INTRO

These days, a very powerful class of vulnerability is being found not only in websites but also in applications. Many Black Hat hackers use it to compromise web servers, and many companies lose money because of it. In this article we will look at how Python can be used to get a reverse shell or command execution. It can be done remotely or locally, depending on the situation you are in.

Recently, I was doing an HTB box. I won't tell you the name, otherwise you will know the way to get that box done, but I can show you the process of command execution. It is a vulnerability which can be found on many websites and applications, and it is not limited to websites or applications written in Python. Command execution can also be present in programs based on PHP, Java, C, etc.

ATTACK

Basically, command execution is when a website or an application calls a function that runs a system command and an attacker intentionally exploits it. So we can say that command execution occurs due to the mistakes of a programmer. Here we will talk about some Python modules and their functions which allow us to execute a command:

1. os.system

As you can see, os is a module and system is one of its functions. In this Python module we call the system function, which is used for executing system commands. That means if you are running Python on Windows you must run Windows commands, and if you are using Linux you must run Linux commands. For example, I am using my Kali Linux machine as usual, and we will type a command here (or you can call it a script):


python -c 'import os; print(os.system("whoami"))'

OUTPUT:

As you can see in the output, it says "root". If you are wondering why I used a Python script as a command: whenever you pass a Python script on the command line, there are some things you have to change. Each new statement is separated with a semicolon (;) instead of a new line, and you always have to use the -c option to tell Python that the following string is a script.

Suppose someone writes this code for his website and uses the user's input as the argument to system, like system(input("please type your command")). It will cause command execution.
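As an added example (not code from the original article), here is the pattern just described: a function that concatenates user input into a command string, beside a hardened version that passes the input as a single argument and checks it against an allowlist. The greeting feature, the sample input and the allowlist pattern are constructed for this example. subprocess.run(..., shell=True) is used in place of os.system only so the output can be captured and compared; it hands the string to /bin/sh in exactly the same way and carries the same risk.

```python
import re
import subprocess

# Constructed sample input: what an attacker-controlled form field might contain.
USER_INPUT = "hello; echo INJECTED"

# Assumed policy for this feature: only plain words are acceptable as a name.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")


def greet_vulnerable(name):
    """Builds a shell command line by string concatenation, like os.system("echo " + name).

    shell=True passes the string to /bin/sh just as os.system does. The shell splits
    the line at ';', so the input ends the echo command and starts a second command.
    """
    result = subprocess.run("echo " + name, shell=True, capture_output=True, text=True)
    return result.stdout


def greet_argv_only(name):
    """Passes the input as one argv element: no shell parses it, so ';' is plain text."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


def greet_hardened(name):
    """Argv form plus an allowlist, so unexpected characters are rejected before any process runs."""
    if not SAFE_TOKEN.fullmatch(name):
        raise ValueError("input contains characters that are not allowed")
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable :", repr(greet_vulnerable(USER_INPUT)))
    print("argv only  :", repr(greet_argv_only(USER_INPUT)))
    print("hardened   :", repr(greet_hardened("alice")))
    try:
        greet_hardened(USER_INPUT)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

The argv form alone already stops the shell from interpreting the input; the allowlist is the second layer, because the called program itself may still treat some inputs specially (for example an argument beginning with a dash).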


2. subprocess.Popen and subprocess.run

In Python we have a module called subprocess. The subprocess module allows you to spawn new processes, connect to their input/output/error pipes, and obtain their return codes. This module intends to replace several older modules and functions. For command execution we are going to use its Popen and run functions.

Note: the run function does not work in Python 2.

Look at these commands:

python -c 'import subprocess;subprocess.Popen(["ls", "-al"])'
python3 -c 'import subprocess;subprocess.run(["ls", "-al"])'

OUTPUT:

Remember that the Popen and run functions take the command as a list (or tuple) of arguments. You can try to run these in your terminal and see how they work. It is a module for advanced-level Python programmers. If a programmer uses it in his website and mistakenly allows input to be added to the list, it would cause a command injection or execution flaw in the website.


The os module has a similar function, os.popen, which returns the command's output as a file object. For example, you write a program to tell you the current date:

python3 -c 'import os;a = os.popen("date");print(a.read())'

OUTPUT:

Thu 09 Apr 2020 01:27:05 AM PKT

Here we have assigned the result to the variable a and read it. If we print it, we get the output shown above.
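The functions covered above (os.system, os.popen, subprocess.Popen and subprocess.run) are the places a reviewer looks for first when auditing Python code for command execution. As an added example that is not from the original article, the following static check walks a file's syntax tree and reports every call that lets a shell parse a string: os.system and os.popen always do, while the subprocess functions do so only when shell=True is passed. The sample source it scans is constructed for this example, and the list of subprocess function names is an assumption about what is worth flagging.

```python
import ast

# Functions from the article that always run a string through /bin/sh.
SHELL_STRING_SINKS = {"os.system", "os.popen"}
# subprocess entry points that become shell sinks only when shell=True is passed (assumed set).
SUBPROCESS_FUNCS = {"Popen", "run", "call", "check_call", "check_output"}

# Constructed sample source to scan; line numbers start at 1 with "import os".
SAMPLE = """\
import os
import subprocess
from subprocess import run

def handler(user):
    os.system("ping -c 1 " + user)
    out = os.popen("date").read()
    subprocess.Popen(["ls", "-al"])
    subprocess.run("ls -al " + user, shell=True)
    run(["echo", user])
    run("id", shell=True)
"""


def _dotted_name(node):
    """Return 'os.system' for an Attribute/Name chain used as a call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _shell_is_true(call):
    """True when the call carries a literal shell=True keyword argument."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_command_sinks(source):
    """Return a sorted list of (line, reason) for calls that let a shell parse a string."""
    tree = ast.parse(source)

    # Names brought in with 'from subprocess import run' show up as bare calls.
    bare = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            bare.update(alias.asname or alias.name
                        for alias in node.names if alias.name in SUBPROCESS_FUNCS)

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SHELL_STRING_SINKS:
            findings.append((node.lineno, f"{name}() always runs its argument through the shell"))
            continue
        is_subprocess = name in bare or (
            name is not None
            and name.startswith("subprocess.")
            and name[len("subprocess."):] in SUBPROCESS_FUNCS
        )
        if is_subprocess and _shell_is_true(node):
            findings.append((node.lineno, f"{name}(..., shell=True) lets the shell parse the command string"))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_command_sinks(SAMPLE):
        print(f"line {line}: {reason}")
```

Calls that pass a list without shell=True, such as subprocess.Popen(["ls", "-al"]), are deliberately not reported: the arguments reach the program directly and no shell splits them. A finding from this check is a place to review, not proof of a flaw; whether the string is built from user input still has to be confirmed by hand.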

And I promise you that in the next article we will try to get a shell with this technique (command execution).


Stay home, stay safe and keep reading our articles.

Thanks For Visiting.
