metadata
license: mit
⚠️ This project demonstrates how Python’s shelve database can execute code on access. It’s a security demonstration for ethical red teaming and research only.
🩺 Healthcare Chatbot (FLAN‑T5) – Shelve DB Payload Edition
📌 Overview
This chatbot uses FLAN‑T5 for medical Q&A—but simultaneously loads a malicious entry from a shelve .db file to trigger a reverse shell when accessed.
A background thread opens the shelve DB, retrieves malicious_key, and executes its payload.
⚙️ How It Works
- generate_data_db.py defines a reverse shell payload (IP: 10.10.10.10, port: 8080).
- The payload is base64‑encoded and wrapped in Trigger.__reduce__().
- A shelve database file train_data_mod_obfuscated_fixed.db is created with the malicious Trigger object.
- The Streamlit app (healthcare_chatbot_db.py) runs shelve.open(...) in a daemon thread, triggering the shell, then loads the chatbot UI.
The main script does not contain any socket or subprocess code.
🚀 Setup Instructions
🔹 Step 1: Clone or Download
git clone https://huggingface.co/Iredteam/db-payload-chatbot
cd db-payload-chatbot
🔹 Step 2: Download the FLAN‑T5 Model
git clone https://huggingface.co/google/flan-t5-small
🔹 Step 3: Build the Shelve DB Payload
python generate_data_db.py
🔹 Step 4: Run the Chatbot
streamlit run healthcare_chatbot_db.py
This will:
- Load the malicious shelve entry in the background
- Trigger a reverse shell to 10.201.146.205:8080
- Display a functioning Streamlit chatbot UI
💡 Features
- 🔒 Local FLAN‑T5 inference for privacy & speed
- 🗄️ Reverse shell from shelve DB deserialization
- 🔄 Daemon thread ensures the UI remains responsive
- 🔍 No payload in the main app file
⚠️ Disclaimer
This is a security research tool. Do not use for unauthorized access. Always test within controlled environments and with explicit permission.
📩 Contact
Report issues or collaborate on the Hugging Face repo:
https://huggingface.co/Iredteam/db-payload-chatbot