BinaryFormatter 反序列化利用技术详解<\/h1>

1. BinaryFormatter 基础<\/h2>
BinaryFormatter 是 .NET 中用于二进制序列化和反序列化的类，位于 `System.Runtime.Serialization.Formatters.Binary<\/code> 命名空间。<\/p>`

1.1 基本用法<\/h3>
[Serializable]<\/span>
<\/span><\/span>public<\/span> class<\/span> MyClass<\/span>
<\/span><\/span>{
<\/span><\/span>    public<\/span> int<\/span> a;
<\/span><\/span>    public<\/span> int<\/span> b;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 序列化<\/span>
<\/span><\/span>void<\/span> SerializeToFile(string<\/span> filename, MyClass obj)
<\/span><\/span>{
<\/span><\/span>    FileStream fs = new<\/span> FileStream(filename, FileMode.Create);
<\/span><\/span>    BinaryFormatter formatter = new<\/span> BinaryFormatter();
<\/span><\/span>    formatter.Serialize(fs, obj);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化<\/span>
<\/span><\/span>void<\/span> DeserializeFromFile(string<\/span> filename)
<\/span><\/span>{
<\/span><\/span>    FileStream fs = new<\/span> FileStream(filename, FileMode.Open);
<\/span><\/span>    BinaryFormatter formatter = new<\/span> BinaryFormatter();
<\/span><\/span>    MyClass obj = (MyClass)formatter.Deserialize(fs);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.2 序列化生命周期<\/h3>

检查是否有代理选择器(SurrogateSelector)，有则调用其处理方法<\/li>
检查对象是否有 [Serializable]<\/code> 特性，没有则抛出异常<\/li>
检查是否实现 ISerializable<\/code> 接口，实现则调用其 GetObjectData<\/code> 方法<\/li>
否则使用默认策略序列化所有未标记 [NonSerialized]<\/code> 的字段<\/li>
<\/ol>
2. ISerializable 接口<\/h2>
自定义序列化可通过实现 ISerializable<\/code> 接口来控制：<\/p>
[Serializable]<\/span>
<\/span><\/span>public<\/span> class<\/span> MyClass<\/span> : ISerializable
<\/span><\/span>{
<\/span><\/span>    public<\/span> int<\/span> n1;
<\/span><\/span>    public<\/span> string<\/span> str;
<\/span><\/span>
<\/span><\/span>    \/\/ 必须实现的构造函数<\/span>
<\/span><\/span>    protected<\/span> MyClass(SerializationInfo info, StreamingContext context)
<\/span><\/span>    {
<\/span><\/span>        n1 = info.GetInt32("i"<\/span>);
<\/span><\/span>        str = info.GetString("s"<\/span>);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ ISerializable 方法<\/span>
<\/span><\/span>    public<\/span> void<\/span> GetObjectData(SerializationInfo info, StreamingContext context)
<\/span><\/span>    {
<\/span><\/span>        info.AddValue("i"<\/span>, n1);
<\/span><\/span>        info.AddValue("s"<\/span>, str);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 序列化事件<\/h2>
.NET 提供了四个序列化事件特性：<\/p>



特性<\/th>
调用时机<\/th>
典型用途<\/th>
<\/tr>
<\/thead>


OnDeserializingAttribute<\/code><\/td>
反序列化之前<\/td>
初始化可选字段默认值<\/td>
<\/tr>

OnDeserializedAttribute<\/code><\/td>
反序列化之后<\/td>
根据其他字段修改可选字段<\/td>
<\/tr>

OnSerializingAttribute<\/code><\/td>
序列化之前<\/td>
准备序列化，创建数据结构<\/td>
<\/tr>

OnSerializedAttribute<\/code><\/td>
序列化之后<\/td>
记录序列化事件<\/td>
<\/tr>
<\/tbody>
<\/table>
4. 序列化控制机制<\/h2>
4.1 SurrogateSelector (代理选择器)<\/h3>
代理选择器可以接管序列化\/反序列化过程：<\/p>
class<\/span> MySurrogate<\/span> : ISerializationSurrogate
<\/span><\/span>{
<\/span><\/span>    public<\/span> void<\/span> GetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context)
<\/span><\/span>    {
<\/span><\/span>        \/\/ 自定义序列化逻辑<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    public<\/span> object<\/span> SetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector)
<\/span><\/span>    {
<\/span><\/span>        \/\/ 自定义反序列化逻辑<\/span>
<\/span><\/span>        return<\/span> new<\/span> MyClass();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用代理<\/span>
<\/span><\/span>SurrogateSelector ss = new<\/span> SurrogateSelector();
<\/span><\/span>ss.AddSurrogate(typeof<\/span>(MyClass), new<\/span> StreamingContext(), new<\/span> MySurrogate());
<\/span><\/span>formatter.SurrogateSelector = ss;
<\/span><\/span><\/code><\/pre>4.2 SerializationBinder (序列化绑定器)<\/h3>
用于控制反序列化时的类型绑定，可用于安全防护：<\/p>
class<\/span> SafeBinder<\/span> : SerializationBinder
<\/span><\/span>{
<\/span><\/span>    public<\/span> override<\/span> Type BindToType(string<\/span> assemblyName, string<\/span> typeName)
<\/span><\/span>    {
<\/span><\/span>        if<\/span> (typeName == "System.Data.DataSet"<\/span>)
<\/span><\/span>            throw<\/span> new<\/span> Exception("危险类型禁止反序列化"<\/span>);
<\/span><\/span>        return<\/span> Type.GetType($"{typeName}, {assemblyName}"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用绑定器<\/span>
<\/span><\/span>formatter.Binder = new<\/span> SafeBinder();
<\/span><\/span><\/code><\/pre>5. 安全风险与绕过技术<\/h2>
5.1 危险类型<\/h3>
以下类型特别危险：<\/p>

System.Data.DataSet<\/code><\/li>
System.Windows.Forms.AxHost<\/code><\/li>
System.Configuration.Install.AssemblyInstaller<\/code><\/li>
<\/ul>
5.2 SerializationBinder 绕过技术<\/h3>
5.2.1 空白字符绕过<\/h4>
string<\/span> typeName = "\nSystem.Data.DataSet,\nSystem.Data"<\/span>;
<\/span><\/span>Type.GetType(typeName); \/\/ 仍然能解析<\/span>
<\/span><\/span><\/code><\/pre>5.2.2 前导点号<\/h4>
string<\/span> typeName = ".System.Data.DataSet, System.Data"<\/span>;
<\/span><\/span><\/code><\/pre>5.2.3 程序集引号<\/h4>
string<\/span> typeName = "System.Data.DataSet, \"System.Data\""<\/span>;
<\/span><\/span><\/code><\/pre>5.2.4 大小写不敏感<\/h4>
string<\/span> typeName = "System.Data.DataSet, system.data"<\/span>;
<\/span><\/span><\/code><\/pre>5.2.5 属性顺序任意<\/h4>
string<\/span> typeName = "System.Data.DataSet, System.Data, PublicKeyToken=b77a5c561934e089, Version=4.0.0.0"<\/span>;
<\/span><\/span><\/code><\/pre>5.3 加固建议<\/h3>

避免使用 BinaryFormatter<\/code>，改用 JsonSerializer<\/code> 或 XmlSerializer<\/code><\/li>
如果必须使用，实现严格的 SerializationBinder<\/code><\/li>
检查并清理输入中的特殊字符<\/li>
使用白名单而非黑名单<\/li>
<\/ol>
6. 替代方案<\/h2>
以下序列化程序同样危险，应避免使用：<\/p>

SoapFormatter<\/code><\/li>
LosFormatter<\/code><\/li>
NetDataContractSerializer<\/code><\/li>
ObjectStateFormatter<\/code><\/li>
<\/ul>
7. 参考资源<\/h2>

Microsoft 官方文档 - 自定义序列化<\/a><\/li>
.NET 反序列化漏洞详解<\/a><\/li>
绕过 .NET 序列化绑定器<\/a><\/li>
.NET 反序列化入门<\/a><\/li>
<\/ol>

特性<\/th>	调用时机<\/th>	典型用途<\/th> <\/tr> <\/thead>
`OnDeserializingAttribute<\/code><\/td>`	反序列化之前<\/td>	初始化可选字段默认值<\/td> <\/tr>
`OnDeserializedAttribute<\/code><\/td>`	反序列化之后<\/td>	根据其他字段修改可选字段<\/td> <\/tr>
`OnSerializingAttribute<\/code><\/td>`	序列化之前<\/td>	准备序列化，创建数据结构<\/td> <\/tr>
`OnSerializedAttribute<\/code><\/td>`	序列化之后<\/td>	记录序列化事件<\/td> <\/tr> <\/tbody> <\/table> 4. 序列化控制机制<\/h2> 4.1 SurrogateSelector (代理选择器)<\/h3> 代理选择器可以接管序列化\/反序列化过程：<\/p> class<\/span> MySurrogate<\/span> : ISerializationSurrogate <\/span><\/span>{ <\/span><\/span> public<\/span> void<\/span> GetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context) <\/span><\/span> { <\/span><\/span> \/\/ 自定义序列化逻辑<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> object<\/span> SetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector) <\/span><\/span> { <\/span><\/span> \/\/ 自定义反序列化逻辑<\/span> <\/span><\/span> return<\/span> new<\/span> MyClass(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 使用代理<\/span> <\/span><\/span>SurrogateSelector ss = new<\/span> SurrogateSelector(); <\/span><\/span>ss.AddSurrogate(typeof<\/span>(MyClass), new<\/span> StreamingContext(), new<\/span> MySurrogate()); <\/span><\/span>formatter.SurrogateSelector = ss; <\/span><\/span><\/code><\/pre>4.2 SerializationBinder (序列化绑定器)<\/h3> 用于控制反序列化时的类型绑定，可用于安全防护：<\/p> class<\/span> SafeBinder<\/span> : SerializationBinder <\/span><\/span>{ <\/span><\/span> public<\/span> override<\/span> Type BindToType(string<\/span> assemblyName, string<\/span> typeName) <\/span><\/span> { <\/span><\/span> if<\/span> (typeName == "System.Data.DataSet"<\/span>) <\/span><\/span> throw<\/span> new<\/span> Exception("危险类型禁止反序列化"<\/span>); <\/span><\/span> return<\/span> Type.GetType($"{typeName}, {assemblyName}"<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 使用绑定器<\/span> <\/span><\/span>formatter.Binder = new<\/span> SafeBinder(); <\/span><\/span><\/code><\/pre>5. 安全风险与绕过技术<\/h2> 5.1 危险类型<\/h3> 以下类型特别危险：<\/p> System.Data.DataSet<\/code><\/li> System.Windows.Forms.AxHost<\/code><\/li> System.Configuration.Install.AssemblyInstaller<\/code><\/li> <\/ul> 5.2 SerializationBinder 绕过技术<\/h3> 5.2.1 空白字符绕过<\/h4> string<\/span> typeName = "\nSystem.Data.DataSet,\nSystem.Data"<\/span>; <\/span><\/span>Type.GetType(typeName); \/\/ 仍然能解析<\/span> <\/span><\/span><\/code><\/pre>5.2.2 前导点号<\/h4> string<\/span> typeName = ".System.Data.DataSet, System.Data"<\/span>; <\/span><\/span><\/code><\/pre>5.2.3 程序集引号<\/h4> string<\/span> typeName = "System.Data.DataSet, \"System.Data\""<\/span>; <\/span><\/span><\/code><\/pre>5.2.4 大小写不敏感<\/h4> string<\/span> typeName = "System.Data.DataSet, system.data"<\/span>; <\/span><\/span><\/code><\/pre>5.2.5 属性顺序任意<\/h4> string<\/span> typeName = "System.Data.DataSet, System.Data, PublicKeyToken=b77a5c561934e089, Version=4.0.0.0"<\/span>; <\/span><\/span><\/code><\/pre>5.3 加固建议<\/h3> 避免使用 BinaryFormatter<\/code>，改用 JsonSerializer<\/code> 或 XmlSerializer<\/code><\/li> 如果必须使用，实现严格的 SerializationBinder<\/code><\/li> 检查并清理输入中的特殊字符<\/li> 使用白名单而非黑名单<\/li> <\/ol> 6. 替代方案<\/h2> 以下序列化程序同样危险，应避免使用：<\/p> SoapFormatter<\/code><\/li> LosFormatter<\/code><\/li> NetDataContractSerializer<\/code><\/li> ObjectStateFormatter<\/code><\/li> <\/ul> 7. 参考资源<\/h2> Microsoft 官方文档 - 自定义序列化<\/a><\/li> .NET 反序列化漏洞详解<\/a><\/li> 绕过 .NET 序列化绑定器<\/a><\/li> .NET 反序列化入门<\/a><\/li> <\/ol>

BinaryFormatter 反序列化利用技术详解<\/h1>

1. BinaryFormatter 基础<\/h2> BinaryFormatter 是 .NET 中用于二进制序列化和反序列化的类，位于 System.Runtime.Serialization.Formatters.Binary<\/code> 命名空间。<\/p>

4. 序列化控制机制<\/h2>

5. 安全风险与绕过技术<\/h2>

5.2 SerializationBinder 绕过技术<\/h3>

7. 参考资源<\/h2> Microsoft 官方文档 - 自定义序列化<\/a><\/li> .NET 反序列化漏洞详解<\/a><\/li> 绕过 .NET 序列化绑定器<\/a><\/li> .NET 反序列化入门<\/a><\/li> <\/ol>

1. BinaryFormatter 基础<\/h2>
BinaryFormatter 是 .NET 中用于二进制序列化和反序列化的类，位于 `System.Runtime.Serialization.Formatters.Binary<\/code> 命名空间。<\/p>`

7. 参考资源<\/h2>

Microsoft 官方文档 - 自定义序列化<\/a><\/li>
.NET 反序列化漏洞详解<\/a><\/li>
绕过 .NET 序列化绑定器<\/a><\/li>
.NET 反序列化入门<\/a><\/li> <\/ol>