Generally Python's eval() function turns the string "123" into the numeric 123, but PP3E says it is dangerous and can execute other commands!
Some experimentation with this. Sure enough, a CGI program written in Python that uses eval() instead of int() to convert the contents of an input box such as age is very dangerous. Not only can you see all the files on the system listed, but you can also delete files, look at their source code, and perform other dangerous operations!
Tried to write a program that would write a local script file, line by line, to a file on the server, but it finally failed because line breaks "\n" could not be entered: as long as there is a line break in the submitted statement, an EOL error is raised, and changing the encoding method did not help either.
The web page has a box for submitting a name; here it is just used as an example of changing the conversion, because the name is not normally converted with eval(), whereas the age is where it is easy to go wrong. This file (http://localhost/) imports os.
line1 = "Hello, %s." % eval(form['user'].value)
(1)
('del * /q') # Delete all files in the current directory (excluding folders).
This calls commands of the current system (e.g. Windows):
/q
Specifies a mandatory status. You are not prompted to confirm the deletion.
(2) To delete a folder, use rmdir:
/s
Deletes the specified directory and all subdirectories and all files contained therein. Use /s to delete the directory tree.
/q
Runs rmdir in quiet mode; deletes directories without confirmation.
('rmdir d:/workspace /s/q')
(3) List all files: ('dir'). Because os.system() returns 0 after the dir command completes successfully, the only thing you see in the response is Hello, 0. On the server, however, the listing really ran, and if there is a log it may be found. Submit ('dir >'), then visit http://localhost/ and all the files and folders are exposed. Want to see the source code? Then use ('type '). The command again returns Hello, 0 if it completes successfully. Do you write it into another file and access that file again? open('').read()
From there, you can list and view the contents of other folders.
If you are not doing anything else bad, you can then delete it to avoid being found out: ('del /q')
Import os and execute the command:
__import__('os').system('dir >')
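The fix the text points at is to stop evaluating form input at all. As an added example (not code from the original page), here is the dangerous eval() conversion beside a hardened one: int() with a range check for the age field, and ast.literal_eval() for the rare case where a Python literal rather than an integer is really needed. The sample submissions are constructed.

```python
import ast

# Constructed sample form submissions (not taken from the original page).
SAMPLES = {
    "benign": "123",
    "expression": "1+2",
    "payload": "__import__('os').system('dir')",
}


def parse_age_unsafe(value):
    """The pattern the text warns about: eval() on raw form input.
    Kept only for contrast; it will run any Python expression it is given,
    so the test below only feeds it harmless numbers."""
    return eval(value)


def parse_age_safe(value, lo=0, hi=150):
    """Hardened replacement: int() plus a range check.

    int() only accepts an integer literal (with surrounding whitespace),
    so a shell command or an expression such as "1+2" raises ValueError
    instead of being executed. Returns the validated integer."""
    try:
        age = int(str(value).strip())
    except ValueError:
        raise ValueError("age must be an integer")
    if not lo <= age <= hi:
        raise ValueError("age out of range")
    return age


def is_plain_literal(value):
    """Where a literal (list, string, number) is genuinely needed,
    ast.literal_eval() parses constants only and never evaluates calls,
    attribute access or imports. Returns True if `value` is such a literal."""
    try:
        ast.literal_eval(value)
        return True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False


def check_samples():
    """Classify each constructed sample: True if parse_age_safe accepts it."""
    result = {}
    for name, raw in SAMPLES.items():
        try:
            parse_age_safe(raw)
            result[name] = True
        except ValueError:
            result[name] = False
    return result
```

Only the "benign" sample survives the hardened parser; the expression and the command payload are rejected before anything is evaluated.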