🌐
GitHub
github.com › 3ls3if › Cybersecurity-Notes › blob › main › real-world-and-and-ctf › scripts-and-systems › python2-input-vulnerability.md
Cybersecurity-Notes/real-world-and-and-ctf/scripts-and-systems/python2-input-vulnerability.md at main · 3ls3if/Cybersecurity-Notes
Python 2 input vulnerability is a security flaw that arises due to the usage of the input() function in Python 2. Unlike its Python 3 counterpart, the input() function in Python 2 evaluates the input as Python code rather than treating it as ...
Author   3ls3if
🌐
Reddit
reddit.com › r/python › demo of how input() is security probem in python 2.7 (4min)
r/Python on Reddit: Demo of how input() is security probem in Python 2.7 (4min)
March 14, 2018 - Vulnerability is still a vulnerability, ... to use Skydthon instead of Python has lead to someone fucking you over. ... There's no vulnerability. input is used to input Python code into a Python 2.7 program....
Discussions

python - Is input() safe to use if you cast it as a string? - Stack Overflow
I've been experimenting with python 2.7's input() function and trying to find ways to exploit it. I know that by itself it's vulnerable to exploitation because you can input python expressions, which More on stackoverflow.com
🌐 stackoverflow.com
How can Python 2's input() be exploited cause a comparison against a random number yet-to-be-generated to pass? - Stack Overflow
I understand that relying on Python 2's built-in input() function (as opposed to raw_input(), which was renamed to input() in Python 3) is prone to security bugs. In this question, I'm trying to determine how to demonstrate this class of vulnerability. More on stackoverflow.com
🌐 stackoverflow.com
Python 2.7에서 input()이 보안 문제인 이유 (4분) 데모
🌐 r/Python
Is Python a Security Vulnerability?

No, there is nothing inherently insecure about python.

However Python can be used to make a vulnerability. For instance it would be easy to make a web portal that executes anything that is typed in. This is true for any programming language, but python makes it extra easy.

And I know, you would know better, but IT departments see all their users as idiots (often with good reason).

More on reddit.com
🌐 r/Python
27
17
November 20, 2017
🌐
Medium
medium.com › @abdelazimmohmmed › python-input-vulnerability-30b0bfea22c9
python input vulnerability. hi guys today i will show you how… | by intx0x80 | Medium
December 19, 2019 - input vulnerability it’not stop here but they have ability to read value like you system connect to database can when user enter password it will compare it with password store in database · assume database select query store in db_user and ...
🌐
Aikido
aikido.dev › home › articles › top 10 python security vulnerabilities developers should avoid
Python Security Vulnerabilities | Top Issues
January 29, 2026 - Even if your use of eval is “safe” today (e.g. only evaluating mathematical expressions), it creates a latent vulnerability that future changes can accidentally trigger. Mitigation: Never use eval or exec on untrusted input. In fact, avoid them altogether unless absolutely necessary. Python provides safer alternatives for most use cases (for example, use literal evaluation via ast.literal_eval for reading data structures, or dispatch tables for calling functions instead of building a string to eval).
🌐
GeeksforGeeks
geeksforgeeks.org › vulnerability-input-function-python-2-x
Vulnerability in input() function – Python 2.x - GeeksforGeeks
March 29, 2024 - If "secret_number" is given as input, answer is 'You lose'. The vulnerability lies here as we can even provide the name of a function as input and access values that are otherwise not meant to be accessed.
🌐
Blogger
intx0x80.blogspot.com › 2017 › 05 › python-input-vulnerability_25.html
python input vulnerability
May 25, 2017 - input vulnerability it'not stop here but they have ability to read value like you system connect to database can when user enter password it will compare it with password store in database
🌐
Wisc
research.cs.wisc.edu › mist › SoftwareSecurityCourse › Chapters › 3_8_3-Code-Injections.pdf pdf
Introduction to Software Security Chapter 3.8.3: Code Injections
Learn how to mitigate code injections vulnerabilities. Examples are presented from Python, Perl, JavaScript and Ruby. ... Code Injection is a specific type of injection attack where an executable program statement is constructed · involving user input at an attack surface that becomes vulnerable when it can be manipulated in an
🌐
Snyk
snyk.io › blog › code-injection-python-prevention-examples
Code injection in Python: examples and prevention | Snyk
December 6, 2023 - Dynamically constructing command strings without proper validation can lead to command injection vulnerabilities. For instance, take a look at this code: 1import os 2 3directory = input("Enter the directory to list: ") 4command = f"ls {directory}" # Vulnerable to Command Injection 5os.system(command)
🌐
Medium
medium.com › swlh › hacking-python-applications-5d4cd541b3f1
Hacking Python Applications. And how attackers exploit common… | by Vickie Li | The Startup | Medium
November 15, 2019 - Today, let’s talk about a few dangerous features that could be exploited by attackers in Python. Dangerous functions in Python like eval(), exec() and input() can be used to achieve authentication bypass and even code injection.
Find elsewhere
🌐
StackHawk
stackhawk.com › stackhawk, inc. › vulnerabilities and remediation › preventing command injection in python: a guide to security
Preventing Command Injection in Python: A Guide to Security
January 13, 2025 - This could seem like a given to some people, but you might be surprised by the number of Python apps in production still running version 2.7. With the changes that version 3 brings (like the input() function bug fix, we mentioned above), upgrading is not the easiest of tasks, but it is worth the effort. That is why this is the simplest yet the most useful secure practice for building in Python. These reviews focus on the general security of the application source code and cover injection vulnerabilities.
Top answer
1 of 5
13

is there any way to exploit input() and make it output "RIGHT password"?

Yep:

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__('sys').stdout.write('RIGHT password') or exit(0)
RIGHT password
C:\Users\Kevin\Desktop>

"But that doesn't count because you're printing your own output and terminating early", you protest hypothetically. "Show me an example where the conditional actually executes".

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: (1, globals().update({"random": type("", (object,), {"__init__": lambda self: setattr(self, "randint", lambda x,y: "1")})()}))[0]
RIGHT password

C:\Users\Kevin\Desktop>

"Ok, well, in a real application I wouldn't be using random.randint to determine the password. Show me an example where the conditional inp == "hunter2": passes"

import random
inp = str(input("Enter the password: "))
if inp == "hunter2":
    print "RIGHT password" 
else:
    print "WRONG password"

 

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__("re").search(r"if inp == \"(.*?)\"", open(__file__).read()).group(1)
RIGHT password

"That doesn't count because you read the file. Show me an example where you don't extract the password from the source code"

C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: type("", (str,), {"__str__": lambda self: self, "__eq__": lambda self, other: True})()
RIGHT password

C:\Users\Kevin\Desktop>
2 of 5
2

input has to process the string before it ever returns a value for str to turn back into a string. So no, "casting" does not make it safe.

🌐
CyberChef
sevenlayers.com › index.php › 215-abusing-python-input
Abusing Python Input
But if you recall from above, it's evaluating the input so if instead we feed it something like this: It evaluates the expression. In order to abuse this behavior, we can use __import__ to import a module and ultimately, we want it to eval the following: ... We catch a shell. Now let's point it to our victim: ... We catch our shell from the victim. If we wanted to fix our Python script, we'd use raw_input instead of input:
🌐
TutorialsPoint
tutorialspoint.com › python-vulnerability-in-input-function
Python vulnerability in input() function
August 29, 2019 - It considers the variable name equivalent to a number directly entered by the user, The expression yields a True Boolean value and game reaches the end. On the contrary, if I used raw_input() instead, no such issue is encountered. This vulnerability may prove fatal in case we are storing login credentials, user details & account passwords.
🌐
Pstanalytics
pstanalytics.com › blog › advanced-analytics › python › vulnerability-in-input-function-python-2-x-for-data-science
Data Science Training and Machine Learning Courses in Delhi NCR and Gurgaon
PST Analytics offers Data Science training and Machine Learning Course in Delhi, Gurgaon and NCR. We provide classroom data analytics training with global certification and certification courses.
🌐
Invicti
invicti.com › web-application-vulnerabilities › code-evaluation-python
Code Evaluation (Python) - Web Application Vulnerabilities | Invicti
This application is vulnerable to Python code injection, a critical security flaw that occurs when user-supplied input is passed directly into Python's dynamic code evaluation functions (such as eval(), exec(), or compile()) without proper validation or sanitization.
🌐
Blogger
cysecguide.blogspot.com › 2017 › 10 › vulnerability-of-input-in-python-2x.html
Vulnerability of input() in Python 2.x - Cybersecurity Guide
Without the double quotes, Python can be problematic because it understands the input value as a variable or a function name. Even if the programmer didn't intend using the "str2" as variable, but someone can exploit it.
Top answer
1 of 1
6

Approach 1: Overriding random.randint() Completely

Assuming the interpreter is Python 2, the following input will cause the result of the comparison to be True, without modifying the program at all:

[42 for random.randint in [lambda x,y: 42]][0]

Witness the execution transcript:

$ python test.py
What is the password?[42 for random.randint in [lambda x,y: 42]][0]
Access granted.

Digression: How It Works

To explain this -- in Python 2, input() -- as opposed to raw_input() -- runs content entered by the user through an evaluation pass. This means code can access defined variables, or have side effects on them.

lambda x,y: 42

is a function that takes two arguments, and always returns 42.

[42 for random.randint in [lambda x,y: 42]]

is a list comprehension that goes through a list of items containing only that lambda expression, assigning each of them in turn to the variable random.randint, and then adding the value 42 to its list; tacking on a [0] on the end thus makes the end effect be an evaluation to that value.


Approach 2: Setting a Known Seed

[random.seed(1), random.randint(0, 2**30), random.seed(1)][1]

Again, the transcript:

$ python test.py
What is the password?[random.seed(1), random.randint(0, 2**30), random.seed(1)][1]
Access granted.

In this case, we caused the random number generator to be initialized with a known seed; generated a value from the same range; and then reinitialized from that seed again -- and return the second value from that list, corresponding with the first random number generated with the given range and the given seed.

🌐
OffSec
offsec.com › home › research & tutorials › cve-2025-3248 – unauthenticated remote code execution in langflow via insecure python exec usage
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
June 18, 2025 - CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.
🌐
Medium
medium.com › @0xb07 › code-execution-python-input-5448505e739c
Code Execution Python input(). Root-me.org easy challenge | by 0xb07 | Medium
August 11, 2024 - When we examine this Python 2 code, it’s easy to spot several weaknesses, including a potential code execution vulnerability in the use of `input()`.
🌐
Guardrails
docs.guardrails.io › vulnerabilities › insecure use of dangerous function
Insecure Use of Dangerous Function | GuardRails
This rule detects user input that is passed to Python functions that spawn operating system commands, which allows attackers to execute arbitrary commands. Vulnerabilities in the use of the following libraries are supported by GuardRails: