132 - VID_LANGUAGE_PYTHON_OS

Research finding


This finding is not an indication of a problem or danger, but can be used for security research. See this tool's *philosophy*.

os.system and os.exec


These functions can be used to execute shell commands. This (Research) finding on these calls can be used to trace the variables going into and coming out of the function and to check whether any user input can influence the commands that are run.

Dangerous characters


For shell commands there are a number of dangerous characters that can be tried:
• ' ' Space can split one parameter into multiple parameters
• ';' Separates commands
• '.' and '*' File wildcard symbols
• '|' (Pipe)
• '||' and '&&' Command chaining with OR and AND
• '$' (Variable character)
• '`' (Backtick)
• '$( )' Shell block
• '>' and '>>' (Redirect to)
• '<' (Redirect from)
• '&' Can start commands in the background
• '--' Can influence how parameters are interpreted
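The following Python example is added here to illustrate the finding; it is not part of the original page or of the tool it describes. It contrasts the pattern the finding flags (user input interpolated into an os.system shell string) with the hardened form (an argument list passed to subprocess without a shell, with '--' to stop option parsing), and includes a small checker that reports which characters from the list above appear in a value. The function names, the DANGEROUS_TOKENS tuple and the sample inputs are assumptions made for this example.

```python
"""Added example (not from the original finding page): shell-injection
pattern beside its hardened form, plus a checker for the metacharacters
listed in the finding."""
import shlex
import subprocess

# Metacharacters taken from the finding's list above ('.' is kept because the
# page lists it, even though the shell only treats '*' as a glob wildcard).
DANGEROUS_TOKENS = (
    " ", ";", "|", "||", "&&", "$", "`", "$(", ">", ">>", "<", "&", "*", ".", "--",
)


def find_dangerous_tokens(value: str) -> list[str]:
    """Return the listed tokens that occur in `value`, in list order.

    Useful when tracing a variable towards os.system/os.exec*: a non-empty
    result means the value must not be interpolated into a shell string.
    """
    return [tok for tok in DANGEROUS_TOKENS if tok in value]


def build_command_unsafe(filename: str) -> str:
    """The pattern the finding flags: user input concatenated into a shell
    string, e.g. for os.system(). With filename = 'a; id' the shell would run
    'id' as a second command."""
    return "ls -l " + filename


def build_command_safe(filename: str) -> list[str]:
    """Hardened form: an argument list for subprocess.run(..., shell=False).

    No shell parses the list, so ';', '|', '$(' etc. inside filename reach ls
    as literal characters. The '--' stops ls from reading a filename such as
    '-la' as options (the page's last bullet)."""
    return ["ls", "-l", "--", filename]


def run_safe(filename: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell (shell=False is the default)."""
    return subprocess.run(
        build_command_safe(filename), capture_output=True, text=True, check=False
    )


def quote_for_shell(filename: str) -> str:
    """If a shell string is unavoidable, shlex.quote() single-quotes the value
    so the shell passes it through as one literal argument."""
    return "ls -l -- " + shlex.quote(filename)


if __name__ == "__main__":
    # Constructed sample input: a filename carrying a command separator.
    user_value = "a; id"
    print("flagged tokens:", find_dangerous_tokens(user_value))
    print("unsafe string :", build_command_unsafe(user_value))
    print("safe argv     :", build_command_safe(user_value))
    print("quoted string :", quote_for_shell(user_value))
    print("exit code     :", run_safe(user_value).returncode)
```

When tracing a variable into os.system, the practical check is whether it ever takes the argv-list form above; a string that reaches the shell unquoted is the condition this finding asks you to look for.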

Links


https://docs.python.org/3/library/os.html
https://book.hacktricks.xyz/pentesting-web/command-injection