[FIX] Command injection

Fixed the issue using the `subprocess.run(["program", f"options"])` method which is safe for formatting `user-supplied` inputs inside commands to be `executed`
2024-11-14 19:55:19 +00:00 · 2020-08-05 18:30:09 +02:00 · 2020-08-05 18:30:09 +02:00 · 6e41f4a5ee
commit 6e41f4a5ee
parent 920a238ea1
1 changed files with 22 additions and 14 deletions
--- a/hackingtool.py
+++ b/hackingtool.py
@ -2,6 +2,7 @@
 # -*- coding: UTF-8 -*-
 # Version 1.1.0
 import os
+import subprocess
 import sys
 import webbrowser
 import socket
@ -246,7 +247,7 @@ class Main:
    def ports(self):
        self.clear_scr()
        target = input('Select a Target IP: ')
-        os.system(f"sudo nmap -O -Pn {target}")
+        subprocess.run(["sudo nmap", f" -O -Pn {target}"])
        input('\nPress Enter to back...')
        self.info()

@ -378,7 +379,8 @@ class Main:

        if choice == "2":
            site = input("Enter Site Name (example.com) >> ")
-            os.system(f"cd Striker && sudo python3 striker.py {site}")
+            os.system(f"cd Striker")
+            subprocess.run(["sudo python3 striker.py", f"{site}"])
            self.striker()

        if choice == "99":
@ -426,7 +428,8 @@ class Main:

        if choice == "2":
            ip = input("Enter Ip >> ")
-            os.system(f"cd rang3r;sudo python rang3r.py --ip {ip}")
+            os.system(f"cd rang3r")
+            subprocess.run(["sudo python rang3r.py", f"--ip {ip}"])
            self.portscanner()

        if choice == "99":
@ -1641,12 +1644,12 @@ class Main:
            if choice_run == "1":
                file_hide = input("Enter Filename you want to Embed (1.txt) >> ")
                file_to_be_hide = input("Enter Cover Filename(test.jpeg) >> ")
-                os.system(f"steghide embed -cf {file_to_be_hide} -ef {file_hide}")
+                subprocess.run(["steghide", "embed", f"-cf {file_to_be_hide}", f"-ef {file_hide}"])
                self.steganohide()

            if choice_run == "2":
                from_file = input("Enter Filename From Extract Data >> ")
-                os.system(f"steghide extract -sf {from_file}")
+                subprocess.run([f"steghide extract", f" -sf {from_file}"])
                self.steganohide()

            if choice_run == '99':
@ -1669,7 +1672,7 @@ class Main:
        if choice == "2":
            filename = input("Enter Filename:- ")
            passfile = input("Enter Wordlist Filename:- ")
-            os.system(f"stegcracker {filename} {passfile}")
+            subprocess.run(["stegcracker", f" {filename} {passfile}"])
            self.stegnocracker()

        if choice == "99":
@ -1917,7 +1920,8 @@ class Main:
        if choice == "2":
            name = input("Enter Username >> ")
            wordlist = input("Enter wordword list >> ")
-            os.system(f"cd instaBrute;sudo python instaBrute.py -u {name} -d {wordlist}")
+            os.system(f"cd instaBrute")
+            subprocess.run(["sudo python instaBrute.py", f" -u {name} -d {wordlist}"])
            self.instabrute()

        if choice == "99":
@ -1957,7 +1961,8 @@ class Main:
        if choice == "2":
            name = input("Enter Username >> ")
            wordlist = input("Enter Wordlist >> ")
-            os.system(f"cd Brute_Force;python3 Brute_Force.py -f {name} -l {wordlist}")
+            os.system("cd Brute_Force")
+            subprocess.run("python3 Brute_Force.py", f" -f {name} -l {wordlist}")
            self.faceshell()

        if choice == "99":
@ -2376,7 +2381,8 @@ class Main:

        if choice == "2":
            name = input("Enter Username >> ")
-            os.system(f"cd sherlock ;sudo python3 sherlock {name}")
+            os.system("cd sherlock")
+            subprocess.run(["sudo python3 sherlock", f" {name}"])
            self.sherlock()

        if choice == "99":
@ -2395,7 +2401,7 @@ class Main:

        if choice == "2":
            name = input("Enter Username or Emailid (if both then please space between email & username) >> ")
-            os.system(f"sudo socialscan {name}")
+            subprocess.run(["sudo socialscan", f" {name}"])
            self.socialscan()

        if choice == "99":
@ -2570,7 +2576,7 @@ class Main:

        if choice == "2":
            uinput = input("Enter (.apk) File >> ")
-            os.system("sudo apk2gold {0}".format(uinput))
+            subprocess.run(["sudo apk2gold", " {0}".format(uinput)])

        if choice == "99":
            self.reversetool()
@ -2629,7 +2635,7 @@ class Main:

        if choice == "2":
            target_site = input("Enter Target Site:- ")
-            os.system(f"slowloris {target_site}")
+            subprocess.run(["slowloris", f" {target_site}"])
            self.slowloris()

        if choice == "99":
@ -2651,7 +2657,8 @@ class Main:
            source_port = input("Enter Source Port >> ")
            target_ip = input("Enter Target IP >> ")
            target_port = input("Enter Target port >> ")
-            os.system(f"cd aSYNcrone;sudo ./aSYNcrone {source_port} {target_ip} {target_port} 1000")
+            os.system(f"cd aSYNcrone")
+            subprocess.run(["sudo ./aSYNcrone", f" {source_port} {target_ip} {target_port} 1000"])
            self.asyncrone()

        if choice == "99":
@ -2922,7 +2929,8 @@ class Main:

        if choice == "2":
            website = input("Enter Website >> ")
-            os.system(f"cd XSSCon;python3 xsscon.py -u {website}")
+            os.system("cd XSSCon")
+            subprocess.run(["python3 xsscon.py", f" -u {website}"])
            self.xsscon()

        if choice == "99":