How to bypass ascii_letters and run the code in eval

Çağlar Arlı

I have the following code:

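    from string import ascii_letters

    from flask import Flask, render_template, request

    app = Flask(__name__)

    # Route path and function name are assumed; the post shows only the body.
    @app.route('/', methods=['GET', 'POST'])
    def index():
        if request.method == 'POST':
            exp = request.form['Expression']
            # Reject any input that contains an ASCII letter
            for i in exp:
                if i in ascii_letters:
                    return render_template('index.html', exp='', result="Only [0-9] and special characters")
            try:
                # The filtered user input is passed straight to eval()
                result = eval(exp)
            except Exception:
                result = 'Something went wrong'

            return render_template('index.html', exp=exp, result=result)

        else:
            return render_template('index.html', exp='', result='')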

What can I do to execute a shell command?

I tried something like this:

    "\145\170\145\143(__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163'))"

result:

    exec(__import__('os').system('ls'))

If I change the input data to something like this

    \145\170\145\143("__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163')")

result:

    Something went wrong
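
The letter filter in the code above does not limit what `eval()` parses: the first input is a quoted string whose octal escapes are decoded and returned as text, and the second fails to parse because escapes are only valid inside a string literal. As an added example (not part of the original post), a calculator endpoint can replace `eval()` with an allowlist walk over the parsed AST; the names `safe_eval` and `RejectedExpression` and the three limits are assumptions of this sketch.

```python
import ast
import operator

# Arithmetic the calculator may perform (assumed feature set for this example).
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 200              # assumed limit on input length
MAX_EXPONENT = 64          # assumed cap so 9**9**9 cannot exhaust CPU or memory
MAX_MAGNITUDE = 10 ** 100  # assumed cap on every intermediate result


class RejectedExpression(ValueError):
    """The input is not plain arithmetic on numeric literals."""


def _check(value):
    # Reject complex results and runaway magnitudes after every operation.
    if type(value) not in (int, float) or abs(value) > MAX_MAGNITUDE:
        raise RejectedExpression("result out of range")
    return value


def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return _check(node.value)  # str, bytes, bool and None are refused
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise RejectedExpression("exponent too large")
        return _check(BIN_OPS[type(node.op)](left, right))
    # Calls, names, attributes, subscripts, strings, lambdas: all refused.
    raise RejectedExpression("unsupported syntax: " + type(node).__name__)


def safe_eval(expression):
    """Evaluate arithmetic without eval(); raise RejectedExpression otherwise."""
    if len(expression) > MAX_LEN:
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(expression.strip(), mode="eval")
        return _eval_node(tree.body)
    except (SyntaxError, ValueError, ArithmeticError, RecursionError) as exc:
        raise RejectedExpression(str(exc)) from exc
```

In the view, `result = eval(exp)` becomes `result = safe_eval(exp)` with `RejectedExpression` handled in the existing `except` branch, and the character loop is no longer what the endpoint's safety depends on.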