Coding on s4yhii's blog https://blog.s4yhii.com/tags/coding/ Recent content in Coding on s4yhii's blog s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Tue, 05 Jul 2022 12:00:00 -0400 Vulnerabilities in Python Code https://blog.s4yhii.com/posts/2022-07-05-injections-in-python/ Tue, 05 Jul 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-07-05-injections-in-python/ <h1 id="os-command-injection">OS Command Injection</h1> <h2 id="vulnerable-example">Vulnerable Example</h2> <p>The following snippet contains a Flask web application written in Python that executes the <code>nslookup</code> command to resolve the host supplied by the user.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s2">&#34;/dns&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">page</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">hostname</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">values</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">hostname</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;nslookup &#39;</span> <span class="o">+</span> <span class="n">hostname</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">check_output</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span></code></pre></div><p>We can see the <code>hostname</code> appended to the command and executed on a subshell with the paratmeter <code>shell=true</code>, an attacker could stack another command with <code>;</code> in the GET parameter to inject other commands for example <code>cat /etc/paswd</code> .</p>