Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Escaping the python sandbox

1,760 views

Published on

There’s two things I really like: Capture the flag competitions and Python.
Fortunately, I have found out that there are challenges that combine both.
In my session I will talk about challenges from 3 different CTF competitions and about the upgraded challenges I wrote from PwCTF.
I will explain the difficulties of creating Python Sandbox and I will show the security issues in the wild.

Things you will learn from my session:
* Why Python Sandbox is a bad idea
* How to exploit Python Sandbox using knowledge of Python language to execute code remotely
* Why it’s hard to protect Python from code execution using Web Application Firewall
* At the end of the session you will get 3 pySandbox challenges to solve in order to check your abilities

Published in: Software
  • Be the first to comment

  • Be the first to like this

Escaping the python sandbox

  1. 1. $ • • • • • @realgam3 • https://linkedin.com/in/realgam3 • https://github.com/realgam3
  2. 2. Objects
  3. 3. from __future__ import print_function targets = __builtins__.__dict__.keys() targets.remove('raw_input') targets.remove('print') for x in targets: del __builtins__.__dict__[x]
  4. 4. banned = [ "import", "exec", "eval", "pickle", "os", "subprocess", "kevin sucks", "input", "banned", "cry sum more", "sys" ]
  5. 5. https://Links • http://pyconil2018.realgame.co.il • https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90- 5-PySandbox.pdf • https://github.com/vstinner/pysandbox • https://nvisium.com/blog/2016/03/09/exploring-ssti-in- flask-jinja2.html
  6. 6. If You Really Like CTF Challenges

×