BinaryFormatter deserialise malicious code?


Question

I've heard there are security issues with BinaryFormatter.

I send user-generated files to the server from the client. These are serialized classes that are then read by the server.

From my understanding of the above link, this is dangerous. But I've tried sending disposable classes, and even tried a class that implemented ISerializable. But both were rejected due to the server not knowing the source assembly.

using System;
using System.Runtime.Serialization;

[Serializable]
public class Ship : ISerializable
{
    public Ship()
    {
    }

    // Deserialization constructor: invoked by the formatter when it rebuilds a Ship from a payload.
    public Ship(SerializationInfo info, StreamingContext context)
    {
        Console.WriteLine("test");
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
    }
}

So how could a client successfully get code into my server via this vector? By faking the namespace name and public key, causing the server to try to deserialise it, thus running the above code? Or are there more subtle ways to do it?

This feature is a core fundamental to my game unfortunately, so I want to be careful.

Answer

Serialization works on data, not code. A deserializer extracts the data from the payload you provide, constructs a new object instance and sets the object's values from the extracted data. It does NOT extract any code from the payload.

If your code is vulnerable to malicious input in the first place, then yes, deserialization could be another way to attack it - just like any other way of injecting malicious data.

For example, if you construct SQL statements by concatenating strings, you will be vulnerable to SQL injection attack whether the strings come from user input or deserialized data. The way to fix this is to use parameterized queries, not avoid deserialization or try to sanitize the user's input.

In any case the answers to the original post were mostly speculation, comments on Java serialization that's not really relevant to .NET, or really contrived examples.
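An added example, not from the question or the answer: a SerializationBinder that allow-lists the single type the server expects, so a payload naming any other type is rejected before the deserializer instantiates it (which is what makes the deserialization constructor in the question's Ship class reachable). ShipState, AllowListBinder and ShipPayload are assumed names, and the code assumes .NET Framework or another runtime where BinaryFormatter is still enabled. Microsoft's current guidance is to replace BinaryFormatter altogether; a binder only narrows which types a payload can instantiate.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Assumed type: the game's own save-data class (stands in for the Ship in the question).
[Serializable]
public class ShipState
{
    public string Name;
    public int Hull;
}

// Allow-list binder: the formatter calls BindToType for every type named in the payload.
// Anything not on the list throws, so no constructor or deserialization callback of an
// unexpected type is ever reached.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(ShipState) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
        {
            if (t.FullName == typeName) return t;
        }
        throw new SerializationException("Type not permitted: " + typeName);
    }
}

public static class ShipPayload
{
    // Client side: produce the bytes that travel to the server.
    public static byte[] Serialize(ShipState s)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, s);
            return ms.ToArray();
        }
    }

    // Server side: deserialize only with the allow-list binder attached.
    public static ShipState Deserialize(byte[] bytes)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(bytes))
        {
            return (ShipState)formatter.Deserialize(ms);
        }
    }
}
```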
