Closed bakera81 closed 6 years ago
You don't need to use eval. These commands can be run directly on any DataCamp Light Python exercise. However, it is being run as root (which hopefully protects against most issues):
@bakera81 not sure if this is a security issue. Our code execution service allows people to run arbitrary Python code, so code for OS-level commands. However, this code is executed as a non-root user, so your ability to mess things up is rather limited. I'm closing this, as this is something we're aware of, but if you have a targeted example where this is troublesome, please reopen!
On learnpython.org, you can execute OS-level commands.
Steps to Reproduce
Returns:
Example to get OS code execution (simple example using 'id' command):
Returns:
More info: https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html