notes (1357B)
Set up a quick docker container with python2 and ply installed to test..

Check out the source code..

First thing we want to find is how the tokens are turned into python, since we ideally just want to write python.

We find that tokens of type INLINE are directly injected.

Looking at INLINE tokens we find some which are useful for calling functions:

    "ARGZ": ("INLINE", "_lol_sys.argv"),
    "THINGZ": ("INLINE", "()"), # invisible tuple didn't sound right
    "THING": ("INLINE", "()"), # sometimes it's better in singular form
    "MY": ("INLINE", "self."),
    "MYSELF": ("INLINE", "(self)"),

Looks like the sys module was imported as _lol_sys. The other tokens allow us to call functions.

Variables are injected directly too.. this allows us to call builtins by specifying the builtin name, followed by THING.

Since we just want to run python code directly we'd like to call `eval` with a string. Strings are injected directly after some escape character checks.

In the inline tokens we saw there is one that allows us to pass an argument.. MYSELF. For that we need to define self.. Let's do that as a simple variable instead of the normal definition of self.

We find we can define self using CAN HAS.. We can print the result of the eval using VISIBLE..

Thus our payload becomes:

    self CAN HAS '<PYTHON-CODE>'
    VISIBLE eval MYSELF
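The root cause in the notes is a source-to-source translator that copies user identifiers and string contents straight into the generated Python, so a user variable named `eval` simply is Python's `eval`. As an added example (constructed here, not the project's code), the miniature translator below handles a CAN HAS / VISIBLE / THING / MYSELF subset and closes that gap in three ways: every user identifier is mangled into a private `_lol_var_` namespace so it can never alias a builtin, string literals are re-emitted through `repr()` rather than copied verbatim, and any reference to a name the program never declared is rejected at translation time. The statement grammar, the `_lol_var_` prefix and the function names are assumptions of this example.

```python
import re

# Constructed miniature of a LOL-style to Python translator. Assumed grammar:
#   <name> CAN HAS <expr>      assignment
#   VISIBLE <expr>             print
#   <expr> := ( 'string' | <name> | <digits> | THING | MYSELF )+

TOKEN_RE = re.compile(r"""'(?:[^'\\]|\\.)*'|\S+""")   # single-quoted literal or bare word
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
INLINE = {"THING": "()", "THINGZ": "()"}           # fixed syntax tokens, modelled on the notes
PREFIX = "_lol_var_"                                # private namespace for user variables


class TranslationError(Exception):
    pass


def mangle(name):
    # A user name is never emitted bare: 'eval' becomes '_lol_var_eval'.
    return PREFIX + name


def unescape(literal):
    # Strip the quotes and resolve backslash escapes; the value is then re-encoded
    # with repr(), so the literal's text never reaches the generated source directly.
    if len(literal) < 2 or not literal.endswith("'"):
        raise TranslationError("unterminated string literal")
    return re.sub(r"\\(.)", lambda m: m.group(1), literal[1:-1])


def emit_expr(tokens, declared):
    """Emit a Python expression; identifiers must be declared user variables."""
    parts = []
    for tok in tokens:
        if tok.startswith("'"):
            parts.append(repr(unescape(tok)))
        elif tok in INLINE:
            parts.append(INLINE[tok])
        elif tok == "MYSELF":
            if "self" not in declared:
                raise TranslationError("MYSELF used before self was declared")
            parts.append("(" + mangle("self") + ")")
        elif IDENT_RE.match(tok):
            if tok not in declared:
                # This is the check that blocks the notes' payload: 'eval' is not a
                # user variable, so it is refused instead of resolving to the builtin.
                raise TranslationError("undeclared variable: " + tok)
            parts.append(mangle(tok))
        elif re.fullmatch(r"\d+", tok):
            parts.append(tok)
        else:
            raise TranslationError("unexpected token: " + tok)
    return "".join(parts)


def translate(source):
    """Translate a whole program, tracking which names have been declared so far."""
    declared = set()
    out = []
    for lineno, line in enumerate(source.splitlines(), 1):
        tokens = TOKEN_RE.findall(line)
        if not tokens:
            continue
        try:
            if len(tokens) >= 3 and tokens[1:3] == ["CAN", "HAS"]:
                name = tokens[0]
                if not IDENT_RE.match(name):
                    raise TranslationError("bad variable name: " + name)
                rhs = emit_expr(tokens[3:], declared)   # rhs resolved before name is declared
                declared.add(name)
                out.append(f"{mangle(name)} = {rhs}")
            elif tokens[0] == "VISIBLE":
                out.append(f"print({emit_expr(tokens[1:], declared)})")
            else:
                raise TranslationError("unknown statement")
        except TranslationError as e:
            raise TranslationError(f"line {lineno}: {e}") from None
    return "\n".join(out)


def check(source):
    """Return None if the program translates cleanly, else the error message."""
    try:
        translate(source)
    except TranslationError as e:
        return str(e)
    return None


def run(source):
    """Translate and execute, returning the resulting namespace for inspection."""
    ns = {}
    exec(translate(source), ns)
    return ns


if __name__ == "__main__":
    print(translate("msg CAN HAS 'hai world'\nVISIBLE msg"))
    print(check("self CAN HAS '1+1'\nVISIBLE eval MYSELF"))   # refused at translation time
```

The ordering in `translate` matters: the right-hand side of CAN HAS is resolved before the name is added to `declared`, so `x CAN HAS x` is refused rather than silently emitting a reference to an unbound name. Mangling alone would already stop a user name from reaching a builtin; the undeclared-name check adds a compile-time error instead of a runtime NameError, which is easier to test and to audit.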