That One Silly Python Feature Hackers Love (and Devs Hate)
Python is an amazing language. It’s clean, elegant, and super beginner-friendly.
…until you stumble across one of its cursed features and realize “oh no, this is how hackers get RCE.”
Today’s silly Python feature: you can import literally anything, from anywhere.
Wait… I Can Do That?
Normally in Python, you import modules at the top like a responsible developer:
import os
os.system("ls")
But what if I told you… you can just conjure up imports on the fly, without ever writing import at the top?
Yep. Python lets you do this:
os = __import__("os")
os.system("echo hello, world")
Boom. No import os in sight, but suddenly you’ve got os and all its goodies.
This is silly and fun… until you realize it’s also nightmare fuel if your server is evaluating untrusted input.
Enter the MRO Black Magic 🧙‍♂️
Python has something called the Method Resolution Order (MRO). It’s basically the order Python looks through classes to find methods/attributes.
Hackers realized: “Wait… if everything in Python is an object… and objects know their classes… and classes know their base classes… can’t we… uh… walk through this graph until we find __subclasses__ and then pull imports out of thin air?”
Yes. Yes, you can.
Something like this (simplified for the memes):
().__class__.__base__.__subclasses__()
That one-liner is like the Konami code for Python internals. From there, attackers can dig up file handles, os, sys, subprocess… whatever they need.
Why Hackers Love This
If you’ve ever played with:
- SSTI (Server-Side Template Injection) in Flask/Jinja2
- RCE (Remote Code Execution) on a misconfigured Python service
…then you’ve probably seen this trick in action.
You think you’ve locked down Python?
Nah. Some hacker just did ().__class__.__base__.__subclasses__()[1337] and spawned a shell on your server.
But Why Is This a Problem?
Because developers sometimes write innocent-looking server code like this:
from flask import Flask, request
app = Flask(__name__)
@app.route("/calc")
def calc():
    return str(eval(request.args.get("expr")))
And then wonder why their logs suddenly say:
$ curl "http://example.com/calc?expr=__import__('os').system('rm -rf /')"
😬
The Actual Pro Tip
If you’re building anything in Python that runs on the internet:
- 🚫 Never eval() user input. Ever.
- 🚫 Never trust template engines to “sanitize for you.”
- ✅ Sanitize, whitelist, and validate everything.
- ✅ Assume hackers will try __import__() from inside your app.
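What “whitelist and validate” looks like for the /calc endpoint above, as an added example that is not part of the original post: parse the expression with the ast module and walk only a short list of allowed node types, so the __import__ and __class__.__base__.__subclasses__() payloads from this post are refused before anything runs. Flask is left out so the snippet runs stand-alone; safe_calc is what the route would call instead of eval.

```python
import ast
import operator

# Whitelist of what a calculator may do: numbers, + - * / % and unary sign.
# ast.Pow is left out on purpose: "9**9**9" pins the CPU before anything
# "unsafe" even happens, and a deny-list of operators is the wrong way round.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class RejectedExpression(ValueError):
    """Raised for anything that is not a plain arithmetic expression."""


def _eval_node(node: ast.AST):
    # Numbers only; bool is a subclass of int, so it has to be excluded explicitly.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Name, Attribute, Call, Subscript, strings, comprehensions, ...: every
    # __import__ / __subclasses__ trick ends up here and is refused.
    raise RejectedExpression(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr: str, max_len: int = 200):
    """Evaluate a user-supplied arithmetic expression without calling eval()."""
    if len(expr) > max_len:  # also bounds parser recursion on nested parens
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")  # parse only; nothing is executed
    except (SyntaxError, ValueError) as exc:
        raise RejectedExpression("not a valid expression") from exc
    try:
        return _eval_node(tree.body)
    except ZeroDivisionError as exc:
        raise RejectedExpression("division by zero") from exc


def is_rejected(expr: str) -> bool:
    """True if safe_calc refuses the expression (useful for tests and logging)."""
    try:
        safe_calc(expr)
    except RejectedExpression:
        return True
    return False


if __name__ == "__main__":
    print(safe_calc("2 * (3 + 4)"))                                      # 14
    print(is_rejected("__import__('os').system('echo hello, world')"))  # True
```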
Final Thoughts
Python is wonderful… but also cursed. The fact that you can import modules without importing them is equal parts genius and dangerous.
So next time you’re writing a Flask app and think: “It’s just a tiny eval, what’s the worst that could happen?”, remember: somewhere out there, a hacker is already typing:
__import__('os').system('cat /etc/passwd')
…and you just turned your server into their personal playground. 😢
TL;DR: Python imports are silly, MRO is hacker magic, and you should sanitize your server code before someone “imports chaos.”