Set up a quick docker container with python2 and ply installed to test.
Check out the source code.
First thing we want to find is how the tokens are turned
into python, since we ideally just want to write python.
We find that tokens of type INLINE are directly injected.
Looking at INLINE tokens we find some which are useful
for calling functions:
"ARGZ": ("INLINE", "_lol_sys.argv"),
"THINGZ": ("INLINE", "()"), # invisible tuple didn't sound right
"THING": ("INLINE", "()"), # sometimes it's better in singular form
"MY": ("INLINE", "self."),
"MYSELF": ("INLINE", "(self)"),
Looks like the sys module was imported as _lol_sys.
The other tokens allow us to call functions.
Variables are injected directly too. This allows us to call
builtins by specifying the builtin name, followed by THING.
Since we just want to run python code directly we'd
like to call `eval` with a string. Strings are
injected directly after some escape character checks.
In the inline tokens we saw there is one that allows
us to pass an argument: MYSELF. For that we need
to define self. Let's do that as a simple variable
instead of the normal definition of self.
We find we can define self using CAN HAS.
We can print the result of the eval using VISIBLE.
Thus our payload becomes:
self CAN HAS '<PYTHON-CODE>'
VISIBLE eval MYSELF
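The root cause above is that the translator pastes INLINE fragments, variable names and string literals straight into generated Python, so anything the generated text names (eval, the _lol_sys alias) is reachable. The following is an added example, not LOLPython's own code: a toy model of that token-to-Python concatenation (the INLINE table copies the entries quoted above; the handling of CAN HAS, VISIBLE, names and strings is a simplified assumption, written for Python 3), followed by an AST gate a maintainer could run on the translated source before executing it. The gate flags the payload above while letting a plain VISIBLE of a string through.

```python
"""Toy model of INLINE token injection plus an AST gate on the output.

Added example, not LOLPython's own code. The INLINE table copies the
entries quoted in the writeup; everything else about translate() is a
simplified assumption about how fragments are concatenated.
"""
import ast
import shlex

# INLINE fragments quoted in the writeup: the translator pastes the
# Python text straight into the generated source.
INLINE = {
    "ARGZ": "_lol_sys.argv",
    "THINGZ": "()",
    "THING": "()",
    "MY": "self.",
    "MYSELF": "(self)",
}

# Builtins that turn a string into executed code; calls to these in
# the translated output are what the gate refuses.
DANGEROUS_CALLS = {"eval", "exec", "compile", "__import__"}
# The alias the writeup says the sys module was imported under.
RESTRICTED_NAMES = {"_lol_sys"}


def translate(line):
    """Simplified translation of one LOLPython line into Python.

    Assumed behaviour (a model, not the real translator):
      'X CAN HAS expr' -> 'X = expr'
      'VISIBLE expr'   -> 'print(expr)'
      INLINE tokens    -> their fragment
      anything else (names, quoted strings) is copied through unchanged,
      matching the writeup's observation that variables and strings are
      injected directly.
    """
    toks = shlex.split(line, posix=False)  # keep the quotes on strings
    out = []
    close = ""
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "CAN" and toks[i + 1:i + 2] == ["HAS"]:
            out.append("=")
            i += 2
        elif t == "VISIBLE":
            out.append("print(")
            close = ")"
            i += 1
        else:
            out.append(INLINE.get(t, t))
            i += 1
    return " ".join(out) + close


def find_dangerous(python_src):
    """Return the flagged callables/names found in translated Python.

    Walks the AST rather than grepping text, so 'eval (self)' with odd
    spacing is still caught, and string contents are not false positives.
    """
    hits = []
    for node in ast.walk(ast.parse(python_src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS_CALLS):
            hits.append(node.func.id)
        elif isinstance(node, ast.Name) and node.id in RESTRICTED_NAMES:
            hits.append(node.id)
    return hits


def gate_program(lines):
    """Translate a list of LOLPython lines; return (python_src, hits).

    A caller should refuse to exec python_src when hits is non-empty.
    """
    src = "\n".join(translate(l) for l in lines)
    return src, find_dangerous(src)


if __name__ == "__main__":
    # Constructed input: the payload shape from the writeup, plus a
    # harmless program for comparison.
    for prog in (["self CAN HAS '1+1'", "VISIBLE eval MYSELF"],
                 ["VISIBLE 'hai'"]):
        src, hits = gate_program(prog)
        print(repr(src), "->", "REFUSED " + str(hits) if hits else "ok")
```

The model shows why name-level filtering at the token layer is fragile: nothing in the LOLPython source spells out a call to eval except a bare identifier, so the only reliable place to check is the generated Python, where the call is an explicit ast.Call node.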