Code Execution 08
This exercise is one of our challenges on Code Execution
In this challenge, similar to the previous one, we aim to execute a command on the server. However, the current setup prevents the use of slashes (/) in the path, a restriction that's enforced by the Flask route configuration. To work around this, we need to encode our command in base64, allowing us to send it without slashes. Once the server receives the encoded payload, it will decode it using the b64decode function from the base64 module, which we load via the __import__ trick. This method ensures that our command can be executed despite the path restrictions.
The source code review reveals that the route /hello/ is mapped to the hello_name function, which evaluates user input using eval. This setup is vulnerable to code injection, but the absence of slashes complicates direct command execution. By encoding our command in base64, we can bypass this limitation. The decoded command is then evaluated, allowing us to achieve our goal of executing commands on the server.
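From the defender's side, the same pattern can be spotted in access logs. The following is an added example, not code from the challenge: it flags /hello/ request paths that carry the names mentioned above and decodes any quoted base64 literal so the hidden text is visible to an analyst. The function name inspect_path, the marker list and the sample path are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Names that do not belong in a greeting path but appear in eval injection.
MARKERS = ("__import__", "b64decode", "eval(", "exec(")
# Quoted runs of base64 characters, as they would sit inside b64decode('...').
# '/' is left out of the class: a path segment containing one never reaches the route.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+]{8,}={0,2})['"]""")


def inspect_path(raw_path, prefix="/hello/"):
    """Return (markers, decoded_literals) for one request path, or None if off-route."""
    path = unquote(raw_path)  # logs usually hold the percent-encoded form
    if not path.startswith(prefix):
        return None
    name = path[len(prefix):]
    markers = [m for m in MARKERS if m in name]
    decoded = []
    for literal in B64_LITERAL.findall(name):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text, ignore it
        decoded.append(text)
    return markers, decoded


# Constructed sample: harmless text containing slashes, hidden the way the page describes.
HIDDEN = "ls /srv/app"
ENCODED = base64.b64encode(HIDDEN.encode()).decode()
SAMPLE_PATH = "/hello/__import__(%27base64%27).b64decode(%27" + ENCODED + "%27)"

if __name__ == "__main__":
    for p in ("/hello/alice", SAMPLE_PATH):
        print(p, "->", inspect_path(p))
```

A hit here only surfaces an attempt; the underlying fix is to stop passing the path value to eval in hello_name.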