.NET
Json.Net Deserialization
Requires a custom TypeNameHandling setting by the dev (not insecure by default!). On of the following must be true for type that is deserialized:
It is Object Type (java.lang.Object or System.Object)
It is a non-generic collection (e.g.: ArrayList, Hashtable, etc.)
It implements IDynamicMetaObjectProvider
It is System.Data.EntityKeyMember or any derived Type from it. We may not need even
TypeNameHandling property set to a non-None (see the EntityKeyMemberConverter in
"TypeConverters" ).
Common RCE payload (can also be created with ysoerial.net):
ASP.NET Razor Template Injection (SSTI)
Check if vulnerable:
Exploit:
References
https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/
Last updated