Web Security with Python | Command Injection

Cyber Security Python
Transcript

English (Auto-generated)

castors, it is your boy heads. And today we're going to look at command injection. So to demonstrate this up, I'm not even gonna explain it because you guys are gonna see it as we develop it. So here we have our Hello World app that we're always starting with and we have our junior Deb who decides, hey, we need to use this A P I to check on a let's say to check on a system. Users like to see who's logged in and what that users up to. And the way we can do that is with the finger command. Right? So what we can do is we can say we can run a finger and I can see someone who I can use, let's see what I have logged in. We have Eliana login. So I would say I run a single command and pass Eliana as an argument. You can see they have no mail when they logged in what their home directory is, their actual name and some Right. And we want to create a little api route up here. Uh so we'll call it a finger and then you will pass it a user and that user will be available here to flask. And we will then get the output of the finger command run against that user. So we will use the sub process module in order to do this. And we'll use the check output, check output. It's kind of like a p open if any of you are familiar with that. It basically runs a shell while it runs a sub process running an executable or what have you. And it's a popular way to run these sorts of he sort of system commands. So just to make sure that it is working rather than just say check output. And we will run the finger command and of course we're going to have to run it with our user. So I'm gonna use an F. String and then right in here I will just add the user. Is it crazy? So we're gonna run the finger command, we'll patch up this user. All is good. Right. Well let's for one to see if it works flats run and I already have I already have a flat spring right here so I can kill it camp and we'll get a 404 because we have to run finger slash and then whoever we want to run the command and I'm gonna use Eliana because that's the only user. I think that on the system and it is returning Hello world, which definitely is not correct. So let's see what's up with that because I didn't save the file. Of course I'm a genius. Alright, let's try that again. And we get an internal server error. Very interesting. Why is that? Well let's see. So we try running this file and we see that we get all these commands and it says no such file or directory. Okay. So it thinks that the program we're trying to run instead of running finger with the command Eliana. we're running a program called finger Alien which obviously doesn't exist. So I'm like oh hey okay. I I remember this in order to make it run as truly be interpreted by the shell. Just as though I was running this on the command line and I have to say shell people it's true. There you go. Now. It'll be just like typing this into my command blind. Let's see. Cool. Look at the output of the command. Right? So that's it. That's that's the junior debs role. He submits this. He's happy. So what's the problem? What's what's wrong with this picture? Well this is being run on the shelf and we're just passing this input here. But we can add more things to user to make the shell do unexpected things. Let's say we passed the user Eliana let me pass the semicolon. Oh and over here. That'll be the end of the finger command. And we can run another command like Ls dash L. Now we get to see what's in the current directory. We can create a file called random L. O. L. And let's see if that file is actually created there. It is Random L. O L. Um We can actually run any command as though we were this user. We could even uh we could I mean we can create users if this user has root access we can do anything we want on the system very dangerous as you can imagine, we could even modify the code of the server itself. If there was a database, we would be able to modify that. We can read the source code for app dot pi. There you go. It's pretty simple. Just a few lines right there. We can do anything we want and that's not good. For example, we could kill the server actually. Yeah, let's try that. So we'll run a P S A W X. Regret for python three. And why are we doing that? Because first in order to kill the server, I need to know it's uh I need to know what his process ideas. So here we have been. Okay. That's obviously I'm just gonna think it's under flask. So I'm actually gonna look up flask. There we go flask. So we have the group command. And over here I have this finger command. Let's see sorry, I'm so used to having a much friendlier interface for having new lines. So I'm just gonna go ahead and say I'm going to use the command. Why? Because I only wanted to give me the second field of each. There we go. Alright, so these are just three random things that I'll have that text in there. I'm just gonna kill him. I'm gonna kill them all. In fact, you know what I can do? I don't have to do any of this. I could use to kill all command kill off flask. There you go. We got an internal server error. Uh what is that? Okay, return to non zero. But it didn't kill it. Like I wanted to, Let's see what we have these three processes. Let's just kill those. Maybe it's because the process can't kill itself. I guess we're gonna find out right now. I'm gonna run kill-9, which is the root kill in the Linux World. There we go. What happened to our server? Uh This is a denial of service attack. So using this hack, the attacker can actually shut down the server at will create files on the system just generally wreak havoc. I mean at this point the server is completely pumped. So what do we do? Well, the obvious thing, I mean uh we see this Shell equals true. So the way we're supposed to be passing arguments um it's not like this, it's like this. So we run the execute double and we pass it an array of arguments. Okay, user is gonna be an argument as well and now we don't need the benefits of the shelf. We don't need them because each element in this array is basically an argument. So finger is the command we're gonna run and then this is the argument to it. This will only be passed as an argument to figure. But what if for some reason let's just say you actually did need the benefits of the shell. I guess I should have thought of. I should, I should have thought I had a little bit more for this podcast and thought of a situation where the shell would be relevant, but just for the sake of teaching you this since not everybody here might be an expert python. Ista. If you did require shell equals troops. So you couldn't just turn that off and do it the normal way. You would use flex and you specifically would use the quote function. In fact, I'm not even gonna I'm gonna just import selects because quote people might not know where that's coming from. So we'll use lex. And what we would do is we would do Schleck stock and I'm like typing dyslexia right now, Schleck stock, quote user that will do is it will escape this user thing to be passed as an argument to a shell command. This is shell. Shell escape and it exists for the entire purpose of escaping things for shells exactly like we're doing. So let's try it again. I've really ever used to elect myself. So maybe I'm using it. Let's find out. And let's just try one of the commands we did earlier, like reading app dot pi and there you go. It doesn't work anymore. We can no longer do that. Attack. Excellent. And another move. So this is our senior death who's coming in right and fixing things. So I'll call this output equals that and we'll try this. So sometimes I get this error and then it just displays nothing. So let's try to say that return output and we can just use an exception. In reality we should be checking the status code status code. So I guess this isn't truly a senior dev move, but we'll say that user could not and we'll try that just as easy to make this a little friendlier. Oh no, let's see. Oh right, right. Because it's actually not an exception, Like python is fine with it. It's just it's just out putting this to standard error. So Well it's not that's not really a big all I wanted to tell you is that you could easily add error checking to see. You could easily add error checking by checking the status code returned by check output. But there you go. You have flex dot quote and if you don't need show which in this case we actually don't. So this would be the proper solution. We're going to pass this a list I think earlier I said array. I didn't spend a lot of time in javascript can see some kind of used to kind of use that terminology. We would do this. We would pass it this list. And then just to be extra super duper goody two shoes, we could still put this for the shell. Just in case we don't trust the ability of check output to handle this for us. 100%. There you go. That's it. That will handle it for you. And our code is fixed. Thank you a lot for listening in. Um I don't know if you could hear it but my little we have a we have a brand new baby and he was he was he was eating just now and I think I think he was just crying because he wanted some more. So sorry, sorry have you heard that? But he's a he's a bundle of joy. Hopefully I didn't wake him up with my code casting. But anyway yep, there you go. That's command injection. It's when you are interfacing with the system and executing commands like this and you have some argument or you know you're running an execute herbal based on user input and you don't properly escape it. Well I'm gonna go check on my little baby boys with my wife right now but I'll check and give him a few kisses and I hope you guys had as much fun as I did doing command injection. Thank you so much. Bye bye.
28 Views 0 Likes 0 Comments

What if you want to rely on user-supplied input to run a command on your system? In this cast, we'll see how a naive developer introduces a vulnerability by combining Python with system commands, and how to fix it. Let's go!

Comment
Leave a comment (supports markdown format)