mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
14 lines
411 B
Python
14 lines
411 B
Python
"""Phase 21 (Track M.3) — python-socketio handler vuln fixture.
|
|
|
|
`message(sid, data)` is a Socket.IO event handler. It splices the
|
|
inbound message into a shell command via `os.system`.
|
|
"""
|
|
import os
|
|
|
|
_NYX_ADAPTER_MARKER = "import socketio"
|
|
_NYX_EVENT_MARKER = "@sio.on('message')"
|
|
|
|
|
|
def message(sid, data):
|
|
# SINK: tainted message body concatenated into shell command.
|
|
os.system("echo " + str(data))
|