mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
25 lines
666 B
Python
25 lines
666 B
Python
"""Phase 12 — Flask route, vulnerable.
|
|
|
|
Vulnerable route reads the `host` query parameter and concatenates it
|
|
into a shell command. Nyx harness reaches the route via
|
|
`app.test_client()` so no real network listener is bound.
|
|
"""
|
|
import subprocess
|
|
|
|
from flask import Flask, request
|
|
|
|
app = Flask(__name__)
|
|
|
|
|
|
@app.route("/ping", methods=["GET"])
|
|
def ping():
|
|
"""Vulnerable: untrusted query param flows to subprocess(shell=True)."""
|
|
host = request.args.get("host", "")
|
|
result = subprocess.run(
|
|
"ping -c 1 " + host,
|
|
shell=True,
|
|
capture_output=True,
|
|
text=True,
|
|
timeout=5,
|
|
)
|
|
return result.stdout + result.stderr
|