JSON.NET Deserialization

In a .NET application that uses JSON.NET (the Newtonsoft.Json library), we can execute arbitrary code or read local files by abusing type-aware JSON deserialization.

- [json](https://www.newtonsoft.com/json)
- [presentations](https://owasp.org/www-chapter-vancouver/assets/presentations/2020-05_Exploiting_and_Preventing_Deserialization_Vulnerabilities.pdf)
- https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net

Investigation

We can decompile .dll files with ILSpy on Windows; on Linux, use AvaloniaILSpy and look for calls such as the following.

var example = JsonConvert.DeserializeObject<Example>(json);

If the application passes attacker-controlled JSON to the "JsonConvert.DeserializeObject" function, we can abuse the JSON object to execute arbitrary code or read local files.


Exploitation

We can give "JsonConvert.DeserializeObject(json)" a JSON value that contains the reserved key "$type".
The format is as follows. The value of "$type" is a string containing the assembly-qualified name of the .NET type to be deserialized; each further key names a property (setter) of that type, and its value is what the setter receives.

{
    "$type": "<namespace>.<class>, <assembly>",
    "<method_name>": "<attribute>"
}

LFI

If the application has a method that reads a file, we can use it to read desired files by abusing the JSON object being deserialized. For example, if the application has a "ReadFile" property in its "File" class, we can use it to read local files.

{
    "$type": "Example.File, example",
    "ReadFile": "../../../../etc/passwd"
}
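The "$type" key described in the Exploitation and LFI sections is only honoured when the application's JsonSerializerSettings set TypeNameHandling to something other than the default None, so during the Investigation step it is worth searching the decompiled code for TypeNameHandling and SerializationBinder as well as for DeserializeObject. The following added example (not code from the original page or from Newtonsoft) shows the weak setting next to two hardened ones, fed the constructed payload from the LFI section; the class names Example, AllowListBinder and Demo are hypothetical, and the program assumes the Newtonsoft.Json NuGet package is referenced.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical binder: only types on an explicit allow-list may be named in "$type".
// Anything else is refused before JSON.NET creates an instance or calls a setter.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();

    public AllowListBinder(params Type[] allowed)
    {
        foreach (var t in allowed)
            _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t))
            return t;
        // JSON.NET wraps this in a JsonSerializationException ("Error resolving type ...").
        throw new JsonSerializationException(
            $"Type '{typeName}' from assembly '{assemblyName}' is not allowed for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

// Hypothetical application model the endpoint expects.
public sealed class Example
{
    public string Name { get; set; }
}

public static class Demo
{
    // Constructed sample input: the LFI payload from this page, naming a class
    // the application never intended to deserialize.
    private const string Untrusted =
        "{\"$type\":\"Example.File, example\",\"ReadFile\":\"../../../../etc/passwd\"}";

    public static void Main()
    {
        // Weak: any value other than None makes the parser resolve and instantiate "$type".
        // Here the named type does not exist, so the call throws "Error resolving type";
        // in an application where it does exist, the type is created and its setter runs.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

        // Hardened (default): "$type" is read and ignored, and the unknown "ReadFile"
        // key is dropped by the default MissingMemberHandling.Ignore, so the result is
        // a plain Example with Name == null.
        var hardened = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

        // Hardened when polymorphism is genuinely needed: keep type names, but let an
        // allow-list binder decide which names may be resolved.
        var restricted = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(typeof(Example)),
        };

        TryDeserialize("weak (TypeNameHandling.All)", weak);
        TryDeserialize("hardened (TypeNameHandling.None)", hardened);
        TryDeserialize("restricted (allow-list binder)", restricted);
    }

    private static void TryDeserialize(string label, JsonSerializerSettings settings)
    {
        try
        {
            var obj = JsonConvert.DeserializeObject<Example>(Untrusted, settings);
            Console.WriteLine($"{label}: deserialized as {obj?.GetType().FullName ?? "null"}");
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine($"{label}: rejected - {e.Message}");
        }
    }
}
```

Of the three runs only the None setting yields an object, and it is the declared Example type rather than whatever "$type" named; the allow-list binder refuses the name before any constructor or setter of the target type is reached, which is the property to preserve if TypeNameHandling cannot simply be left at its default.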


Deserialization Payload Generator

For .NET, we can use ysoserial.net, but it requires a Windows machine.