Deserialization Tips
.NET
Tools
- dnSpy
- ysoserial for .NET
Debug using dnSpy
- Replace
- with (once in dnSpy, right-click on “Edit Assembly Attributes”)
- Make IIS load the module in place rather than copying it to, and executing it from, a temp directory
General Tips
- Make use of “Call Stack”, “Watch” (variables) and breakpoints (F5, F9, F10)
XML Serialization
- Grep for the following, which may hint at XML deserialization:
- Payload or abusable functions
FileSystemUtils.PullFile
ObjectDataProvider
- Can be used to provide a binding source
- To retrieve data from any of your called methods and classes without violating XmlSerializer's restrictions/limitations (public fields and properties only)
ExtendedWrapper
- To have a generic wrapper that fakes a method so that it is accepted, for example, by XmlSerializer
- Public read/write properties and fields of public classes
- Only public properties and fields; a non-public class cannot be serialized
- Cannot serialize class methods
- Objects
- XmlElement
- XmlNode
- DataSet
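As an added example (my own code, not from the original notes) for the “grep for abusable functions” and XmlSerializer tips above, here is a small Python scanner for .NET source. It flags deserialization sinks worth reading by hand, distinguishes an XmlSerializer built from a runtime-resolved type from one built from a fixed `typeof(...)`, and notes whether the file carries a mitigation marker. The sink list and the sample C# source are constructed for this example; the sink regexes are my starting point, not a list from the page.

```python
import re
from typing import List, Tuple

# Deserialization sinks to grep for in .NET source during white-box review. This list is
# my own starting point, constructed for the example, not a list taken from the page.
# Patterns are deliberately coarse: the output is a short list of lines to read by hand.
SINKS: List[Tuple[str, str]] = [
    (r"\bBinaryFormatter\b", "BinaryFormatter: unsafe with any untrusted input"),
    (r"\b(SoapFormatter|LosFormatter|ObjectStateFormatter|NetDataContractSerializer)\b",
     "type-embedding formatter: treat like BinaryFormatter"),
    (r"new\s+XmlSerializer\s*\(\s*Type\.GetType\s*\(", "XmlSerializer built from a runtime-resolved type"),
    (r"\bObjectDataProvider\b", "ObjectDataProvider referenced (known XAML/XML gadget type)"),
    (r"\bJavaScriptSerializer\b.*\bSimpleTypeResolver\b", "JavaScriptSerializer with a type resolver"),
    (r"TypeNameHandling\s*=\s*TypeNameHandling\.(?!None\b)", "Json.NET TypeNameHandling enabled"),
    (r"\bXamlReader\.(Parse|Load)\b", "XamlReader: XAML is executable markup"),
]

# Markers suggesting the author thought about the problem; they lower, not remove, concern.
MITIGATION = re.compile(r"\bSerializationBinder\b|\bTypeNameHandling\.None\b|\bKnownTypeAttribute\b")


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, note) for every sink pattern hit in `source`."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, note in SINKS:
            if re.search(pattern, line):
                hits.append((lineno, note))
    return hits


def has_mitigation_marker(source: str) -> bool:
    """True if the file references a binder / TypeNameHandling.None / known-type attribute."""
    return MITIGATION.search(source) is not None


# Constructed sample (not real project code). Line 6 resolves the type from a caller-supplied
# name, line 10 uses a fixed expected type, line 14 uses BinaryFormatter.
DOTNET_SAMPLE = """\
using System.IO;
using System.Xml.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
public class Loader {
    public object Load(string typeName, string xml) {
        var ser = new XmlSerializer(Type.GetType(typeName));   // type chosen by caller
        return ser.Deserialize(new StringReader(xml));
    }
    public object LoadFixed(string xml) {
        var ser = new XmlSerializer(typeof(Order));             // fixed, expected type
        return ser.Deserialize(new StringReader(xml));
    }
    public object LoadBinary(Stream s) {
        return new BinaryFormatter().Deserialize(s);            // never safe on untrusted data
    }
}
"""

if __name__ == "__main__":
    for lineno, note in scan_source(DOTNET_SAMPLE):
        print(f"sample.cs:{lineno}: {note}")
    print("mitigation marker present:", has_mitigation_marker(DOTNET_SAMPLE))
```

Running it lists lines 6 and 14 and reports no mitigation marker; the fixed-type `XmlSerializer(typeof(Order))` on line 10 is deliberately not flagged, since XmlSerializer is only a deserialization sink when the type it is constructed with comes from the input.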
Java
Notes from Afinepl's blog
- URL
- During white-box analysis, look for
readObject()
- Practice on Vulnerable Java
- Use Nicky Bloor’s SerializationDumper to inspect serialized objects and confirm what they are.
- Apart from deserialization flaws to be exploited with ysoserial, logical information may be transported in the serialized stream (e.g. user=admin)
- ysoserial has more uses than just getting instant RCE.
- For blind or quick testing, use URLDNS or JRMPClient/Listener payloads.
- Apart from instant RCE, it’s worth learning how to use the payloads related to FileUpload or Object Lookup.
- Be prepared to work through stack traces
- Know what to do if you hit errors like a serialVersionUID mismatch or ClassNotFoundException
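To complement the SerializationDumper tip, the “logical information in the stream” note and the error-handling notes above, here is an added example (mine, not from the blog or these notes): a Python inspector that parses the Java serialization stream header and the first object's class descriptors without instantiating anything, reports class names and serialVersionUIDs, decodes simple String fields (the user=admin case), and emulates a receiver-side allowlist check so you can see what a serialVersionUID mismatch or an unknown class looks like before the JVM throws. The sample stream, the class name `com.example.User` and its serialVersionUID are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

# Tag bytes from the Java Object Serialization Stream Protocol (java.io.ObjectStreamConstants).
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = (
    0x70, 0x71, 0x72, 0x73, 0x74, 0x78)
PRIMITIVE_SIZES = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}


class StreamError(ValueError):
    pass


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise StreamError("truncated stream")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def i64(self) -> int: return struct.unpack(">q", self.take(8))[0]
    def utf(self) -> str: return self.take(self.u16()).decode("utf-8")


def _read_class_desc(r: _Reader, out: List[Dict]) -> None:
    """Read one classDesc plus its superclass chain, appending each to `out`."""
    tag = r.u8()
    if tag == TC_NULL:                      # end of the superclass chain
        return
    if tag == TC_REFERENCE:                 # back-reference to an earlier classDesc
        r.take(4)
        return
    if tag != TC_CLASSDESC:
        raise StreamError(f"expected TC_CLASSDESC, got 0x{tag:02x}")
    name, suid, flags = r.utf(), r.i64(), r.u8()
    fields = []
    for _ in range(r.u16()):
        typecode, field_name, field_type = chr(r.u8()), r.utf(), None
        if typecode in "L[":                # object/array fields carry a type signature
            sig_tag = r.u8()
            if sig_tag == TC_STRING:
                field_type = r.utf()
            elif sig_tag == TC_REFERENCE:
                r.take(4)
            else:
                raise StreamError("bad field type signature")
        fields.append((typecode, field_name, field_type))
    if r.u8() != TC_ENDBLOCKDATA:           # class annotations are not handled here
        raise StreamError("unsupported class annotation")
    out.append({"name": name, "serialVersionUID": suid, "flags": flags, "fields": fields})
    _read_class_desc(r, out)


def inspect_stream(data: bytes) -> Dict:
    """Parse the header and the first object's class descriptors; nothing is instantiated."""
    r = _Reader(data)
    if (r.u16(), r.u16()) != (STREAM_MAGIC, STREAM_VERSION):
        raise StreamError("not a Java serialization stream (bad magic/version)")
    if r.u8() != TC_OBJECT:
        raise StreamError("first content is not TC_OBJECT")
    classes: List[Dict] = []
    _read_class_desc(r, classes)
    # Field values follow. Only the single-class, primitive/String case is decoded;
    # anything more complex is left unread rather than guessed at.
    values: Dict[str, Optional[str]] = {}
    if len(classes) == 1:
        for typecode, fname, ftype in classes[0]["fields"]:
            if typecode in PRIMITIVE_SIZES:
                values[fname] = r.take(PRIMITIVE_SIZES[typecode]).hex()
            elif ftype == "Ljava/lang/String;":
                values[fname] = r.utf() if r.u8() == TC_STRING else None
            else:
                break
    return {"classes": classes, "values": values}


def check_stream(data: bytes, allowlist: Dict[str, int]) -> List[str]:
    """Emulate a receiving-side filter: an unknown class or a wrong serialVersionUID is rejected."""
    findings = []
    for cls in inspect_stream(data)["classes"]:
        name, suid = cls["name"], cls["serialVersionUID"]
        if name not in allowlist:
            findings.append(f"{name}: not in allowlist (ClassNotFoundException on a receiver without it)")
        elif allowlist[name] != suid:
            findings.append(f"{name}: serialVersionUID {suid:#x} != expected (InvalidClassException)")
    return findings


def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


# Constructed sample: one com.example.User object with a single String field "user".
SAMPLE_UID = 0x1122334455667788             # constructed serialVersionUID, not a real class's value
SAMPLE = (
    struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)
    + bytes([TC_OBJECT, TC_CLASSDESC]) + _utf("com.example.User")
    + struct.pack(">q", SAMPLE_UID) + bytes([0x02])             # SC_SERIALIZABLE
    + struct.pack(">H", 1) + b"L" + _utf("user") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
    + bytes([TC_ENDBLOCKDATA, TC_NULL])                           # end of desc, no superclass
    + bytes([TC_STRING]) + _utf("admin")                          # the field value
)

if __name__ == "__main__":
    print(inspect_stream(SAMPLE))
    print(check_stream(SAMPLE, {"com.example.User": SAMPLE_UID}))   # []
    print(check_stream(SAMPLE, {"com.example.User": 1}))            # serialVersionUID mismatch
```

The parser stops at the first object and never resolves or constructs a class, which is the property you want in anything that looks at untrusted streams; a real receiver gets the same effect from an ObjectInputFilter (JEP 290) that rejects every class not on its allowlist before any readObject() runs.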