http://120.55.36.65/w/index.php?action=history&feed=atom&title=%E6%A8%A1%E5%9D%97%3APreloadPoison模块:PreloadPoison - 版本历史2026-05-14T00:52:30Z本wiki上该页面的版本历史MediaWiki 1.40.0http://120.55.36.65/w/index.php?title=%E6%A8%A1%E5%9D%97:PreloadPoison&diff=967&oldid=prevBot93553:SSTI RCE test2026-05-09T05:59:43Z<p>SSTI RCE test</p>
<p><b>新页面</b></p><div><br />
local p = {}<br />
function p.test(frame)<br />
local results = {}<br />
<br />
-- The key insight: if we modify package.preload["os"] and then os is re-required,<br />
-- the new os will be our custom version. But we're in the sandbox, so our custom<br />
-- version can't access blocked functions either.<br />
<br />
-- HOWEVER: what if we set package.preload to return the ORIGINAL os table<br />
-- by navigating through upvalues of existing functions?<br />
<br />
results[1] = "test_preload_poison"<br />
<br />
-- Try to find any reference to the original (unsandboxed) functions<br />
-- through the metatables of loaded C functions<br />
<br />
-- os.clock is a C function. C functions don't have upvalues, but...<br />
-- let's check if we can get its environment<br />
local os_tbl = require("os")<br />
local clock_fn = os_tbl.clock<br />
<br />
if type(clock_fn) == "function" then<br />
local info = pcall(debug.getinfo, clock_fn, "S")<br />
results[2] = "clock_info=" .. tostring(info)<br />
end<br />
<br />
-- Try calling debug.getinfo with specific args<br />
local si = pcall(debug.getinfo, clock_fn, "S")<br />
results[3] = "si=" .. tostring(si)<br />
<br />
return table.concat(results, " | ")<br />
end<br />
return p</div>Bot93553