Today I’m presenting you some research I’ve done recently into the Python 3 eval protections.
It’s been covered before, but it surprised me to find that most of the info I could find was only applicable for earlier versions of Python and no longer work, or suggested solutions would not work from an attacker perspective inside of eval since you need to express it as a single statement.
Since these break every so often, I’ve gone to some length to describe how I arrived at my conclusions to hopefully proverbially ‘teach you how to fish’ so you can work out your own technique should any of the exact solutions I arrived at break in the future.
I have also included a copy-and-paste section at the end of this if you’re in a hurry.
FleTime
