案例1
def make_secure():
UNSAFE = ['open',
'file',
'execfile',
'compile',
'reload',
'__import__',
'eval',
'input']
for func in UNSAFE:
del __builtins__.__dict__[func]
from re import findall
# Remove dangerous builtins
make_secure()
print 'Go Ahead, Expoit me >;D'
while True:
try:
print ">>>",
# Read user input until the first whitespace character
inp = findall('\S+', raw_input())[0]
a = None
# Set a to the result from executing the user input
exec 'a=' + inp
print '>>>', a
except Exception, e:
print 'Exception:', e
下面是脚本运行的效果。
效果相当于python的命令界面,我们的目标是读取当前目录下的flag文件。
如果题目没有任何的过滤,读取的命令如下,导入os包,然后直接执行命令。
但是直接导入os会报错,如下图
因为 del 命令删除了对应的命令,如下图
看了Ned Batchelder的分享后学到了新知识。我们可以用file对象read文件
下面是元类和元类型详细信息,元组,子对象
由于file在索引40,我们可以硬编码。如下图
用file类型读取flag文件。
案例2
#!/usr/bin/env python
from __future__ import print_function
print("Welcome to my Python sandbox! Enter commands below!")
banned = [
"import",
"exec",
"eval",
"pickle",
"os",
"subprocess",
"kevin sucks",
"input",
"banned",
"cry sum more",
"sys"
]
targets = __builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
del __builtins__.__dict__[x]
while 1:
print(">>>", end=' ')
data = raw_input()
for no in banned:
if no.lower() in data.lower():
print("No bueno")
break
else: # this means nobreak
exec data
相对于第一题,第二题是没有直接的回显。
我们可以用catch_warnings类(索引在59),进行命令执行。
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')
案例3
# -*-coding:utf-8-*-
#!/usr/bin/python3
import sys, cmd, os
del __builtins__.__dict__['__import__']
del __builtins__.__dict__['eval']
intro = """
pwnhub cuit
pwn everything
Rules:
-No import
-No ...
-No flag
"""
def execute(command):
exec(command, globals())
class Jail(cmd.Cmd):
prompt = '>>> '
filtered = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|')
def do_EOF(self, line):
sys.exit()
def emptyline(self):
return cmd.Cmd.emptyline(self)
def default(self, line):
sys.stdout.write('\x00')
def postcmd(self, stop, line):
if any(f in line for f in self.filtered):
print("You are a big hacker !!!")
print("Go away")
else:
try:
execute(line)
except NameError:
print("NameError: name '%s' is not defined" % line)
except Exception:
print("Error: %s" % line)
return cmd.Cmd.postcmd(self, stop, line)
if __name__ == "__main__":
try:
Jail().cmdloop(intro)
except KeyboardInterrupt:
print("\rSee you next time !")
这题是cuit2017的题目,python3环境。
这里主要过滤了大量的字符,包括1,2题所用的点号。
- print(getattr(os, “system”)
获取system函数地址,
- print(getattr(os, “system”)(“ls”))
执行system(“ls”)
下面是获取flag的姿势
以上都是利用Python作为脚本语言的特性来逃逸