mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-20 03:16:10 +00:00
commit
2c10b28976
@ -43,6 +43,16 @@ state: !!python/tuple
|
|||||||
update: !!python/name:exec
|
update: !!python/name:exec
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution.
|
||||||
|
[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
|
||||||
|
|
||||||
|
The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)```
|
||||||
|
|
||||||
|
```
|
||||||
|
with open('exploit_unsafeloader.yml') as file:
|
||||||
|
data = yaml.load(file,Loader=yaml.UnsafeLoader)
|
||||||
|
```
|
||||||
|
|
||||||
## Ruamel.yaml
|
## Ruamel.yaml
|
||||||
|
|
||||||
## Ruby
|
## Ruby
|
||||||
|
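Review bot: the added link "[PR fixing the vulnerabily]" points at `/issues/420`, which is an issue URL rather than a pull request, and "vulnerabily" is misspelled; relabel it as an issue (or link the actual PR) and fix the spelling. The sentence before it says the default loader for `load` "has been switched to SafeLoader", but in PyYAML 6.0 the `Loader` argument to `yaml.load` became mandatory, so a bare `yaml.load(input)` raises a `TypeError` instead of silently using SafeLoader; reword it so readers auditing code know what to look for, and spell the project name "PyYAML". The new snippet uses `yaml.load(file,Loader=yaml.UnsafeLoader)` without an `import yaml` line, and its fence has no language tag; adding both would make it copy-pasteable and consistent with a highlighted Python block.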