webPromedium

Lab 404 — MindVault — RCE via eval() in Search Filter Expressions

hackadvisor

Task: MindVault knowledge platform exposes a search 'Filter Expression' field that is server-side eval()'d as raw Python with no blacklist and no sandbox. Solution: use the test=1 API oracle to confirm eval (7*7=49), then __import__('os').popen('id') runs as root and open('/root/flag.txt').read() returns the flag; a decoy flag and prompt-injection text in HTML are ignored.

$ ls tags/ techniques/

flask rce sandbox_escape python eval_injection prompt_injection decoy_flag mro_chain api_oracle

python_eval_injectiondecoy_flag_recognitionos_command_execution_via_importmro_subclass_chain_fallbacktest_mode_eval_oracleprompt_injection_resistance

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 224 — ModelVault — Path Traversal via OCI Manifest Digest— hackadvisor
[web][Pro]Lab 84 — PulseView— hackadvisor
[web][Pro]Lab 159 — ShareVault — Path Traversal via Filter Bypass in File Download— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor