Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-6446 PoC — NumPy 代码问题漏洞

Source
https://github.com/RayScri/CVE-2019-6446
Associated Vulnerability
Title:NumPy 代码问题漏洞 (CVE-2019-6446)
Description:NumPy是一个Python科学计算包,它支持大量的维度数组与矩阵计算,同时针对数据运算提供大量的数学函数库。 NumPy 1.16.0及之前版本中存在安全漏洞,该漏洞程序没有安全地使用pickle模块(Python)。远程攻击者可借助特制的序列化对象利用该漏洞执行任意代码。
Description
Numpy deserialization command execution
Readme
## CVE-2019-6446 Numpy反序列化命令执行
NumPy是一个功能强大的Python库,主要用于对多维数组执行计算。大佬们分析称其版本小于等于1.16.0存在该漏洞,修复建议是删除lib/npyio.py中load函数的参数allow_pickle或将其值改为False就可以避免反序列化问题;在测试1.16.3(Mac/Windows)版本该load函数移除了allow_pickle参数。但依旧存在命令执行。
测试时最新版本为1.16.3

![如图](https://github.com/RayScri/CVE-2019-6446/blob/master/WechatIMG194.png)


Reference:https://mp.weixin.qq.com/s/9qwTTtQdpIjH8f0CcDYs6g
File Snapshot

 [4.0K]  /data/pocs/659e2d7889cd77dc2393305d6573808ee509cb6e
├── [ 388]  CVE-2019-6446.py
├── [ 606]  README.md
└── [286K]  WechatIMG194.png

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.