aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/celery/celery3_redis_unauth/README.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

57 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Celery <4.0 Redis unauthorized access + Pickle deserialization exploit
[中文版本(Chinese version)](./README.zh-cn.md)
Celery is a simple, flexible, and reliable distributed system that processes a large number of messages while providing the tools needed to operate and maintain such a system. It is a task queue focused on real-time processing and also supports task scheduling.
In Celery <4.0 version, Pickle is used by default for serialized task messages. When the queue servicee.g. Redis/RabbitMQ/RocketMQ used has an unauthorized access problem, the Pickle deserialization vulnerability can be used to execute arbitrary code.
## Vulnerability Environment
Execute the following command to start Celery 3.1.23 + Redis:
```bash
docker compose up -d
```
## Exploit
The exploit script `exploit.py` only supports use under python3
```bash
pip install redis
python exploit.py [Host IP]
```
View Results
```
docker compose logs celery
```
You can see the following task message error
![](a.png)
```bash
docker compose exec celery ls -l /tmp
```
You can see that the file `celery_success` was successfully created
![](b.png)
## Reference
https://docs.celeryproject.org/en/stable/userguide/configuration.html
https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk
https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers
https://www.jianshu.com/p/52552c075bc0
https://www.runoob.com/w3cnote/python-redis-intro.html
https://blog.csdn.net/SKI_12/article/details/85015803
Reference in New Issue View Git Blame Copy Permalink