a simple example of python code injection

In real-world implementations, code injection can get complex. I, myself, have never really run into such vulnerabilities outside of lab/simulated situations, but I'd like to give a shot at simplifying the general concept here.

> what is it anyway?

Code injection occurs when text supplied through a user input feature is treated as code because of an input validation flaw in the software. The injected code is then executed by the program and performs some action of the attacker's choosing. There are various types of injection attacks, but this post will specifically look at code injection in Python.

> about python2

For this example, I will be explaining code injection using Python version 2. Python2 is known to have a plethora of security vulnerabilities, and support for Python2 has been discontinued.

Some of the Python2 built-ins that pose security risks when fed untrusted input are: eval(), input(), and exec().

> simple example 1

Let's do a simple walk-through. First, in your browser, enter this site. On the left side, you should see the editor where you can type your code, and on the right side, you should see a standard input ("STDIN") panel and an output panel.

Above those right-side panels, you should see a drop-down button to change the language; change the language to Python2 (the default seems to be Java). In the editor, enter the following code:

print "Let's do some math..."
ans = 7006652

# In Python 2, input() evaluates the typed text as a Python expression
if ans == input("What is 1234 * 5678?"):
  print "\nOk Einstein."
else:
  print "\nTry again!"

Enter any number in the "STDIN" box, then run the code. You can enter either the right or the wrong answer to observe which message it prints.

Now enter the variable name, "ans," in the "STDIN" box, and observe that you didn't actually need to work out the math to get the answer "right." This is a very simple example of code injection. Essentially, what is happening here is that Python 2's input() evaluates the text you typed as a Python expression, so Python is comparing the value of "ans" with the value of "ans." Since 7006652 is obviously equal to 7006652, the condition is TRUE, which prints "Ok Einstein" to the output.

> simple example 2

Let's look at how the eval() function behaves. Clear the editor, and enter the following:

print "Let's do some math..."
ans = 7006652

# raw_input() returns the typed text as a string without evaluating it
user_in = raw_input("What is 1234 * 5678?")

# eval() then runs that string as a Python expression
if ans == eval(user_in):
  print "\nOk Einstein."
else:
  # str() is needed here: concatenating a string with the int eval() returns
  # would otherwise raise a TypeError instead of printing the message
  print "\nYou entered " + str(eval(user_in)) + "... Try again!"

This code is essentially the same as the previous example. In fact, in Python 2 the input() function is equivalent to eval(raw_input()), so both snippets evaluate the typed text in the same way.

Again, enter any number, correct or incorrect, and observe which message you'll receive. You can also still enter the variable name, "ans," to evaluate the condition as true.

Now, to observe how eval() can be exploited, enter __import__('sys').version, and notice that Python calls the __import__ built-in function and returns the version of the Python interpreter (this should match a 2.7.x version). As you can see, whatever is typed is evaluated with access to the variables, functions and modules available to the interpreter.
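To make the point of both examples concrete from the defender's side, here is an added Python 3 example (not code from the original post) that puts the post's eval()-style check next to two hardened versions. The function names check_unsafe, check_literal and check_int are my own; the constant 7006652 and the inputs "ans" and "1234 * 5678" are taken from the walk-through above.

```python
import ast

# Same answer as the post's examples: 1234 * 5678
ANSWER = 7006652


def check_unsafe(user_in, ans=ANSWER):
    """Python 3 equivalent of the post's Python 2 input()/eval() check.

    eval() runs the string as a Python expression in the caller's
    namespace, so the text "ans" simply resolves to the answer itself,
    and "1234 * 5678" is computed for the user. Kept only for contrast.
    """
    return ans == eval(user_in)  # intentionally unsafe


def check_literal(user_in, ans=ANSWER):
    """Safer: ast.literal_eval accepts Python literals only.

    Names, attribute access, calls and arithmetic are rejected with
    ValueError (an empty or malformed string raises SyntaxError), so
    the injected "ans" can no longer refer to anything.
    """
    try:
        value = ast.literal_eval(user_in.strip())
    except (ValueError, SyntaxError):
        return False
    return isinstance(value, int) and value == ans


def check_int(user_in, ans=ANSWER):
    """Strictest: the only acceptable input is an integer, so parse one.

    Anything that is not an integer is treated as a wrong answer
    instead of being interpreted as code.
    """
    try:
        return int(user_in.strip()) == ans
    except ValueError:
        return False


def compare_inputs(inputs):
    """Run every check over the given inputs; returns {input: (unsafe, literal, int)}."""
    return {
        text: (check_unsafe(text), check_literal(text), check_int(text))
        for text in inputs
    }


if __name__ == "__main__":
    # Constructed sample inputs: the right answer, the injected variable name,
    # and an expression that makes the interpreter do the math
    for text, result in compare_inputs(["7006652", "ans", "1234 * 5678"]).items():
        print("%-12r unsafe=%s literal=%s int=%s" % ((text,) + result))
```

Only the unsafe variant accepts "ans" and "1234 * 5678"; both hardened variants accept nothing but the literal number. The Python 2 form of the same fix is int(raw_input(...)), which is the smallest change that closes the hole in the post's examples.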

> conclusion

Use Python3! Jk - I need to write more, but this shall be subject to further elaboration and revisions for now.... In the meantime, here is the Python2 documentation if you'd like to review its operating system and runtime services.

© 2022