Pickle Code Execution
This exercise covers the exploitation of Python's pickle module when it is used to deserialize untrusted data.
The lab begins with an introduction to object serialization in Python using the pickle library, explaining how applications use serialization for easy storage and retrieval of object instances. It highlights the risk that arises when a malicious user can tamper with serialized data, which can lead to severe consequences such as remote code execution. You will learn to identify and exploit such vulnerabilities by creating a malicious pickle object that binds a shell to a port and executes commands.
The exercise walks through examining how a web application handles pickled data, specifically within a "Remember me" function. It explains how to create and encode a malicious object, and how to inject it into the application to achieve code execution. Through this exercise, you will gain an understanding of the importance of scrutinizing custom code for vulnerabilities, as it is often less secure than the framework's native code.
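From the reviewer's side, a "Remember me" value can be inspected without ever unpickling it. The following is an added example, not code from the exercise: it disassembles a cookie value with `pickletools.genops()` and reports the opcodes that import names or invoke callables during loading. The function name, the base64 encoding and the sample cookies are assumptions constructed for illustration.

```python
import base64
import collections
import pickle
import pickletools

# Opcodes that import a name or invoke a callable while a pickle is loaded.
# A cookie that only carries plain data (dict, str, int, bool) needs none of them.
RISKY_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def risky_opcodes(cookie_value):
    """Return the sorted risky opcode names in a base64-encoded pickle.

    The stream is only disassembled; it is never passed to pickle.loads(),
    so nothing it references is imported or called.
    """
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        found = {op.name for op, _arg, _pos in pickletools.genops(raw)}
    except Exception:
        # Not valid base64, or not a well-formed pickle stream.
        return ["UNPARSEABLE"]
    return sorted(found & RISKY_OPCODES)


def sample_cookies():
    """Constructed sample values (assumed base64 encoding, benign content)."""
    plain = pickle.dumps({"user": "alice", "remember": True}, protocol=4)
    # Any class instance makes the stream reference an importable name.
    with_class = pickle.dumps(collections.OrderedDict(user="alice"), protocol=4)
    return {
        "plain": base64.b64encode(plain).decode(),
        "with_class": base64.b64encode(with_class).decode(),
        "garbage": "not base64!!",
    }


if __name__ == "__main__":
    for name, value in sample_cookies().items():
        print(name, risky_opcodes(value))
```

A non-empty result means loading the value would import or call something chosen by whoever produced the cookie. This is a triage check for code review and logging, not a safe loader; client-held state is better carried in a data-only format such as JSON with an integrity check.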