
How to bypass ascii_letters and run the code in eval

Çağlar Arlı

I have the following code:

# Imports, app object and route wrapper assumed here: the post shows only the
# body of a Flask view function.
from string import ascii_letters
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'POST':
        exp = request.form['Expression']
        # Reject the request if any ASCII letter appears in the submitted text
        for i in exp:
            if i in ascii_letters:
                return render_template('index.html',
                                       exp='',
                                       result="Only [0-9] and special characters")
        try:
            result = eval(exp)
        except Exception as e:
            result = 'Something went wrong'

        return render_template('index.html', exp=exp, result=result)

    else:
        return render_template('index.html', exp='', result='')

What can I do to execute a shell command?

  • I tried something like this: "\145\170\145\143(__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163'))"
    • Output: exec(__import__('os').system('ls'))
  • If I change the input data to something like this: "\145\170\145\143("__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163')")
    • Output: Something went wrong