Research finding
This finding is not an indication of a problem or danger, but can be used for security research. See this tool's
philosophy.
os.system() and os.exec()
These functions execute shell commands. This research finding marks such calls so that the variables flowing into and out of the function can be traced and checked for any user input that could influence the command being run.
Dangerous characters
When user input reaches a shell command, the following characters are dangerous because each of them can change how the command line is parsed:
• ' ' Space splits one parameter into multiple parameters
• ';' Separates commands
• '?' and '*' File wildcard (glob) symbols
• '|' Pipe
• '||' and '&&' Command chaining with OR and AND
• '$' Variable expansion character
• '`' Backtick (command substitution)
• '$( )' Command substitution block
• '>' and '>>' Redirect output to a file
• '<' Redirect input from a file
• '&' Starts a command in the background
• '--' Influences how the following parameters are interpreted
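As an added example (not part of this finding's documentation), the vulnerable pattern beside two hardened forms, plus a helper that flags the characters listed above. The `ping` command, the function names and the hostname check are assumed for illustration:

```python
import shlex
import subprocess

# Shell metacharacters from the list above. Any of these in untrusted input
# can change the structure of a command that was built by string formatting.
DANGEROUS = [" ", ";", "?", "*", "|", "||", "&&", "$", "`", "$(",
             ">", ">>", "<", "&", "--"]


def find_dangerous(value: str) -> list[str]:
    """Audit helper: return the listed metacharacters present in `value`."""
    return [c for c in DANGEROUS if c in value]


def vulnerable_ping(host: str) -> str:
    """Vulnerable pattern: user input spliced into a shell command string.
    The string is returned, not executed, so the example stays offline;
    in real code it would be handed to os.system()."""
    return f"ping -c 1 {host}"


def quoted_ping_command(host: str) -> str:
    """Mitigation when a shell is unavoidable: shlex.quote() wraps the input
    so the shell treats it as a single literal word; '--' stops a value
    starting with '-' from being parsed as an option."""
    return f"ping -c 1 -- {shlex.quote(host)}"


def hardened_ping_argv(host: str) -> list[str]:
    """Preferred mitigation: validate the input against what a hostname may
    contain (assumed rule: dot-separated labels of letters, digits, '-')
    and build an argv list, so no shell ever parses the value."""
    labels = host.split(".")
    if not host or len(host) > 253 or not all(
        label and label.replace("-", "").isalnum() for label in labels
    ):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", "--", host]


def run_ping(host: str) -> int:
    """Execute the validated argv without a shell and return the exit code."""
    return subprocess.run(hardened_ping_argv(host), check=False).returncode
```

Tracing `host` from its source into `vulnerable_ping` is exactly what this finding is meant to support; the hardened variants show what a fix looks like.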
Links
• https://docs.python.org/3/library/os.html
• https://book.hacktricks.xyz/pentesting-web/command-injection