MHLoppyMar 21, 2025

isInHell = true

isInHell = true

https://fedia.io/media/b9/ae/b9ae619e723e9bf32d053366e4cf0a7441a802de4e9e29abafa2a9f7947669e7.webp

Show threadjjjalljsMar 21, 2025
Is the backend Python and the frontend JavaScript? Because then that would happen and just be normal, because Boolean true is True in python.
Show threadtestfactor
Probably, but if you’re interpreting user inputs as raw code, you’ve got much much worse problems going on, lol.
Mar 21, 2025 at 2:05pmWeb
Show threadmmddmmMar 21, 2025
It’s the settiings file… It’s probably supposed to only be written by the system admin.
Show threadraldone01Mar 21, 2025
A good place to put persistent malware. That’s why when using docker images always mount as ro if at all possible.
Show threadmmddmmMar 21, 2025
Every environment has plenty of good places to put persistent malware. Even if you run your docker images as ro.
Show threadAshleyMar 21, 2025
It’s you can modify the settings file you sure as hell can put the malware anywhere you want
Show threadMajorHavocMar 24, 2025

It’s you can modify the settings file you sure as hell can put the malware anywhere you want

True. But a code settings file still carries it’s own special risk, as an executable file, in a predictable place, that gets run regularly.

An executable settings file is particularly nice for the attacker, as it’s a great place to ensure that any injected code gets executed without much effort.

In particular, if an attacker can force a reboot, they know the settings file will get read reasonably early during the start-up process.

So a settings file that’s written in code can be useful for an attacker who can write to the disk (like through a poorly secured upload prompt), but doesn’t have full shell access yet.

They will typically upload a reverse shell, and use a line added to settings to ensure the reverse shell gets executed and starts listening for connections.

Show threadSchwertImSteinMar 21, 2025
It’s not User input, it’s config file
Show thread0x0Mar 21, 2025

Given the warning about capitalization, the best possible case is that they’re using ast.literal_eval() rather than throwing untrusted input into eval().

Err, I guess they might be comparing strings to ‘True’ and are choosing to be really strict about capitalization for some reason.

ast — Abstract syntax trees

Source code: Lib/ast.py The ast module helps Python applications to process trees of the Python abstract syntax grammar. The abstract syntax itself might change with each Python release; this modul...

Python documentation
Show threadMajorHavocMar 21, 2025
Yeah. Maybe .to_lower() is really expensive in their environment, lol.