Python is a language powering an extraordinary number of applications, but here we're just going to focus on very common coding errors you're likely to find. These can be useful in cases of both web applications as well as local and exploiting any of these is incredibly context specific.

python2 input

In python 2, the input function worked in an interesting manner. It queried for user input, executed the input given to it directly, allowing us to, for example, have an integer returned directly from the result of the function. However, this also allowed any arbitrary code to be injected. In cases where you have a python 2 style input mechanism, simply write the following:


In python 3 this was removed, and raw_input from python 2 replaced it.

Module Overwrite

Consider the following program:

import base64
print base64.b64decode('VW5pY29ybidzIGFyZSBraWNrIGFzcyE=')

Running it will output a base64 decoded string:

[email protected]:~/pyexample# python
Unicorn's are kick ass!

Let's create a file called in the same folder and include within it the following:

def b64decode(oldinput):
    return 'Welcome to my Evil Function!'

Now we get a very different output:

[email protected]:~/pyexample# ls  base64.pyc
[email protected]:~/pyexample# python
Welcome to my Evil Function!

In module importing, the interpreter will first check the local directory before checking the installed modules. Consequently, it is more than possible to take over a python scripts execution, even if we don't have write-access to it.

A good reference for how these things work is this Stackoverflow post.

Pickle Deserialization

During pickle deserialization, it is possible to create a situation where arbitrary code is executed. This is because the reduce method defines how the object itself is de-serialized, and so will be executed when pickle.loads is called.

import subprocess
class BadPickle(object):
    def __reduce__(self):
        return (subprocess.check_output, (chars,))

print cPickle.dumps(BadPickle())

Further Reading

CTF Writeups

These are a collection of CTF writeups that may prove helpful if you find yourself against a Python Jail or environment. Since it's such a popular language a python jail, such as lshell, can be a surprisingly common vulnerability.

PlaidCTF - Pyjail with character restrictions

results matching ""

    No results matching ""