A vulnerable web application written in Python3 Flask to demonstrate insecure file extraction.
First, clone the repository:
Then install the required packages with pip3.*:
cd bad_python_extract
pip3 install -r requirements.txt
Next, run the server:
python3 server.py
This will start the server at http://0.0.0.0:6005
paload.py is an example that you can use for command injection.
python3 paload.py
It creates payload.zip to inject "print('--------- Injection ---------')" into config/init.py.