Greetings everyone, this is Shawar Khan and i hope you all are doing well. It's been a while since my last write up, so i decided to disclose one of my recent findings that i have identified in a top web application. Recently i found an issue that allowed me to read files on server with Python, that was due to lack of protection and i will show you how i did it, It's quite simple.
So while i was practicing python coding i decided to apply the coded script on the web app, there were a few applications that were using python and i was able to execute python there. Some of these are online tools that execute languages online. Python is the simplest and the powerful language as it contains the easiest syntax with powerful control. There are many commands and modules that can be used to compromise systems and applications by in this write up i will demonstrate how i read the files.
So, lets move towards the interesting stuff, I went to the area where python execution was possible, a normal "print('Shawar Khan')" command returns the following results:
So as you can see that after the "Output:" you can see the result of the command, now the only thing that pings while executing programs is the execution of system commands, so i tried executing system command using the "os" module.
code:
import os
os.system('ls')
result:
The system command was not executed as the "syscall" was blocked, they were not allowing us to execute the system command, so i tried the "subprocess" module to do the same trick:
code:
import subprocess
subprocess.Popen('ls')
Result:
Okay, so same issue with this one, they were blocking all commands that execute system command so this trick failed. In similar cases we are able to execute system command and are able to get full control over the server using this trick but in this case i skipped this one and moved on to reading the server files. I tried the 'open()' to open or create a file on the server.
i found that the server was not giving me write permissions and i was not able to write files on the server but i was able to READ file that means i was having read permissions. So using that i was able to read server files by directly calling them using 'open()' with read option. The following was my code for reading /etc/passwd file:
Code:
f = open('/etc/passwd','r')for i in f:
print i.strip('\n')
Result:
So, i was successfully able to read files on the server and was able to call them as i was having read permissions. These simple tricks can be handy wile performing pentests against web apps like these.
Thats it, share the write up if you like it!
Tip:~$ #Where there's a Python, there's a way.
0 comments:
Post a Comment