I always preferred the remote code execution search myself personally... https:/...

fjcaetano · on Aug 5, 2013

Holy shit! Look at this! This is hilarious! https://github.com/bratliff/engconf/blob/0b8f003edc5f5d25fe1...

spyder · on Aug 5, 2013

And it has been already exploited: http://wordpress.org/support/topic/plugin-ezpz-one-click-bac...

krapp · on Aug 5, 2013

Oh. And it's for wordpress. Isn't that just fucking wonderful. I would guess looking at the age of the account and the complete lack of documentation that it's a personal project he never really intended to get much scrutiny. I'm sure if someone looked at my github they could find some bad code too. Not that bad though.

Edit - made an issue.

a904guy · on Aug 5, 2013

CGI Python? Happens... https://github.com/search?q=extension%3Apy+os.system+%22impo...

a904guy · on Aug 5, 2013

Django... https://github.com/search?q=extension%3Apy+os.system+%22requ...

ris · on Aug 5, 2013

I only found one exploitable example browsing the first few pages, whereas the majority of the OP's results looked fairly exploitable.

fjcaetano · on Aug 5, 2013

The difference is that SQL injection will only happen when using raw queries.

System (as you mentioned) or EXEC injections, however, may get out of hand.