5.2.3. Sandbox

5.2.3.1. Common functions

  • eval / exec / compile

  • dir / type

  • globals / locals / vars

  • getattr / setattr

5.2.3.2. Ways to import a package

  • import os

  • from os import *

  • __import__("os")

  • importlib

  • imp

  • reload(os)

  • execfile (Python 2 only)

5.2.3.3. Bypass

  • dir(__builtins__): view which built-in names and modules are still available

  • The simplest idea is to look inside a module that is already imported: if that module has itself imported a usable module, the usable module can be reached through it.

  • Look for usable classes and modules by walking up the class hierarchy; the most common payload is ().__class__.__bases__[0].__subclasses__(). Alternatively, use magic attributes to reach the global scope, e.g. __init__.__func__.__globals__

  • Some sites do not filter the pickle module, and pickle deserialization can execute arbitrary code. Payloads can be generated with https://gist.github.com/freddyb/3360650

  • In some sandboxes the relevant module code has been removed; the functions in libc can then be used instead, and they are generally called from Python through ctypes or cffi.

  • Adjacent string literals are concatenated by the parser: "A""B" == "AB"
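As an added example (not code from the original wiki page), the checker below contrasts a word-based blacklist with an AST walk over the constructs listed above: the subclass walk and the split-literal trick slip past the blacklist but not the AST check. The risky-name sets, the two sample sources and the function names are constructed for this illustration.

```python
import ast
import re

# Builtins and modules the section above lists as sandbox-relevant (constructed sets).
RISKY_NAMES = {"eval", "exec", "compile", "__import__", "globals", "locals",
               "vars", "getattr", "setattr", "execfile", "reload"}
RISKY_MODULES = {"os", "pickle", "ctypes", "cffi", "importlib", "imp"}


def word_blacklist(src):
    """Naive filter: reports blacklisted words that appear whole in the source text."""
    return sorted(w for w in RISKY_NAMES | RISKY_MODULES
                  if re.search(rf"\b{re.escape(w)}\b", src))


def ast_findings(src):
    """Parse the source and report constructs a sandbox should reject."""
    found = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            found.update(f"import:{a.name}" for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            found.add(f"import:{node.module}")
        elif isinstance(node, ast.Name) and node.id in RISKY_NAMES:
            found.add(f"name:{node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            found.add(f"dunder:{node.attr}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Adjacent literals ("A""B") reach the AST already joined, so
            # split-string tricks do not hide the real value from this check.
            if node.value.startswith("__") or node.value in RISKY_MODULES:
                found.add(f"string:{node.value}")
    return sorted(found)


# Constructed samples: the first is the subclass walk quoted in the section,
# the second splits string literals to dodge a word filter (d is a hypothetical dict).
SUBCLASS_WALK = "().__class__.__bases__[0].__subclasses__()"
SPLIT_LITERALS = 'd["__imp""ort__"]("o""s")'

if __name__ == "__main__":
    for src in (SUBCLASS_WALK, SPLIT_LITERALS, "import os"):
        print(src, "| blacklist:", word_blacklist(src), "| ast:", ast_findings(src))
```

The plain `import os` line is caught by both checks; the two evasions are caught only by the AST walk, which is why a sandbox should reason about parsed structure rather than source text.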

5.2.3.4. Defense

The official Python documentation gives some defense suggestions:

  • Use Jython and rely on the Java platform's security model to lock down a program's permissions

  • Use fakeroot to avoid

  • Use some rootjail techniques