Created
August 26, 2022 19:59
-
-
Save ookkee/e399f9c10e24f2f8b06f3a5dea06c247 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# found this from https://github.com/TheSnowWight/hackdocs/tree/master/misc/basic-python/bypass-python-sandboxes#recursive-search-of-builtins-globals | |
import os, sys # Import these to find more gadgets | |
SEARCH_FOR = { | |
# Misc | |
#"__globals__": set(), | |
#"builtins": set(), | |
#"__builtins__": set(), | |
#"open": set(), | |
# RCE libs | |
"os": set(), | |
"subprocess": set(), | |
#"commands": set(), | |
#"pty": set(), | |
#"importlib": set(), | |
#"imp": set(), | |
#"sys": set(), | |
#"pip": set(), | |
#"pdb": set(), | |
# RCE methods | |
"system": set(), | |
"popen": set(), | |
#"getstatusoutput": set(), | |
#"getoutput": set(), | |
#"call": set(), | |
#"Popen": set(), | |
#"popen": set(), | |
#"spawn": set(), | |
#"import_module": set(), | |
#"__import__": set(), | |
#"load_source": set(), | |
#"execfile": set(), | |
#"execute": set() | |
} | |
#More than 4 is veeery time consuming | |
MAX_CONT = 3 | |
#The ALREADY_CHECKED makes the script run much faster, but some solutions won't be find | |
#ALREADY_CHECKED = set() | |
def check_recursive(element, cont, name, orig_n, orig_i, execute): | |
# If bigger than maxium, stop | |
if cont > MAX_CONT: | |
return | |
# If already checked, stop | |
#if name and name in ALREADY_CHECKED: | |
# return | |
# Add to already checked | |
#if name: | |
# ALREADY_CHECKED.add(name) | |
# If found add to the dict | |
for k in SEARCH_FOR: | |
if k in dir(element) or (type(element) is dict and k in element): | |
SEARCH_FOR[k].add(f"{orig_i}: {orig_n}.{name}") | |
# Continue with the recursivity | |
for new_element in dir(element): | |
try: | |
check_recursive(getattr(element, new_element), cont+1, f"{name}.{new_element}", orig_n, orig_i, execute) | |
# WARNING: Calling random functions sometimes kill the script | |
# Comment this part if you notice that behaviour!! | |
if execute: | |
try: | |
if callable(getattr(element, new_element)): | |
check_recursive(getattr(element, new_element)(), cont+1, f"{name}.{new_element}()", orig_i, execute) | |
except: | |
pass | |
except: | |
pass | |
# If in a dict, scan also each keys, very important | |
if type(element) is dict: | |
for new_element in element: | |
check_recursive(element[new_element], cont+1, f"{name}[{new_element}]", orig_n, orig_i) | |
def main(): | |
print("Checking from empty string...") | |
total = [""] | |
for i,element in enumerate(total): | |
print(f"\rStatus: {i}/{len(total)}", end="") | |
cont = 1 | |
check_recursive(element, cont, "", str(element), f"Empty str {i}", True) | |
print() | |
print("Checking loaded subclasses...") | |
total = "".__class__.__base__.__subclasses__() | |
for i,element in enumerate(total): | |
print(f"\rStatus: {i}/{len(total)}", end="") | |
cont = 1 | |
check_recursive(element, cont, "", str(element), f"Subclass {i}", True) | |
print() | |
print("Checking from global functions...") | |
total = [print, check_recursive] | |
for i,element in enumerate(total): | |
print(f"\rStatus: {i}/{len(total)}", end="") | |
cont = 1 | |
check_recursive(element, cont, "", str(element), f"Global func {i}", False) | |
print() | |
print(SEARCH_FOR) | |
if __name__ == "__main__": | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment