
C# Dangerous Function


<———————Acquire User-Supplied Data————→
QueryString // values from the URL after '?'
Ex: string studentName = HttpContext.Current.Request.QueryString["studentName"];
Params // merged QueryString + Form + Cookies + ServerVariables, so a value can arrive through whichever channel the attacker prefers
Item // Request["name"] — same merged lookup as Params
Form // POST body fields
ServerVariables // IIS/server variables; several (HTTP_*, REMOTE_HOST, URL, ...) are copied straight from the request and are attacker-controlled
Headers // raw request headers (Host, Referer, User-Agent, X-Forwarded-For, ...)
Files // Returns a collection of files uploaded by the user (file name, content type and content are all client-chosen).
Cookies // request cookies
HttpMethod // Returns the method used in the HTTP request.
InputStream // raw request body
BinaryRead // reads raw bytes from the request body

Ex: string lastname = Request.QueryString["lastname"];
Every value obtained through these members is attacker-controlled; the sections below list the sinks that turn such a value into a vulnerability when it arrives without validation, parameterisation or output encoding.

<——————RFI & LFI—————>

  • Server.Execute(path) / Server.Transfer(path) // executes another ASP.NET page in-process at the given path; a user-influenced path is a local file inclusion sink (both accept only application-relative virtual paths, so true *remote* inclusion is not reachable through these calls — look for Server.MapPath + file APIs for that instead)

<————Directory Traversal———>

  • Open a file
    // SINK: fixed prefix + user input — a value such as ..\..\Windows\win.ini walks out of C:\temp, and
    // FileMode.OpenOrCreate additionally lets the caller create files anywhere the worker account can write.
    // Path.Combine does NOT prevent this (a rooted or ..-laden second argument still escapes); canonicalise
    // with Path.GetFullPath and require the result to start with the intended base directory + separator.
    FileStream fs = File.Open(“C:\\temp\\” + userinput,FileMode.OpenOrCreate);
  • Constructors that open a file at a caller-supplied path carry the same traversal risk:
    1. System.IO.FileStream
    2. System.IO.StreamReader
    3. System.IO.StreamWriter
    Ex: FileStream fs = new FileStream("F:\\tmp\\" + userinput, FileMode.OpenOrCreate);
    Mitigation: canonicalise with Path.GetFullPath and reject any result that does not start with the intended base directory; Path.Combine alone does not help, because a rooted or ..-containing second argument still escapes the base.

<—————OS Command Injection—→

  • string cmd = @"/C ping " + Request.QueryString["hostname"]; /* @ = verbatim string: backslash escape sequences are not interpreted. Note the space after "ping" — the original had none, so the host was glued onto the command name. */
    // SINK: the request value becomes part of cmd.exe's argument string, so a "hostname" such as
    //   1.1.1.1 & whoami
    // runs a second command (cmd.exe also honours | ^ && || and %VAR% expansion).
    // FIX: do not go through cmd.exe at all — start ping.exe with UseShellExecute = false and pass the host
    // as a separate argument (ArgumentList where available), after validating it with IPAddress.TryParse or
    // Uri.CheckHostName.  Escaping for cmd.exe is error-prone and should not be relied on.
    ProcessStartInfo info = new ProcessStartInfo(“cmd.exe”, cmd);
    Process.Start(info);

<——————-SQL Injection———→

  • The following classes create and execute SQL statements. When the statement text is built by concatenating user input instead of binding it as a parameter, SQL injection is possible; "sanitising" or filtering the input is not a substitute for parameterisation.
    1. System.Data.SqlClient.SqlCommand
    2. System.Data.SqlClient.SqlDataAdapter
    3. System.Data.Oledb.OleDbCommand
    4. System.Data.Odbc.OdbcCommand
    5. System.Data.SqlServerCe.SqlCeCommand
    Ex 1:
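    // SINK: the query text is built by concatenating raw request values, so a username such as
    //   ' OR '1'='1
    // rewrites the WHERE clause.  (The original listing had a typo — `comand` — used `&`, which is not a
    // SQL boolean operator, and had a stray "" before the closing quote; all three are fixed here.)
    string query = "select username, password from user where username='" + username + "' and password='" + password + "'";
    OdbcCommand command = new OdbcCommand(query, connection);
    command.ExecuteNonQuery(); // a SELECT would normally use ExecuteReader(); every Execute* method is equally injectable
    // FIX — bind the values as parameters.  ODBC uses positional '?' markers; the parameter names are ignored:
    //   var safe = new OdbcCommand("select username, password from user where username=? and password=?", connection);
    //   safe.Parameters.AddWithValue("@u", username);
    //   safe.Parameters.AddWithValue("@p", password);
    // Also: selecting a stored password for comparison implies plaintext storage — store a salted hash
    // (e.g. PBKDF2) and compare with CryptographicOperations.FixedTimeEquals instead.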

Ex 2:
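// SINK: user input spliced into the SQL text.  (The original listing was missing the `+` before the closing quote.)
var query = "SELECT * FROM User WHERE Username = '" + username + "'";
SqlCommand command = new SqlCommand(query, connection);
SqlDataReader reader = command.ExecuteReader(); // ExecuteScalar / ExecuteNonQuery / SqlDataAdapter.Fill are equally affected
// FIX — a parameter keeps the value out of the query grammar:
//   var safe = new SqlCommand("SELECT * FROM User WHERE Username = @username", connection);
//   safe.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
// Prefer an explicit SqlDbType and size over AddWithValue so type inference cannot change the plan or truncate the value.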

<——————-XSS————————→

  • Response.Write(userInput) // writes without encoding; pass the value through HttpUtility.HtmlEncode (or the AntiXSS encoder) first
  • <%= searchTermFromUser %> // raw output; <%: searchTermFromUser %> (ASP.NET 4+) HTML-encodes. In MVC/Razor the equivalent sinks are @Html.Raw(...) and HtmlString/MvcHtmlString values built from user input — a plain @Model.Value is encoded automatically.

<——————-XXE————————→
Parsers that resolve external entities by default (XXE) on .NET Framework before 4.5.2. From 4.5.2 onward their default XmlResolver is null, so they are safe unless code sets XmlResolver = new XmlUrlResolver() or enables DtdProcessing.Parse:

  • XmlDocument (unsafe by default before 4.5.2)
  • XPathNavigator (created over an XmlDocument; same version rule)
  • XmlTextReader (unsafe by default before 4.5.2)
XmlReader.Create(...) with default XmlReaderSettings (DtdProcessing.Prohibit) is safe on all versions. When reviewing, grep for XmlResolver, DtdProcessing and ProhibitDtd = false.

<——————Serialization————>

  • Deserialize Binary to Object
    // SINK: BinaryFormatter has no safe configuration — the payload selects which types get instantiated,
    // so any attacker-influenced stream (uploaded file, request body, cache/queue entry) is remote code
    // execution via well-known gadget chains (ysoserial.net).  Microsoft disables it by default from .NET 5
    // and removes it in .NET 9; a SerializationBinder allow-list reduces but does not eliminate the risk.
    // The same applies to SoapFormatter, NetDataContractSerializer, ObjectStateFormatter and LosFormatter.
    BinaryFormatter bf = new BinaryFormatter();
    FileStream fsin = new FileStream(“xyz.binary”, FileMode.Open, FileAccess.Read); // real code should dispose this (using)
    obj = (class) bf.Deserialize(fsin); // the dangerous call — the file decides what `obj` (and everything reachable from it) is

  • Deserialize XML to Object
    // Lower risk than BinaryFormatter: XmlSerializer only instantiates the type passed to its constructor
    // (and members statically reachable from it), so with a fixed typeof(...) the payload cannot choose a
    // gadget type.  It becomes an RCE sink when the Type itself is derived from input, e.g.
    // new XmlSerializer(Type.GetType(Request["type"])).  If the XML is untrusted, XXE is a separate concern —
    // consider reading it through XmlReader.Create with DtdProcessing.Prohibit before Deserialize (verify the
    // default of the framework version in use).
    XmlSerializer xs = new XmlSerializer(typeof(class));
    FileStream fsin = new FileStream(“xyz.xml”, FileMode.Open, FileAccess.Read); // real code should dispose this (using)
    obj=(class)xs.Deserialize(fsin);
  • Deserialize Json to Object
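    // Deserializing JSON to an object with System.Web.Script.Serialization.JavaScriptSerializer.
    // Risk depends on the constructor: `new JavaScriptSerializer()` (as here) uses no type resolver, so the
    // JSON cannot choose the CLR type.  `new JavaScriptSerializer(new SimpleTypeResolver())` — or any custom
    // JavaScriptTypeResolver — honours a "__type" member in the payload and is a well-known RCE sink for
    // attacker-controlled input; grep for it when reviewing.
    // (The original listing had an invalid verbatim string literal and `class object = js.Deserialize(jsonData)`;
    // `object` is a keyword and Deserialize needs a type argument — corrected below.)
    string jsonData = @"{""Name"":""C-sharpcorner"",""Description"":""Share Knowledge""}";
    JavaScriptSerializer js = new JavaScriptSerializer();
    class obj = js.Deserialize<class>(jsonData);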
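// Deserializing JSON to an object using Json.NET (Newtonsoft.Json).
// Safe by default: TypeNameHandling.None ignores "$type".  Any other TypeNameHandling value (Objects, Arrays,
// All, or Auto on a member declared as object/interface/base type) — set via JsonSerializerSettings,
// [JsonProperty], a converter, or JsonConvert.DefaultSettings — lets the payload name the type to instantiate,
// which is RCE with known gadget chains.  Grep for TypeNameHandling and for custom SerializationBinder use.
// (The original listing had an invalid literal and assigned the object result of the non-generic call without a cast.)
string json = @"{""Name"":""C-sharpcorner"",""Description"":""Share Knowledge""}";
class Obj = JsonConvert.DeserializeObject<class>(json);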

// Deserializing json data to object using DataContractJsonSerializer

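// Deserializing JSON with DataContractJsonSerializer.
// Like XmlSerializer, the target type is fixed at construction, so a plain typeof(...) is not a type-confusion
// sink.  It becomes one when the Type comes from input, or when KnownTypes / a DataContractResolver let the
// payload select among polymorphic types — review those settings.
// (The original listing had mis-encoded quotes and a missing semicolon after the MemoryStream line.)
string json = "{\"Username\":\"raj\",\"Password\":\"insecure\"}";
var ms = new MemoryStream(Encoding.Unicode.GetBytes(json)); // dispose in real code
DataContractJsonSerializer deserializer = new DataContractJsonSerializer(typeof(class));
class Obj = (class)deserializer.ReadObject(ms);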

<——————SSRF————>

  • Code Snippet Type 1
    // NOT SSRF despite the heading: with UseShellExecute = true, FileName goes to ShellExecute, so a
    // request-controlled value is launched with the server's default handler for it.  An http(s):// URL
    // typically opens a browser on the server; a local or UNC path to an executable/script runs it;
    // file:///... opens that file.  Treat this as an OS command execution sink (CWE-78 class).
    var uri = Request.QueryString[“url”];
    var psi = new System.Diagnostics.ProcessStartInfo();
    psi.UseShellExecute = true; // the dangerous part — never combine with an untrusted FileName
    psi.FileName = uri;
    System.Diagnostics.Process.Start(psi);
  • Code Snippet Type 2
    // SINK: the server fetches whatever host the client names — internal services, localhost admin ports,
    // cloud metadata endpoints (169.254.169.254).  The (HttpWebRequest) cast throws for non-http schemes
    // (WebRequest.Create would otherwise honour file:// and ftp://), but host, port and path are unrestricted
    // and redirects are followed by default (AllowAutoRedirect = true), so an allowed host can bounce the
    // request to an internal one.
    // FIX: parse with Uri, allow-list scheme + host, resolve the host and reject private/link-local/loopback
    // addresses, and set AllowAutoRedirect = false.
    var url = Request.QueryString[“url”];
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
  • Code Snippet Type 3
    // SINK: same SSRF as the HttpWebRequest variant; HttpClientHandler follows redirects by default too,
    // so validate the Uri (scheme/host allow-list, no private or link-local targets) and disable
    // AllowAutoRedirect on the handler.
    // Also: `new HttpClient()` per request exhausts sockets — share one instance or use IHttpClientFactory.
    var url = Request.QueryString[“url”];
    HttpClient client = new HttpClient();
    HttpResponseMessage response = await client.GetAsync(url);

<——————Unvalidated-Redirects and Forwards———→

  • HttpResponse.Redirect(Request.QueryString["Url"]);
  • Controller.Redirect(Request.QueryString["Url"]); //MVC — RedirectPermanent likewise; check Url.IsLocalUrl() first, or use LocalRedirect() in ASP.NET Core
  • HttpResponse.AddHeader("Location", Request.QueryString["Url"])
  • HttpResponse.AppendHeader("Location", Request.QueryString["Url"]) // writing Location by hand bypasses Redirect's URL handling; CRLF header injection is blocked only while EnableHeaderChecking stays on
  • HttpServerUtility.Transfer(Request.QueryString["path"]); // server-side, so not an open redirect — but it lets the caller execute any page in the application and can bypass URL-based authorization on the target

<——————XML Injection———→
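// SINK: XmlWriter.WriteRaw emits its argument verbatim, so a value such as
//   </student><role>admin</role><student>
// closes the current element and injects new ones.  (The original listing had lost the element tags around
// studentName in rendering and called WriteEndElement without a matching start element; reconstructed
// below with a <student> element.)
string studentName = HttpContext.Current.Request.QueryString["studentName"];
using (XmlWriter writer = XmlWriter.Create("student.xml"))
{
    writer.WriteStartDocument();
    writer.WriteStartElement("student");
    writer.WriteRaw(studentName); // insert user input directly into XML — the injection point
    writer.WriteEndElement();
    writer.WriteEndDocument();
}
// FIX: writer.WriteString(studentName) (or WriteElementString("student", studentName)) escapes <, & and
// quotes, so the input can only ever become text content.  Likewise prefer WriteAttributeString over
// WriteRaw for attributes.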

<——————XPath Injection———→
// SINK: both request values are spliced into the XPath string, so a userName of
//   admin' or '1'='1
// returns another user's home_dir without knowing the password (CWE-643).
string userName = HttpContext.Current.Request.QueryString[“userName”];
string password = HttpContext.Current.Request.QueryString[“password”];
var xquery = “//users/user[login/text()=’” + userName + “’ and password/text() = ’” + password + “’]/home_dir/text()”;
// Compile() neither validates nor neutralises the input.  System.Xml.XPath has no built-in parameter binding,
// so either pass the values as XPath variables through a custom XsltContext (XPathExpression.SetContext) or
// reject any quote characters before concatenating.  A plaintext password in the XML store is itself a finding.
XPathExpression.Compile(xquery);
