Command Injection In Online Compiler

Hi everyone, I hope you are all doing great. I wanted to share a vulnerability in online IDEs that leads to command injection.

Most online IDEs run submitted code inside a virtual environment (a container or VM), so a vulnerability of this kind does not directly affect the platform unless you can execute commands as root. Now, if you look at PHP, a program can call shell_exec, e.g. $output = shell_exec('ls /etc/');, which runs its argument on the system's command line and returns the output. The interesting part I found was that we could use this to fire arbitrary system commands from inside the compiler.

Example: $output = shell_exec('ls /etc/; cat /etc/passwd; ...'); (shell_exec takes a single string, so several commands are chained with ;). Ideally such calls would be blocked, but most online IDEs do not stop them from executing, and the result is:

The same trick works for Python: os.system() and the subprocess module behave like shell_exec, so a submission can fire shell commands there too. Many companies will not consider this a security issue because they already have protection, such as a disposable sandbox per run or, for PHP, listing shell_exec and its siblings (exec, system, passthru, proc_open, popen) in php.ini's disable_functions, but some companies forget to put that protection in place.
I reported it to a few companies and got rewarded for it.
Thanks for reading my post.
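To make the Python variant above concrete, here is a probe a tester (or a platform operator auditing their own sandbox) can paste into an online compiler. It is an added example, not code from the original post or from any of the platforms mentioned: it uses subprocess with shell=True as the Python equivalent of PHP's shell_exec, runs the post's own cat /etc/passwd check, and then triages the result the way the post argues (execution inside a throwaway container is expected; root, or no container at all, is what turns it into a real finding). The container markers (/.dockerenv, cgroup names) and the triage levels are assumptions of this example, not a standard.

```python
"""Sandbox probe for an online compiler's Python editor.

Added example, not code from the original post. Assumes a POSIX-like
sandbox with /bin/sh. The container heuristics below (/.dockerenv,
well-known names in /proc/1/cgroup) are common indicators, not proof
either way.
"""
from __future__ import annotations

import os
import subprocess


def run_shell(cmd: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Run `cmd` through /bin/sh, the Python analogue of PHP's shell_exec().

    Returns (succeeded, combined stdout+stderr). Failing to spawn a shell at
    all (seccomp, missing /bin/sh, a stubbed subprocess module, timeout)
    counts as "not succeeded", which is the answer a defender hopes for.
    """
    try:
        proc = subprocess.run(cmd, shell=True, capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.SubprocessError) as exc:
        return False, f"spawn failed: {exc!r}"
    return proc.returncode == 0, proc.stdout + proc.stderr


def looks_like_container() -> bool:
    """Heuristic (assumption): Docker/containerd/k8s/LXC leave these traces."""
    if os.path.exists("/.dockerenv"):
        return True
    try:
        with open("/proc/1/cgroup") as fh:
            text = fh.read()
    except OSError:
        return False
    return any(m in text for m in ("docker", "kubepods", "containerd", "lxc"))


def probe() -> dict:
    """Collect the facts that decide whether command execution matters here."""
    ok, ident = run_shell("id")
    report = {
        "shell_exec_possible": ok,
        "identity": ident.strip(),
        "is_root": ok and os.geteuid() == 0,
        "in_container": looks_like_container(),
    }
    # The post's own check: can the submission read the password database?
    ok, passwd = run_shell("cat /etc/passwd")
    report["passwd_readable"] = ok
    report["passwd_lines"] = len(passwd.splitlines()) if ok else 0
    return report


def severity(report: dict) -> str:
    """Rough triage (assumed levels): commands inside a disposable sandbox are
    expected; root or a non-container host is what raises the bar."""
    if not report["shell_exec_possible"]:
        return "none: shell commands are blocked"
    if not report["in_container"]:
        return "high: commands run outside a container, check host exposure"
    if report["is_root"]:
        return "medium: root inside the sandbox, check for escape paths"
    return "low: unprivileged command execution in a disposable sandbox"


if __name__ == "__main__":
    result = probe()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("triage:", severity(result))
```

Paste the whole file into the editor and run it; if the output stops at "shell_exec_possible: False" the platform is blocking the spawn, and everything after that is what you would put in a report.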
