import html
import subprocess

from flask import Flask, request, render_template_string
app = Flask(__name__)  # the single application object; both routes below are registered on it
@app.route('/')
def index():
    """Serve the landing page: one form that POSTs a ``command`` field to ``/execute``."""
    # The template is a constant with no interpolated values, so passing it to
    # render_template_string carries no template-injection risk at this point.
    page = '''
<h1>Command Injection Test</h1>
<form action="/execute" method="POST">
Command: <input type="text" name="command" required><br>
<input type="submit" value="Execute">
</form>
'''
    return render_template_string(page)
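@app.route('/execute', methods=['POST'])
def execute():
    """Run the submitted ``command`` form field through the shell and echo the result.

    This endpoint is the deliberately vulnerable part of the test app: the
    ``command`` value is handed verbatim to ``subprocess.check_output`` with
    ``shell=True``, so any client that can POST here executes shell commands
    with the privileges of the server process. That sink is kept on purpose —
    it is what this app exists to demonstrate. What *is* fixed here is the
    response rendering: the command and its output were interpolated into HTML
    unescaped, which made the page a reflected-XSS sink on top of the intended
    command-injection one; both values are now HTML-escaped before use.

    Returns:
        An HTML fragment with the escaped command and its escaped output, or an
        ``Error: ...`` line holding the captured output when the command exits
        non-zero.

    Raises:
        Flask answers with a 400 (``BadRequestKeyError``) when the ``command``
        field is missing, because ``request.form['command']`` is used directly.
    """
    user_command = request.form['command']
    # Debugging: Print the command to the console
    print("Executing command:", user_command)
    # Vulnerable code: directly using user input in a system command.
    # Intentionally left unchanged — this is the command-injection sink under test.
    try:
        result = subprocess.check_output(user_command, shell=True, text=True)
    except subprocess.CalledProcessError as e:
        # check_output captures stdout, so e.output is the (text) output so far.
        result = f"Error: {e.output}"
    # Escape before interpolating into HTML: the command is client-controlled and
    # the output may itself contain markup, so neither may be rendered raw.
    return (
        f"Command executed: {html.escape(user_command)}<br>"
        f"Output:<br>{html.escape(result)}"
    )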
if __name__ == '__main__':
    # NOTE(review): debug=True switches on Flask's development-server features,
    # which include the Werkzeug interactive debugger; together with the
    # /execute route this binary must only ever run in an isolated local test
    # environment, never on a reachable interface.
    app.run(debug=True)