
Basically I am doing a POC against the Python eval security issue, but I am getting the below error:

Traceback (most recent call last):
 File "exploit.py", line 11, in <module>
  a = paste()
 File "exploit.py", line 6, in paste
  if eval('%s > 1' % a):
 File "<string>", line 1
import os;os.system('pwd') > 1
     ^
SyntaxError: invalid syntax

Code:

import datetime

def paste():
    a = "import os;os.system('pwd')"
    if eval('%s > 1' % a):
       print a
    else:
       #create_brew(request.json)
       return None, 201
a = paste()
print a

Can anyone help me with how to import libraries inline?

1 Answer


eval works on expressions. Use exec to execute a statement [import is a statement].

Also note that you cannot assign exec to a variable.

>>> exec('import os;data = os.getcwd()')
>>> print(data)
/path/of/your/cwd

You may use the variable data to continue with your tests.


Taking the liberty to edit your code as follows:

def paste():
    # In Python 3, exec() cannot rebind a function's local variables, so
    # give it an explicit namespace and read the result back from there.
    ns = {}
    exec('import os;data = os.getcwd()', ns)
    data = ns.get('data')
    if data:
        return data
    else:
        return None, 201


a = paste()

print(a)
Nidhin Bose J.
  • Can you clarify a bit more? You mean like `a = "exec(import os;os.system('pwd'))"`? – amiTheregroot Jul 26 '19 at 03:20
  • Updated my answer. You cannot assign it as you do with eval. Note that eval will return None nevertheless. https://docs.python.org/3/library/functions.html#eval – Nidhin Bose J. Jul 26 '19 at 03:23
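An added example (not code from the question or the answer above): the `eval('%s > 1' % a)` pattern from the question beside a hardened version that parses the input as a numeric literal instead of evaluating it, with a small `outcome` helper (assumed name) to show how each one treats the question's input.

```python
# Added example: the eval()-based comparison from the question next to a
# hardened form that never evaluates caller-supplied text as code.
import ast


def compare_with_eval(a):
    """The pattern from the question: string-format user input into eval().

    Whatever `a` contains becomes part of the expression eval() parses. A
    statement such as `import` cannot appear inside an expression, which is
    why the question's input raises SyntaxError instead of running.
    """
    return bool(eval('%s > 1' % a))


def compare_safely(a):
    """Hardened form: parse the input as a number, then compare in Python.

    ast.literal_eval accepts only literals (numbers, strings, tuples, ...),
    so it can neither call functions nor import modules; anything that is
    not a plain number is rejected with ValueError rather than evaluated.
    """
    try:
        value = ast.literal_eval(str(a).strip())
    except (ValueError, SyntaxError):
        raise ValueError('expected a numeric literal, got %r' % (a,))
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError('expected a numeric literal, got %r' % (a,))
    return value > 1


def outcome(func, a):
    """Label how func handles the input a: a result or the exception type."""
    try:
        return 'result:%s' % func(a)
    except SyntaxError:
        return 'SyntaxError'
    except ValueError:
        return 'ValueError'


if __name__ == '__main__':
    # Constructed sample inputs: two numbers and the string from the question.
    samples = ['5', '0', "import os;os.system('pwd')"]
    for s in samples:
        print('%-30r eval=%-12s safe=%s' % (
            s, outcome(compare_with_eval, s), outcome(compare_safely, s)))
```

The eval version accepts any expression at all and only fails on the question's input because it is a statement; the hardened version accepts nothing but a number.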