python input vulnerability

Hi guys, today I will show you how a small mistake when writing code can lead to exposing data or RCE on the server.
As we know, Python has a function that takes input from the user and saves it in a variable.
In Python 2.x this is the input function, a built-in that lives in the __builtin__ module.
Let's check what this function does by using help(input):



It is equivalent to eval(raw_input()).
raw_input is another function that takes input from the user and returns it as a string; input adds eval on top of it. As we know, eval is a function that evaluates the string of text passed as its parameter as a Python expression, accepting an optional second argument for the globals to use during evaluation.
Let's make a quick demo:


If we enter a number it will display it, but if we enter 2+4 it will display 6, because input uses eval, as we saw above. From here we can use the __builtin__ module (for example __import__ to load os) to get


code execution and a shell on the box:






The input vulnerability does not stop there: it also gives the ability to read variables. Say your system connects to a database and, when the user enters a password, compares it with the password stored in the database.
Assume the value returned by the database SELECT query is stored in db_user. If the user enters the text db_user, eval will read the real value that came from the database, the comparison succeeds, and the login is bypassed without knowing the real password.
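To make the two attacks above concrete, here is an added example that is not from the original post. It simulates Python 2's input() under Python 3 with a small py2_input helper (the names py2_input, login_vulnerable, login_safe, parse_number_safe, db_password and the password s3cret are all my own for the demo, and the "typed" strings are constructed inputs). It shows the arithmetic being evaluated, os being reached through __import__ (reading the pid instead of running a shell command), the login bypass by typing the variable name, and the fix: keep the input as a plain string (raw_input in Python 2, input in Python 3), compare it with hmac.compare_digest, and parse numbers with ast.literal_eval instead of eval.

```python
"""Simulate Python 2's input() (= eval(raw_input())) under Python 3."""
import ast
import hmac
import os


def py2_input(typed, caller_vars=None):
    """Stand-in for Python 2's input().

    `typed` is the text the user entered (constructed for the demo) and
    `caller_vars` plays the role of the calling function's variables, which
    Python 2 hands to eval. This is a simulation, not the real builtin.
    """
    return eval(typed, dict(caller_vars or {}))  # the dangerous part


def login_vulnerable(typed, db_password):
    """Python 2 style: `if input("password: ") == db_password:`."""
    entered = py2_input(typed, {"db_password": db_password})
    return entered == db_password


def login_safe(typed, db_password):
    """raw_input() / Python 3 input(): the text stays a string.

    compare_digest avoids leaking the password length/prefix via timing.
    """
    return hmac.compare_digest(typed.encode(), db_password.encode())


def parse_number_safe(typed):
    """Accept only a numeric literal; expressions, names and calls are rejected."""
    try:
        value = ast.literal_eval(typed)
    except (ValueError, SyntaxError):
        return None
    return value if isinstance(value, (int, float)) else None


def demo():
    """Run every case once and return the results as a dict."""
    return {
        # harmless: a number is echoed back
        "number": py2_input("42"),
        # eval is in play: an expression is computed
        "expr": py2_input("2+4"),
        # code execution: os is reachable through __import__; a real attacker
        # would call os.system('id') or spawn a shell here, we only read the pid
        "rce_pid": py2_input("__import__('os').getpid()"),
        "real_pid": os.getpid(),
        # login bypass: type the variable name and eval returns its value
        "bypass": login_vulnerable("db_password", "s3cret"),
        "wrong_guess": login_vulnerable("'guess'", "s3cret"),
        # hardened versions: the typed text is never evaluated
        "safe_bypass_attempt": login_safe("db_password", "s3cret"),
        "safe_correct": login_safe("s3cret", "s3cret"),
        "safe_number": parse_number_safe("42"),
        "safe_expr": parse_number_safe("2+4"),
        "safe_rce": parse_number_safe("__import__('os').getpid()"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it as a script to see each case printed; the "bypass" entry is True because eval resolved db_password to the stored secret, while the same text against login_safe is just a seven-character string that does not match.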

As we see, a little mistake can lead to a big problem.



Comments

  2. Thank you for sharing wonderful information.
    Python training in Hyderabad, the best career
  3. Awesome work! That is quite appreciated. I hope you’ll get more success.
    Python Training in Chennai | Python Training Institute in Chennai
  4. Pretty article! I found some useful information in your blog....

    So here we provide:

    We provide you with flexible services and complete hybrid network solutions. It can provide your organisation with exceptional data speeds, advanced external security protection, and high resilience by leveraging the latest SD-WAN and networking technologies to monitor, manage and strengthen your organisation's existing network devices.

    https://www.quadsel.in/networking/
    https://twitter.com/quadsel/
    https://www.linkedin.com/company/quadsel-systems-private-limited/
    https://www.facebook.com/quadselsystems/

    #quadsel #network #security #technologies #managedservices #Infrastructure #Networking #OnsiteResources #ServiceDeskSupport #StorageServices #WarrantyAMCServices #datacentersolutions #DataCenterBuild #EWaste #InfraConsolidation #DisasterRecovery #NetworkingServices #ImagingServices #MPS #Consulting #WANOptimisation #enduserservices
  5. Python is a general-purpose coding language—which means that, unlike HTML, CSS, and JavaScript, it can be used for other types of programming and software development besides web development.

    https://www.kaashivinfotech.com/best-final-year-project-in-information-technology