Deserialization Tips #
- ysoserial for .NET
Debug using dnSpy #
- with (once in dnSpy, right click on “Edit Assembly Attributes”)
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
- Make IIS load the module and not copy and execute from a temp directory
1 2 3 4
iisreset /noforce # Exit and reload dnSpy and Attach to process "w3p*" # Pause the debugging and open the modules
General Tips #
- Make use of “Call Stack”, “Watch” (Variable) and Breakpoints (F5,F9,F10)
XML Serialization #
- Grep for the following which might give a hint for XML Deserialization
1 2 3 4 5 6 7 8 9
.GetType( .GetType().AssemblyQualifiedName XmlSerializer( Serializer .Serialize( .Deserialize( = new XmlDocument() DeSerializeHashtable XmlUtils.DeSerializeHashtable
- Payload or abusable functions
- Can be used to provide a binding source
- To retrieve data from any of your called methods and classes without violating XMLSerializers restrictions/limitations to public fields and properties
- To have a generic wrapper to fake a method so it would be accepted for example by XmlSerializer
- Public read/write properties and fields of public classes
- Only public properties and fields not public class
- Cannot serialize class methods”
Notes from Afinepl's blog #
- During whitebox analysis look for
- Practice on Vulnerable Java
- Use Nicky Bloor’s Serialization dumper to inspect serialized objects to confirm what they are.
- Apart from deserialization flaws to be exploited with Ysoserial, it is possible that a logical information is being transported in the serialized stream (e.g. user=admin)
- Ysoserial has more usages than just getting instant RCE.
- For blind or quick testing, use URLDNS or JRMPClient/Listener payloads.
- Apart from instant RCE, it’s worth noticing how to use payloads related to FileUpload or Object Lookup.
- Be prepared to face stack traces
- See what to do, If you find errors like SerialUID Mismatch or ClassNotFoundException
Last update: May 23, 2021