0x00 intro

- github repo: https://github.com/lykops/lykops
- 121 stars and 65 forks as of 2021/2/6

0x01 Post-Auth OS-command injection

lykops/library/utils/file.py#248 -> upload_file()

From there we get to lykops/lykops/ansible/yaml.py#74 (github link here).

The vulnerable parameter `file` comes from our HTTP request, in the FILES[] array, so we completely control the unsanitized parameter and can cause an OS command injection.

The corresponding route is ^ansible/yaml/import$; we can trigger this vuln by visiting it.

Also, you can see that an exception triggers two invocations of import_file(), which means a `sleep 5` command causes a delay of 10 seconds.

POST /ansible/yaml/import/
Host: lykops
...
...
...;filename="test.txt$(sleep 5)"
...
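A hardened upload handler for the pattern described above, added here as an example; it is not lykops's own code. It assumes the client filename arrives as the FILES[] entry and that the server only needs to store the file (no shell involved), and the function and directory names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Allowlist: letters, digits, dot, underscore, hyphen; first char alphanumeric.
# This excludes path separators, quotes, whitespace and shell metacharacters
# such as $ ( ) ; ` |, so "test.txt$(sleep 5)" can never pass.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def filename_is_safe(name: str) -> bool:
    """True only if the client-supplied filename matches the allowlist."""
    return _SAFE_NAME.fullmatch(name) is not None


def safe_filename(name: str) -> str:
    """Return the filename if it is safe, otherwise refuse the upload.

    The filename from the multipart header (the FILES[] entry) is attacker
    controlled; rejecting instead of "cleaning" keeps the policy obvious.
    """
    if not filename_is_safe(name):
        raise ValueError("rejected upload filename: %r" % name)
    return name


def save_upload(content: bytes, client_name: str, dest_dir: Path) -> Path:
    """Write the upload under dest_dir using file APIs only.

    No shell command is built from the name, so even a name that slipped
    through validation could only ever be a path component, not a command.
    """
    name = safe_filename(client_name)
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = (dest_dir / name).resolve()
    if target.parent != dest_dir.resolve():  # belt-and-braces path check
        raise ValueError("path escape: %r" % client_name)
    target.write_bytes(content)
    return target


if __name__ == "__main__":
    # Constructed sample names: the benign one and the one from the report.
    for candidate in ("test.txt", 'test.txt$(sleep 5)'):
        verdict = "accepted" if filename_is_safe(candidate) else "rejected"
        print(candidate, "->", verdict)
    with tempfile.TemporaryDirectory() as tmp:
        print(save_upload(b"- hosts: all\n", "playbook.yml", Path(tmp)))
```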