0x00 Intro
0x01 Post-Auth OS-command injection
The vulnerable code is at lykops/lykops/ansible/yaml.py#74 (github link here).
The vulnerable parameter `file` comes straight from our HTTP request, via the FILES array.
So we completely control this unsanitized parameter, and it ends up in an OS command, giving OS command injection.
- The corresponding route is ^ansible/yaml/import$; we can trigger this vuln by visiting it.
- Also, note that an exception causes import_file() to be invoked twice, which means a `sleep 5` command will cause a delay of 10 seconds.
0x02 Pre-Auth pickle deserialization RCE via unauthorized Redis
The route is ^login.html, and the corresponding implementation is
pickle.loads! This evil function!
In the implementation of get, when the input parameter is fmt=obj, the string fetched from Redis is deserialized, and the deserialization function actually used is pickle.loads.
If you are not familiar with Python deserialization attacks, see the post "python deserialization attacks from scratch".
The following figure shows a demo that uses deserialization to run commands from the Python command line.
So the script for generating the payload is as follows:
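As an added defensive example (not from the original writeup or from lykops), the block below shows two things a defender wants for the Redis-backed get(key, fmt=obj) pattern described above: an audit that disassembles values already sitting in Redis with pickletools.genops (which never executes the stream) and flags any pickle that can reach Python callables, and a hardened stand-in for the fmt=obj branch that exchanges structured values as JSON so nothing read from Redis ever reaches pickle.loads. The function names, the decode_redis_value signature and the SAMPLE_VALUES dump are all assumptions constructed for the example.

```python
import datetime
import json
import pickle
import pickletools

# Opcodes through which a pickle reaches Python callables: importing a name
# (GLOBAL, STACK_GLOBAL, INST), calling it (REDUCE, OBJ, NEWOBJ, NEWOBJ_EX) or
# feeding state to __setstate__ (BUILD). Pickled plain data needs none of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def pickle_code_opcodes(raw: bytes) -> set:
    """Code-reaching opcodes in a pickle, found by disassembling it with
    pickletools.genops, which never executes the stream, so it is safe on bytes
    of unknown origin. Raises ValueError if raw is not a well-formed pickle."""
    return {op.name for op, _arg, _pos in pickletools.genops(raw)} & CODE_OPCODES

def audit_redis_values(values: dict) -> dict:
    """key -> offending opcodes for every value that is a pickle able to reach
    code. values is a {key: bytes} dump (hypothetical helper, not lykops code)."""
    flagged = {}
    for key, raw in values.items():
        try:
            ops = pickle_code_opcodes(raw)
        except ValueError:
            continue  # not a pickle at all (JSON, plain string, ...)
        if ops:
            flagged[key] = ops
    return flagged

def decode_redis_value(raw: bytes, fmt: str = "str"):
    """Hardened stand-in for the get(key, fmt=...) branch: structured values
    travel as JSON, so nothing read from Redis reaches pickle.loads."""
    if fmt == "obj":
        return json.loads(raw.decode("utf-8"))
    return raw.decode("utf-8")

# Constructed sample dump of a Redis instance: a data-only pickle, a pickle that
# must import and call datetime.date to rebuild it (GLOBAL/STACK_GLOBAL + REDUCE),
# and a JSON value as the hardened code would store it.
SAMPLE_VALUES = {
    "sess:1": pickle.dumps({"name": "admin", "role": "ops"}),
    "sess:2": pickle.dumps({"name": "admin", "login": datetime.date(2024, 1, 1)}),
    "sess:3": b'{"name": "guest"}',
}
```

Run audit_redis_values over a real dump of the instance to find keys that a pickle.loads caller would turn into code; the audit only reads opcodes, so it is safe to run on untrusted values.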
0x03 Post-Auth YAML deserialization RCE
Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the
The source is in library/utils/file.py (github link here).