSerializer incoming typeof(TestClass) represents the acquisition TestClass the class of the Type, the typeof is a C#operator, the transmission parameter can only be a type name, not the instantiated object, as the following Demo
! [](/Article/UploadPic/2019-3/201936185043325. png)
By typeof gets the Type after which you can give the class all of the Methods, the Members and other information. The following figure runs Debug, a pop-up message dialog box displays the current members of the Name of the value.
! [](/Article/UploadPic/2019-3/201936185043693. png)
2.2, the object. Type
In the. NET all classes are ultimately derived from System. Object, in the Object class defines a number of public and protected member methods, these methods can be used to define all other types, the GetType method is one, the method returns from the System. The Type derivation of an instance of the class, because it can provide the object the member belongs to the class of information, including the basic types, methods, properties, etc., the above-described case in the instance of the TestClass, and then get the current instance of the Type, as in the following Demo
! [](/Article/UploadPic/2019-3/201936185043955. png)
2.3, Type. GetType
The third method is to Type the class to static method GetType, this method allows the outside of the incoming string, which is a major plus, you’ll need to pass fully qualified name you can call the class methods, properties, etc.
! [](/Article/UploadPic/2019-3/201936185043463. png)
Type. GetType incoming parameter is deserialized to produce the vulnerability to pollution point, the next step is to go look for can be used to attack the use of the class.

0X03 build the attack chain
First put on the attack chain to build after the success of the full Demo, this Demo can be multiplexed in any place 这里不涉及.NET Core, MVC, as figure
! [](/Article/UploadPic/2019-3/201936185043220. png)
As long as the XmlSerializer the presence of deserialization vulnerability you can use the following Demo of content that relates to the three main technical points, the following were to introduce the principle.
3.1, the ObjectDataProvider
ObjectDataProvider class, which is located in the System. Windows. Data namespace, you can call any referenced methods in the class, to provide members of the ObjectInstance using the similar instance of the class, the members of the MethodName to invoke the specified type the name of the method, the members of the MethodParameters representation is passed to the method parameters, refer to the following figure
! [](/Article/UploadPic/2019-3/201936185044438. png)
Then to the TestClass class defines a ClassMethod method, the code calls System. Diagnostics. Process. Start start a new process pop-up calculator. If you use the XmlSerializer directly serialize will throw an exception, because during serialization ObjectInstance this member type is unknown, but you can use ExpandedWrapper extension class in the system of internal pre-load related entities of the query to avoid the exception error, rewrite Demo
! [](/Article/UploadPic/2019-3/201936185044376. png)
To generate data. xml content is as follows:
! [](/Article/UploadPic/2019-3/201936185044267. png)

[1] [2] next