The code snippet below is from an ASP.NET MVC application. It accepts all parameters from the browser. I believe it's vulnerable.
I'm testing an application's security. It uses the Invoke method, but accepts the object type, method and parameters dynamically from the user's input. I believe it is dangerous and I'm trying to prove it.
Do you think I can invoke Console.Write or execute some sort of arbitrary/dangerous code?
I want to try to use the C# Invoke method to write to the console to prove the vulnerability. This is what I did:
static void Main(string[] args)
{
    // "System" is a namespace, not a type, so this lookup returns null
    Type magicType = Type.GetType("System");
    ConstructorInfo magicConstructor = magicType.GetConstructor(Type.EmptyTypes);
    object magicClassObject = magicConstructor.Invoke(new object[] { });
    MethodInfo magicMethod = magicType.GetMethod("Console.Write");
    object magicValue = magicMethod.Invoke(magicClassObject, new object[] { 100 });
}
But it doesn't work. It says Object is not initialized. What am I missing?
System is not a type, it's a namespace. You're actually looking for System.Console, which is the console class. After that, you're looking for the WriteLine method with the proper overload, which takes an int, which is what you pass to Type.GetMethod. Only then can you invoke the MethodInfo object using Invoke, passing null as the object (as this is a static class) and the right parameter.
What you actually want is this:
Type magicType = Type.GetType("System.Console");
var method = magicType.GetMethod("WriteLine", new[] { typeof(int) });
method.Invoke(null, new object[] { 100 });
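The answer's three lines show how far a type name, a method name and an argument list carry once they reach reflection. The following is an added example, not code from the question or the answer: it puts the unconstrained lookup the question describes next to a dispatcher in which user input selects an entry from a fixed allowlist (the action keys, the Allowed table and the ReflectionDispatcher class are assumptions of this example), so that the type and method names never come from the request at all.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Added example (not part of the original question or answer):
// unconstrained reflection dispatch next to an allowlisted version.
static class ReflectionDispatcher
{
    // Assumed allowlist: the only (type, method, parameter types) combinations
    // reachable from user input. Keys are opaque action names, not CLR names.
    private static readonly Dictionary<string, (Type Type, string Method, Type[] Params)> Allowed =
        new Dictionary<string, (Type, string, Type[])>
        {
            ["print-int"] = (typeof(Console), "WriteLine", new[] { typeof(int) }),
            ["abs-int"]   = (typeof(Math),    "Abs",       new[] { typeof(int) }),
        };

    // The pattern from the question: type and method names are taken straight from
    // input, so any public static method that resolves by name can be invoked.
    public static object UncheckedInvoke(string typeName, string methodName, object[] args)
    {
        Type t = Type.GetType(typeName)
            ?? throw new ArgumentException("Type not found: " + typeName);
        Type[] argTypes = Array.ConvertAll(args, a => a.GetType());
        MethodInfo m = t.GetMethod(methodName, argTypes)
            ?? throw new ArgumentException("Method not found: " + methodName);
        return m.Invoke(null, args);
    }

    // Hardened: input selects an allowlist key; the type, method and parameter
    // types are fixed at compile time and argument types are checked before Invoke.
    public static object Dispatch(string action, object[] args)
    {
        if (!Allowed.TryGetValue(action, out var entry))
            throw new ArgumentException("Action not permitted: " + action);
        if (args.Length != entry.Params.Length)
            throw new ArgumentException("Wrong argument count for " + action);
        for (int i = 0; i < args.Length; i++)
        {
            if (args[i] == null || args[i].GetType() != entry.Params[i])
                throw new ArgumentException(
                    $"Argument {i} of {action} must be {entry.Params[i].Name}");
        }
        MethodInfo m = entry.Type.GetMethod(entry.Method, entry.Params)
            ?? throw new InvalidOperationException("Allowlisted method missing: " + action);
        return m.Invoke(null, args);
    }

    static void Main()
    {
        // Unchecked path: the same call the answer constructs, driven by strings.
        UncheckedInvoke("System.Console", "WriteLine", new object[] { 100 });

        // Allowlisted path: the caller names an action, never a type or method.
        Dispatch("print-int", new object[] { 100 });
        object r = Dispatch("abs-int", new object[] { -7 });
        Console.WriteLine("abs-int -> " + r);

        // Anything outside the table is rejected before reflection runs.
        try
        {
            Dispatch("System.Console.WriteLine", new object[] { "x" });
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The key difference is where the names live: in UncheckedInvoke the request decides which Type.GetType and GetMethod lookups run, so the set of reachable code is whatever is public and loadable in the process, while in Dispatch the request can only choose among entries a developer wrote into the table, and a request for a CLR name that is not a key fails before any reflection call is made.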