JSON.NET Deserialization
Last modified: 2023-03-08
In a .NET application that uses JSON.NET (the Newtonsoft.Json library), we can execute arbitrary code or read local files by abusing how JSON objects are deserialized.
Investigation
We can decompile .dll files using ILSpy on Windows. If you want to use ILSpy on Linux, use AvaloniaILSpy.
json = JsonConvert.DeserializeObject<Example>(json);
If the application passes user-controlled JSON to the “JsonConvert.DeserializeObject” function with TypeNameHandling set to anything other than None (the default, which ignores type names), we can abuse the JSON object to execute arbitrary code or read local files.
Exploitation
We can give the JSON value to the “JsonConvert.DeserializeObject(json)” call with the reserved key ($type).
The format is as follows. The value of $type is a string that contains the assembly-qualified name of the .NET type to be deserialized.
{
"$type": "<namespace>.<class>, <assembly>",
"<method_name>": "<attribute>"
}
LFI
If the application has a method that reads a file, we can trigger it and read the desired files by abusing the JSON object being deserialized. For example, if the application has a "ReadFile" member in the "File" class, we can use it to read local files.
{
"$type": "Example.File, example",
"ReadFile": "../../../../etc/passwd"
}
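As an added example (not code from the original page), the settings that decide whether the $type key above is honoured, shown in C#: "$type" is only processed when TypeNameHandling is not None, and when polymorphic deserialization is genuinely required an ISerializationBinder allow-list keeps attacker-chosen types from being resolved. The Example class, the AllowListBinder name and the embedded payload are assumptions constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Example
{
    public string Name { get; set; }
}

// Assumed allow-list binder: only types named here may be created from "$type".
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { "Example", typeof(Example) },
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        // Anything else is rejected instead of being looked up by reflection.
        throw new JsonSerializationException("Type not allowed: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Demo
{
    // Constructed input in the shape described above: "$type" names a type the
    // application never intended to instantiate.
    const string Payload =
        "{\"$type\":\"Example.File, example\",\"ReadFile\":\"../../../../etc/passwd\"}";

    public static void Main()
    {
        // Vulnerable: any TypeNameHandling other than None makes JSON.NET read "$type".
        var unsafeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

        // Hardened (1): keep the default None, so "$type" is treated as an ordinary key.
        var safeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

        // Hardened (2): if "$type" is needed, restrict what it may resolve to.
        var bindSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };

        try { JsonConvert.DeserializeObject<object>(Payload, bindSettings); }
        catch (JsonSerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

When reviewing decompiled code, search for JsonSerializerSettings and TypeNameHandling near the DeserializeObject call; its absence means the default None applies and the $type key is not honoured.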
Deserialization Payload Generator
For .NET, we can use ysoserial.net to generate payloads, but it requires a Windows machine.
References
- https://www.newtonsoft.com/json
- https://owasp.org/www-chapter-vancouver/assets/presentations/2020-05_Exploiting_and_Preventing_Deserialization_Vulnerabilities.pdf
- https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net