# (My challenge CTF) Black myth pickle

- Leak the admin password (ORM leak): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/ORM%20Leak#django-python
- Pickle deserialization:
  ![image](https://hackmd.io/_uploads/B1ALyesqyx.png)
- `UNSAFE_NAMES`: có thể bypass bằng cách:
  ![image](https://hackmd.io/_uploads/r1YiJljcye.png)
- `BLACKLISTED_NAMES`: target là lấy được flag -> tìm một class có thể dùng để list folder và đọc file -> class `_frozen_importlib_external.FileLoader`

```python
class FileLoader:

    """Base file loader class which implements the loader protocol methods that
    require file system usage."""

    def __init__(self, fullname, path):
        """Cache the module name and the path to the file found by the
        finder."""
        self.name = fullname
        self.path = path

    def __eq__(self, other):
        return (self.__class__ == other.__class__ and
                self.__dict__ == other.__dict__)

    def __hash__(self):
        return hash(self.name) ^ hash(self.path)

    @_check_name
    def load_module(self, fullname):
        """Load a module from a file.

        This method is deprecated. Use exec_module() instead.

        """
        # The only reason for this method is for the name check.
        # Issue #14857: Avoid the zero-argument form of super so the implementation
        # of that form can be updated without breaking the frozen module
        return super(FileLoader, self).load_module(fullname)

    @_check_name
    def get_filename(self, fullname):
        """Return the path to the source file as found by the finder."""
        return self.path

    def get_data(self, path):
        """Return the data from path as raw bytes."""
        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
            with _io.open_code(str(path)) as file:
                return file.read()
        else:
            with _io.FileIO(path, 'r') as file:
                return file.read()

    # ResourceReader ABC API.

    @_check_name
    def get_resource_reader(self, module):
        if self.is_package(module):
            return self
        return None

    def open_resource(self, resource):
        path = _path_join(_path_split(self.path)[0], resource)
        return _io.FileIO(path, 'r')

    def resource_path(self, resource):
        if not self.is_resource(resource):
            raise FileNotFoundError
        path = _path_join(_path_split(self.path)[0], resource)
        return path

    def is_resource(self, name):
        if path_sep in name:
            return False
        path = _path_join(_path_split(self.path)[0], name)
        return _path_isfile(path)

    def contents(self):
        return iter(_os.listdir(_path_split(self.path)[0]))
```

In this class, `contents()` lists the directory that holds `self.path` and `get_data(path)` returns the raw bytes of `path`. A name blocklist misses classes like this one, which is why a restricted unpickler should allowlist the permitted globals in `find_class` rather than enumerate forbidden names.