from fastapi import FastAPI, Form
import subprocess
import os
# Single application instance; every route decorator below registers on it.
app = FastAPI()
@app.get("/")
def read_root():
    """Serve the fixed greeting payload at the root path."""
    greeting = "Welcome internal-testing"
    return {"message": greeting}
@app.post("/execute")
def execute_command(command: str = Form(...)):
    """Hand a caller-supplied string to the system shell and echo the result.

    The ``command`` form field is passed verbatim to ``subprocess.Popen`` with
    ``shell=True``; nothing validates, quotes or allow-lists it, so this route
    is a command-injection sink: whatever the client posts is what the shell
    is asked to run.

    Returns a dict with the command and its stdout/stderr/returncode, or
    ``{"error": <exception text>}`` when any exception is raised.
    """
    try:
        # NOTE(review): ``capture_output`` is not a ``Popen`` parameter, so this
        # call raises TypeError before any process is spawned and the handler
        # falls through to the ``except`` branch below. Even with a valid
        # constructor call, ``.stdout``/``.stderr`` would be pipe objects (or
        # None without ``stdout=PIPE``), not strings, and ``.returncode`` stays
        # None until the child is waited on.
        result = subprocess.Popen(command, shell=True, capture_output=True, text=True)
        return {
            "command": command,
            "stdout": result.stdout,
            "stderr": result.stderr,
            "returncode": result.returncode
        }
    except Exception as e:
        # Broad catch: the raw exception text (including the TypeError above)
        # is returned to the client rather than logged server-side.
        return {"error": str(e)}
@app.get("/files")
def list_files(path: str = "."):
    """Deliberately vulnerable endpoint: list whatever directory the caller names.

    ``path`` is taken straight from the query string and handed to
    ``os.listdir`` with no normalisation and no base-directory check, so the
    caller can enumerate any directory the server process can read (path
    traversal / information disclosure). Defaults to the current working
    directory of the server process.

    Returns ``{"path": path, "files": [...]}``, or ``{"error": <exception
    text>}`` when the listing fails (missing path, not a directory, permission
    denied, ...).
    """
    try:
        files = os.listdir(path)
        return {"path": path, "files": files}
    except Exception as e:
        # Exception text (which includes the requested path) is echoed back
        # to the client verbatim.
        return {"error": str(e)}
@app.delete("/delete_file")
def delete_file(file: str = Query(...)):
    """Deliberately vulnerable endpoint: unlink whatever file the caller names.

    ``file`` is passed as-is to ``os.remove``; there is no base-directory
    restriction or allow-list, so any file the server process may write can be
    deleted.

    NOTE(review): ``Query`` is referenced here but only ``FastAPI`` and ``Form``
    are imported at the top of this file. The default expression is evaluated
    when the ``def`` statement runs, so as written importing this module fails
    with NameError before any route (including the ones above) is registered.

    Returns a success dict naming the deleted path, or ``{"error": <exception
    text>}`` when removal fails.
    """
    try:
        os.remove(file)
        return {"status": "success", "message": f"Deleted file: {file}"}
    except Exception as e:
        # Exception text is returned to the client rather than logged.
        return {"error": str(e)}
if __name__ == "__main__":
    import uvicorn
    # Binds on every interface (0.0.0.0:8000), not just loopback, so the routes
    # above are reachable from any host that can route to this machine.
    uvicorn.run(app, host="0.0.0.0", port=8000)