Exploiting insecure file extraction in Python for code execution

One of the easiest ways to achieve code execution in PHP is by exploiting insecurely written file upload handling logic. If you are able to upload an arbitrary PHP file by fooling the upload logic, you can execute arbitrary PHP code. When it comes to modern web frameworks written in Go, Node.js, Python, Ruby etc., it's a different story. Even if you manage to upload a .py or .js file to the server, requesting that resource via a URL often returns nothing, because the route or URL is not exposed by the application. Even if you can reach the resource by URL, it won't trigger any code execution, as it is served as a static file and simply returns the plain-text source code. This post explains how to get code execution in one such Python scenario, where you are able to upload compressed files to the server.

Read Blog: https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution
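The defensive counterpart to the scenario above, as an added example that is not from the linked post: it assumes the insecure pattern is writing each archive member to a path built from its stored name without confining it to the upload directory, and the names `resolve_member`, `safe_extract`, `build_zip` and `demo` are hypothetical. Every entry name is validated before anything touches disk, so a single escaping entry rejects the whole archive.

```python
import io
import tempfile
import zipfile
from pathlib import Path

class UnsafeArchiveMember(ValueError):
    """Archive entry would be written outside the extraction root."""

def resolve_member(dest_root, member_name):
    """Map an entry name to a path under dest_root; raise if it would escape."""
    root = Path(dest_root).resolve()
    # root / "/abs/name" silently discards root, so refuse absolute names first.
    if Path(member_name).is_absolute():
        raise UnsafeArchiveMember(f"absolute entry name: {member_name!r}")
    target = (root / member_name).resolve()  # collapses "..", follows symlinks
    if target != root and root not in target.parents:
        raise UnsafeArchiveMember(f"entry escapes root: {member_name!r}")
    return target

def safe_extract(zip_bytes, dest_root):
    """Extract an in-memory zip; validate every name before writing anything."""
    root = Path(dest_root).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Plan first: one hostile entry anywhere aborts the whole extraction.
        plan = [(i, resolve_member(dest_root, i.filename)) for i in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                continue  # parent directories are created on demand below
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return [t.relative_to(root).as_posix() for i, t in plan if not i.is_dir()]

def build_zip(entries):
    """Constructed sample archive from {entry name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    # Benign archive extracts; a constructed traversal archive is rejected whole.
    root = tempfile.mkdtemp(prefix="upload_")
    benign = safe_extract(build_zip({"docs/readme.txt": b"hello"}), root)
    hostile = build_zip({"ok.txt": b"x", "../../app/views.py": b"# overwrite"})
    try:
        safe_extract(hostile, root)
        rejected = False
    except UnsafeArchiveMember:
        rejected = True
    return benign, rejected, Path(root, "ok.txt").exists()
```

Note that `demo()` reports `ok.txt` as absent after the hostile archive is rejected: validating the full entry list up front prevents a partial write of the benign entries that precede the traversal entry.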
