Python-Vulnerable/pythonvuln.py at main · sheikh-zain786/Python-Vulnerable · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# vulnerable_app.py

from flask import Flask, request
import subprocess
import os

app = Flask(__name__)

@app.route('/execute/<command>')
def execute_command(command):
    """Vulnerable endpoint that executes shell commands."""
    try:
        # INSECURE: Directly using user input in subprocess.
        result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT, text=True)
        return f"Command executed successfully:\n{result}"
    except subprocess.CalledProcessError as e:
        return f"Error executing command:\n{e.output}", 500
    except Exception as e:
        return f"An unexpected error occurred: {e}", 500

@app.route('/file/<filename>')
def read_file(filename):
    """Vulnerable endpoint that reads files."""
    try:
        # INSECURE: Path traversal vulnerability.
        filepath = os.path.join("/", filename) #This is bad.
        with open(filepath, 'r') as f:
            content = f.read()
        return content
    except FileNotFoundError:
        return "File not found", 404
    except Exception as e:
        return f"An error occurred: {e}", 500

@app.route('/sqli')
def sql_injection():
    """Simulated SQL Injection vulnerability."""
    user_id = request.args.get('id')
    if user_id:
        # INSECURE: Vulnerable to SQL injection (simulated).
        # In a real application, this would be a database query.
        result = f"Simulated query: SELECT * FROM users WHERE id = {user_id}"
        return result
    else:
        return "Please provide an 'id' parameter."

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0', port=5000)