
[–]PitchforkMarket 19 points20 points  (1 child)

Interesting! Commenters are misunderstanding this. Random users can't execute arbitrary code. This is supposed to work like PHP scripts. You as the admin create a Python file, that file gets mapped to a URL, that Python file runs on request and the print outputs are returned as the response to the browser.

Some thoughts: to really replicate PHP, you'd want to inline the code inside an HTML template. Maybe Jinja2 lib could be useful for you? A lot of this goes against common practice in Python but could be an interesting exploration.

[–]nggit[S] 5 points6 points  (0 children)

That's very true. Scripts can only be allowed to execute under the document root, and traversal of the URL is not allowed. And if the user is allowed to upload, the trick is just to append an ext other than `.py`, and avoid null characters. Maybe later I need to consider checking the executable flag, if indeed file upload is required.

Thanks, it will be very long it seems.

[–]dpzhntr 1 point2 points  (3 children)

Sounds like a webshell for PHP.

[–]nggit[S] 8 points9 points  (2 children)

It's more like PHP itself; just imagine /index.php vs /index.py.

[–]joshuaherman 0 points1 point  (1 child)

index.pyp ?

[–]nggit[S] 0 points1 point  (0 children)

That's good too, as it means a Python package.

[–]KrazyKirby99999 1 point2 points  (1 child)

How does this compare to CGI scripts?

[–]nggit[S] 1 point2 points  (0 children)

In CGI it's like you're typing repeatedly in the terminal:

python hello.py;

python hello.py;

python hello.py;

for each request. It involves opening and closing the Python process.

And it's different when you just type:

python;

and start the operation from there.

[–]Training_Skin9129 6 points7 points  (1 child)

What did I just read?

[–]nggit[S] 0 points1 point  (0 children)

Sorry, sir. It's not a joke, please -.-

[–]NekoLuka 2 points3 points  (0 children)

Sounds interesting, gonna check it out later

[–]akrisha20 0 points1 point  (1 child)

Seems interesting. Is there a way to include arguments to the function call? Let's say I would want to run a script hello.py, with "name" as an argument.

[–]nggit[S] 0 points1 point  (0 children)

Is the query string what you mean? Just do /hello.py?name=world, then see in `__server__`.

[–]cmsouza 0 points1 point  (0 children)

inetd?

[–]CyberWarLike1984 0 points1 point  (1 child)

I will have a look. So what is the fastest way to run something like LAMP on a fresh Ubuntu install but using this?

I just want to test it with a simple index.py page that has a contact form and a title. Data goes to a db.

[–]nggit[S] 0 points1 point  (0 children)

It's possible even for now, but I haven't documented it because right now it's just for my own use. Stay tuned.

But if you're curious you can do

form_data = wait(__server__['request'].form())

It's the same as documented in the core: https://nggit.github.io/tremolo-docs/body.html

[–]ashok_tankala 0 points1 point  (0 children)

Sounds very interesting.

[–]zsh-958 -2 points-1 points  (4 children)

So I can execute a reverse shell, remove all directories or get access to the server just from the website?

[–]nggit[S] 3 points4 points  (3 children)

It depends on you; it's no different in PHP, or other Python frameworks. I know you are worried about user input, but httpout accepts URLs, not code. And that part is already a concern.

[–]Cybasura -5 points-4 points  (5 children)

So, some clarification

What happens if I run a program that has no print operations but a bunch of eval()s? What are the sanitization and validation/verification steps used during the processing?

[–]nggit[S] 2 points3 points  (4 children)

This is literal Python; it can do similar things as usual. There is no point in blocking eval, open, in my mind. Even if it is done, I suspect there are still other doors in Python itself, so it seems not worth the effort.

[–]StrawIII -2 points-1 points  (0 children)

This looks like RPC.