webProhard

Lab 379 — CrawlBase — Stored XSS to SSRF to Pickle Deserialization RCE

hackadvisor

Task: Flask web scraping platform with demo request form, admin bot, PycURL crawl worker supporting gopher://, and Redis-cached pickle-serialized job metadata. Solution: Chain stored XSS (Jinja2 |safe) → SSRF via gopher:// to Redis → inject malicious pickle into job metadata → trigger pickle.loads() for RCE → exfiltrate flag via demo request status update.

$ ls tags/ techniques/

flask ssrf rce stored_xss pickle deserialization admin_bot redis resp_protocol gopher pycurl jinja2_safe_filter crawl_worker multi_stage_exploit

stored_xss_via_jinja2_safe_filterssrf_via_gopher_protocolredis_cache_poisoning_via_resppickle_deserialization_rce_via_reducedata_exfiltration_via_application_featuremulti_stage_xss_chain

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 362 — LogPulse — Insecure Deserialization via Pickle Session Cookie— hackadvisor
[web][free]SecretPickle— gpnctf
[web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
[web][free]Secure Secretpickle— gpnctf
[web][Pro]Dosie X (Dossier X)— hackerlab