This exercise demonstrates a Remote Code Execution (RCE) vulnerability caused by unsafe usage of Python's eval() function.
The Flask application provides a simple calculator form where users can input mathematical expressions.
However, instead of safely parsing the input, it directly evaluates user input using eval(), making it possible to execute arbitrary Python code on the server.
- Open the vulnerable calculator page.
- Enter malicious Python code instead of a safe mathematical expression. For example:
__import__('os').system('ls')List server files:
__import__('os').system('ls')Read sensitive files:
__import__('builtins').open('/etc/passwd').read()Execute arbitrary Python code:
(lambda: (exec("print('Hacked!')")))()- Attackers can execute any Python code on the server.
- They can access sensitive files, open reverse shells, or completely take over the machine.
- Even seemingly "harmless" inputs can escalate into full control of the server.
- ✅ Identify that user input is being evaluated unsafely.
- ✅ Successfully inject Python code to demonstrate arbitrary command execution.
Try common Python exploitation patterns first (e.g., using import, open, or os.system). Always be cautious with user inputs — never use eval() on untrusted data!
python main.py