120 lines
2.5 KiB
Python
120 lines
2.5 KiB
Python
"""
|
||
反序列化漏洞知识
|
||
"""
|
||
|
||
from ..base import KnowledgeDocument, KnowledgeCategory
|
||
|
||
|
||
INSECURE_DESERIALIZATION = KnowledgeDocument(
|
||
id="vuln_deserialization",
|
||
title="Insecure Deserialization",
|
||
category=KnowledgeCategory.VULNERABILITY,
|
||
tags=["deserialization", "pickle", "yaml", "json", "object", "rce"],
|
||
severity="critical",
|
||
cwe_ids=["CWE-502"],
|
||
owasp_ids=["A08:2021"],
|
||
content="""
|
||
不安全的反序列化可能导致远程代码执行、拒绝服务或权限提升。
|
||
|
||
## 危险模式
|
||
|
||
### Python Pickle
|
||
```python
|
||
# 危险 - 反序列化不可信数据
|
||
import pickle
|
||
data = pickle.loads(user_data)
|
||
data = pickle.load(open(user_file, 'rb'))
|
||
|
||
# 危险 - 通过网络接收
|
||
data = pickle.loads(request.data)
|
||
```
|
||
|
||
### Python YAML
|
||
```python
|
||
# 危险 - 不安全的yaml.load
|
||
import yaml
|
||
data = yaml.load(user_input) # 不带Loader参数
|
||
data = yaml.load(user_input, Loader=yaml.Loader) # 不安全的Loader
|
||
```
|
||
|
||
### Python Marshal
|
||
```python
|
||
# 危险
|
||
import marshal
|
||
code = marshal.loads(user_data)
|
||
```
|
||
|
||
### Java
|
||
```java
|
||
// 危险 - ObjectInputStream
|
||
ObjectInputStream ois = new ObjectInputStream(userInput);
|
||
Object obj = ois.readObject();
|
||
|
||
// 危险 - XMLDecoder
|
||
XMLDecoder decoder = new XMLDecoder(userInput);
|
||
Object obj = decoder.readObject();
|
||
```
|
||
|
||
### PHP
|
||
```php
|
||
// 危险
|
||
$data = unserialize($_POST['data']);
|
||
```
|
||
|
||
### Node.js
|
||
```javascript
|
||
// 危险 - node-serialize
|
||
var serialize = require('node-serialize');
|
||
var obj = serialize.unserialize(userInput);
|
||
```
|
||
|
||
## 攻击原理
|
||
```python
|
||
# Pickle RCE示例
|
||
import pickle
|
||
import os
|
||
|
||
class Exploit:
|
||
def __reduce__(self):
|
||
return (os.system, ('id',))
|
||
|
||
payload = pickle.dumps(Exploit())
|
||
# 反序列化时执行os.system('id')
|
||
```
|
||
|
||
## 检测要点
|
||
1. 搜索pickle.loads, yaml.load, unserialize
|
||
2. 检查数据来源是否可信
|
||
3. 检查是否有签名验证
|
||
4. 关注网络接收的序列化数据
|
||
|
||
## 安全实践
|
||
1. 避免反序列化不可信数据
|
||
2. 使用安全的序列化格式(JSON)
|
||
3. 使用yaml.safe_load()
|
||
4. 实现完整性检查(HMAC签名)
|
||
5. 使用白名单限制可反序列化的类
|
||
|
||
## 修复示例
|
||
```python
|
||
# 安全 - 使用JSON
|
||
import json
|
||
data = json.loads(user_input)
|
||
|
||
# 安全 - 使用safe_load
|
||
import yaml
|
||
data = yaml.safe_load(user_input)
|
||
|
||
# 安全 - 签名验证
|
||
import hmac
|
||
import pickle
|
||
|
||
def safe_loads(data, signature, key):
|
||
expected_sig = hmac.new(key, data, 'sha256').hexdigest()
|
||
if not hmac.compare_digest(signature, expected_sig):
|
||
raise ValueError("Invalid signature")
|
||
return pickle.loads(data)
|
||
```
|
||
""",
|
||
)
|