Common command injection threats in python

  • 2020-04-02 09:53:40
  • OfStack

Ah! Actually not as serious as the title says!

But here are some hard-learned examples from the early days of our product development. More security threats can be found in beibei's "python hack" slides, which cover not only the command execution threat but also the code-level issues we ran into.

Remember never to trust externally supplied data when executing a command; once you are aware of the problem, there are many ways to fix it.

In our system, where many existing problems cannot all be fixed one by one, we need a common secure execution interface that can be updated later.

In addition, when we develop new functions we should also master the standard skills of secure programming, which are not limited to command execution security.

In summary:

  • Do not splice input parameters into the command string; if that is unavoidable, whitelist-filter the input parameters.
  • Always type-check incoming parameters: if a parameter is known to be numeric, checking that it is an int makes things much safer.
  • Be strict when splicing strings too: for a parameter of type int, use %d instead of %s.
  • Pass the command to subprocess as a list of separate arguments; this prevents command-line injection.
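The summary above, and the "common secure execution interface" mentioned earlier, as an added example (not the article's own code): the command is passed to subprocess as an argument list with shell=False, and a shlex.quote fallback is kept for legacy code that still has to build a shell string. The function names run_argv, build_shell_line and echo_site are assumptions made for this illustration.

```python
import shlex
import subprocess

# Added example, not the article's own code: a minimal "common secure
# execution interface" of the kind the summary asks for.  The function
# names are assumptions for this illustration.


def run_argv(argv, timeout=60):
    """Run a command from an argument list, never through a shell.

    Each list element reaches the program as exactly one argv entry, so
    characters such as ';', '|', '&', backticks or a newline inside a
    parameter are ordinary bytes to the child, not command separators.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a non-empty list of str")
    return subprocess.run(
        argv,
        shell=False,          # the list goes straight to execve(), no /bin/sh
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def build_shell_line(template, **params):
    """Fallback for legacy code that must still hand a string to `sh -c`:
    every parameter is shlex.quote()d so the shell sees it as one word."""
    quoted = {name: shlex.quote(str(value)) for name, value in params.items()}
    return template.format(**quoted)


def echo_site(site):
    """The article's first bug (site spliced into a command string), rewritten
    with an argument list: whatever `site` contains is printed back verbatim
    by printf instead of being interpreted by a shell."""
    return run_argv(["printf", "%s", site]).stdout


if __name__ == "__main__":
    print(echo_site("example.com; id"))                      # example.com; id
    print(build_shell_line("md5sum {name}", name="a;b.txt"))  # md5sum 'a;b.txt'
```

run_argv is the interface new code should use; build_shell_line exists only so that old call sites which cannot be converted yet can at least stop splicing raw values into the string.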

Take the bugs in our old code (it was the latest version at the time =,= things have changed since):

Example 1 (variable not filtered):

Amy polumbo y

The site variable is actually a string in URL format, and it is unfiltered. The old version had no problem with the site format; the new version supports the URL format, so symbols can now be passed in.


cmd = 'python /a.py --task_id=%s --site=%s -b' % (taski, site)

Example 2 (unreliable filtering):

util/update.py

Although the downloadFile function applies a filter to fileName, there are many ways to bypass it.

There are so many command separation methods under Linux that the blacklist method is unreliable.


import os

fileName = downloadInfo[0]
fileName = fileName.replace(';', '').replace('&', '')  # blacklist "filter" on the file name
localMd5 = os.popen('md5sum %s%s' % (path, fileName)).read()  # still spliced into a shell command

The way to fix this is a whitelist format check on fileName, for example allowing only letters, digits and '.'.
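The whitelist fix for example 2, as an added example that is not the article's own code: the original blacklist filter is kept beside a whitelist check limited to letters, digits and '.', and the md5 is then computed in process with hashlib so that no command string is built at all. The names FILENAME_RE, is_safe_filename, local_md5 and demo are assumptions for this illustration, and the sample file in demo() is constructed.

```python
import hashlib
import os
import re
import tempfile

# Added example, not the article's own code.  The whitelist is the article's
# suggestion (letters, digits and '.'); the hash is computed in process so
# there is no md5sum command line to inject into.

# One or more letter/digit runs joined by single dots.  This rejects shell
# separators, quotes, whitespace, '/' (path elements) and '..' (traversal).
FILENAME_RE = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9]+)*")


def old_blacklist_filter(file_name):
    """The original filter: strips ';' and '&' and nothing else."""
    return file_name.replace(';', '').replace('&', '')


def is_safe_filename(file_name):
    """Whitelist check: True only if the whole string is allowed.

    fullmatch() is used on purpose: with re.match() and a '$' anchor a name
    ending in a newline would still pass, because '$' matches before it.
    """
    return isinstance(file_name, str) and FILENAME_RE.fullmatch(file_name) is not None


def local_md5(path, file_name):
    """Whitelist the name, then hash the file without spawning md5sum."""
    if not is_safe_filename(file_name):
        raise ValueError("rejected file name: %r" % (file_name,))
    digest = hashlib.md5()
    with open(os.path.join(path, file_name), "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo():
    """Constructed sample: a temp dir holding one file with the bytes b'hello\\n'."""
    with tempfile.TemporaryDirectory() as path:
        with open(os.path.join(path, "report.txt"), "wb") as fh:
            fh.write(b"hello\n")
        return local_md5(path, "report.txt")


if __name__ == "__main__":
    print(demo())                                  # b1946ac92492d2347c6235b4d2611184
    print(old_blacklist_filter("a.txt|true"))      # a.txt|true  (separator survives)
    print(is_safe_filename("a.txt|true"))          # False
```

The contrast is the point: the blacklist leaves any separator it did not think of untouched, while the whitelist rejects everything outside the small set of characters a file name is allowed to contain.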

Example 3 (an unsafe format string):

P. y.

target is a string in URL format, and it is unfiltered. There is also a latent threat: deep is formatted with %s although it must be an int, so %d is the right choice. If the deep variable can be tainted later, that would be a disaster.


cmd = 'python b.py --task_id "%s" -s %s --deep %s --check_level %s -b' % (taski, target, deep, check_level)
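A hardened form of the example 3 command, as an added example that is not the article's own code: target is whitelisted as a plain http(s) URL, the numeric parameters are checked as ints (the same check the tid parameter in example 4 needs), and the result is an argument list rather than a spliced string. It also shows why %d is preferred over %s: %d raises TypeError for a string, although it still accepts floats and bools, so it is a guard rather than a real check. The names TARGET_RE, validate_target, as_int, build_scan_argv, run_scan and percent_d_rejects are assumptions; b.py is the article's own script and is not included here.

```python
import re
import subprocess

# Added example, not the article's own code.  The names below are
# assumptions for this illustration.

# Whitelist for a URL-format parameter: http(s) scheme, hostname characters,
# optional port, and a path/query limited to URL-safe characters.  Nothing a
# shell treats specially (';', '|', '&', '`', '$', quotes, whitespace) passes.
TARGET_RE = re.compile(r"https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9/._~%?=-]*)?")


def validate_target(target):
    """Return target unchanged if it is a plain http(s) URL, else raise."""
    if not isinstance(target, str) or TARGET_RE.fullmatch(target) is None:
        raise ValueError("target is not a plain http(s) URL: %r" % (target,))
    return target


def as_int(value, name, lo, hi):
    """Accept an int, or a string of decimal digits, within [lo, hi]."""
    if isinstance(value, bool):
        raise TypeError("%s must be an int, not bool" % name)
    if isinstance(value, str):
        if re.fullmatch(r"[0-9]+", value) is None:
            raise ValueError("%s must be decimal digits: %r" % (name, value))
        value = int(value)
    elif not isinstance(value, int):
        raise TypeError("%s must be an int: %r" % (name, value))
    if not lo <= value <= hi:
        raise ValueError("%s out of range: %d" % (name, value))
    return value


def build_scan_argv(taski, target, deep, check_level):
    """Hardened form of the example 3 command: every parameter is validated,
    then becomes its own argv element (no shell, no string splicing).
    The ranges are illustrative assumptions."""
    return [
        "python", "b.py",
        "--task_id", str(as_int(taski, "task_id", 1, 10**9)),
        "-s", validate_target(target),
        "--deep", str(as_int(deep, "deep", 0, 10)),
        "--check_level", str(as_int(check_level, "check_level", 0, 5)),
        "-b",
    ]


def run_scan(taski, target, deep, check_level):
    """Run b.py (the article's script, assumed to exist) without a shell."""
    argv = build_scan_argv(taski, target, deep, check_level)
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


def percent_d_rejects(value):
    """True if '%d' refuses the value.  A tainted string such as '3; id' is
    rejected; floats are silently truncated and bools become 0/1, which is
    why as_int() above is still needed."""
    try:
        "--deep %d" % value
    except TypeError:
        return True
    return False
```

Validation and argv construction are kept separate from execution so that build_scan_argv can be unit-tested on hostile input without ever spawning a process.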

Example 4 (command injection not yet exploitable):

c.py

In the site_report function, the tid parameter is not validated. It is currently not exploitable only because a database query comes first:

get_object_or_404(Task, get_domain_query(request), id=tid)  # a tid containing special symbols matches no row, so this returns 404 and, for now, shields the cmd concatenation below

Once that statement is changed, this becomes a new command injection vulnerability:

cmd = 'sh /opt/report %s > /tmp/export_report.log 2>&1' % dar
