python-tools

vulnerability code injection (cwe-94)
severity 7.7
language python
registry other

✍️ Description

python-tools is using an unsecure input function in https://github.com/C0oki3s/python-tools/blob/main/Dir_create/Dir_create.py#L8. Given that the script can be run using python2 or python3, if you feed the program with a python command and the python interpreter is python2, then the interpreter will eval() your input

🕵️‍♂️ Proof of Concept

Run https://github.com/C0oki3s/python-tools/blob/main/Dir_create/Dir_create.py Then when asked to enter an input, enter the following

__import__("os").system("ls")

💥 Impact

Code execution. Please raw_input instead.