Heim >Backend-Entwicklung >Python-Tutorial >Python安全编码与代码审计

Python安全编码与代码审计

WBOY
WBOYOriginal
2016-06-06 11:14:471705Durchsuche

1 前言

现在一般的web开发框架安全已经做的挺好的了,比如大家常用的django,但是一些不规范的开发方式还是会导致一些常用的安全问题,下面就针对这些常用问题做一些总结。代码审计准备部分见《php代码审计》,这篇文档主要讲述各种常用错误场景,基本上都是咱们自己的开发人员犯的错误,敏感信息已经去除。

Python安全编码与代码审计

2 XSS

未对输入和输出做过滤,场景:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> xss_test</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">    name </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'name'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">    </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">HttpResponse</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'hello %s'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font>

在代码中一搜,发现有大量地方使用,比较正确的使用方式如下:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> xss_test</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> name </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'name'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">#return HttpResponse('hello %s' %(name))</font></span>

return render_to_response('hello.html', {'name':name})

更好的就是对输入做限制,比如说一个正则范围,输出使用正确的api或者做好过滤。

3 CSRF

对系统中一些重要的操作要做CSRF防护,比如登录,关机,扫描等。django 提供CSRF中间件django.middleware.csrf.CsrfViewMiddleware,写入到settings.py的中间件即可。另外再在函数前加上@csrf_exempt修饰器。

4 命令注入

审计代码过程中发现了一些编写代码的不好的习惯,体现最严重的就是在命令注入方面,本来python自身的一些函数库就能完成的功能,偏偏要调用os.system来通过shell 命令执行来完成,老实说最烦这种写代码的啦。下面举个简单的例子:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> myserve</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  re </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> serve</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">path</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">document_root</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">show_indexes</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">True</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  filestr</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'authExport.dat'</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  re</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'Content-Disposition'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'attachment; filename="'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">+</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> urlquote</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filestr</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">+</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'"'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">os</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">path</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">join</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  os</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">system</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'sudo rm -f %s'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> re</span></font>

很显然这段代码是存在问题的,因为fullname是用户可控的。正确的做法是不使用os.system接口,改成python自有的库函数,这样就能避免命令注入。python的三种删除文件方式:

(1)shutil.rmtree 删除一个文件夹及所有文件

(2)os.rmdir 删除一个空目录

(3)os.remove,unlink 删除一个文件

使用了上述接口之后还得注意不能穿越目录,不然整个系统都有可能被删除了。常见的存在命令执行风险的函数如下:

os.system,os.popen,os.spaw*,os.exec*,os.open,os.popen*,commands.call,commands.getoutput,Popen*

推荐使用subprocess模块,同时确保shell=True未设置,否则也是存在注入风险的。

5 sql注入

如果是使用django的api去操作数据库就应该不会有sql注入了,但是因为一些其他原因使用了拼接sql,就会有sql注入风险。下面贴一个有注入风险的例子:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> getUsers</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user_id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">None</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> conn </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> psycopg2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">connect</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"dbname='&times;&times;' user='&times;&times;' host='' password=''"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cur </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> conn</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor_factory</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">psycopg2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">extras</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">DictCursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">if</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> user_id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">==</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">None</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  str </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'select distinct * from auth_user'</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">else</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  str</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'select distinct * from auth_user where id=%d'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user_id
  res </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cur</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">execute</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">str</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  res </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cur</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fetchall</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  conn</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">close</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> res</span></font>

像这种sql拼接就有sql注入问题,正常情况下应该使用django的数据库api,如果实在有这方面的需求,可以按照如下方式写:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> user_contacts</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> user </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'username'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> sql </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"SELECT * FROM user_contacts WHERE username = %s"</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> connection</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">execute</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">sql</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">])</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)"># do something with the results</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> results </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fetchone</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">#or results = cursor.fetchall()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">close</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font>

直接拼接的是万万不可的,如果采用ModelInstance.objects.raw(sql,[]),或者connection.objects.execute(sql,[]) ,通过列表传进去的参数是没有注入风险的,因为django会有处理。

6 代码执行

一般是由于eval和pickle.loads的滥用造成的,特别是eval,大家都没有意识到这方面的问题。下面举个代码中的例子:

<span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">@login_required</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">@permission_required</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"accounts.newTask_assess"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> targetLogin</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> req </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> simplejson</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">loads</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">POST</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'loginarray'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">])</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> req</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">unicode</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">req</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">).</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">encode</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"utf-8"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> loginarray</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">eval</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">req</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> ip</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">_e</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'ipList'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">#targets=base64.b64decode(targets)</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist1</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">getIPTwoList</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">ip</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> iplist1</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">list</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">set</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist1</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> iplist2</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">list</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">set</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> loginlist</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> delobjs</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> holdobjs</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span>


 

这一段代码就是就是因为eval的参数不可控,导致任意代码执行,正确的做法就是literal.eval接口。再取个pickle.loads的例子:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">>>></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">import</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cPickle
</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">>>></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cPickle</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">loads</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"cos\nsystem\n(S'uname -a'\ntR."</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">Linux</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> RCM</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">RSAS</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">V6</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">Dev</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">3.9</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">0</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">aurora </span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">#4 SMP PREEMPT Fri Jun 7 14:50:52 CST 2013 i686 Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz GenuineIntel GNU/Linux</span></font><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">0</font></span>

7 文件操作

文件操作主要包含任意文件下载,删除,写入,覆盖等,如果能达到写入的目的时基本上就能写一个webshell了。下面举个任意文件下载的例子:

<span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">@login_required</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">@permission_required</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"accounts.newTask_assess"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> exportLoginCheck</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">if</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> re</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">match</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">r</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">&ldquo;*.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">lic</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">&rdquo;,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  fullname </font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> filename
 </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">else</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  fullname </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"/tmp/test.lic"</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  </font></span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">print</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> fullname
 </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">HttpResponse</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font>

这段代码就存在着任意.lic文件下载的问题,没有做好限制目录穿越,同理

8 文件上传

8.1 任意文件上传

这里主要是未限制文件大小,可能导致ddos,未限制文件后缀,导致任意文件上传,未给文件重命名,可能导致目录穿越,文件覆盖等问题。

8.2 xml,excel等上传

在我们的产品中经常用到xml来保存一些配置文件,同时也支持xml文件的导出导入,这样在libxml2.9以下就可能导致xxe漏洞。就拿lxml来说吧:

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">root@kali:~/python# cat test.xml
</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><?</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">xml version</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"1.0"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> encoding</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"utf-8"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">?></span></font><span class="dec" style="BOX-SIZING: border-box; COLOR: teal"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><!DOCTYPE xdsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd" ></font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">]>
</font></span><span class="tag" style="BOX-SIZING: border-box"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><root></font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="tag" style="BOX-SIZING: border-box"><node</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"11"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"bb"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">net</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"192.168.0.2-192.168.0.37"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">ltd</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">gid</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="tag" style="BOX-SIZING: border-box">/></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">test&xxe;</span><span class="tag" style="BOX-SIZING: border-box"></root></span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">>>> from lxml import etree
>>> tree1 = etree.parse('test.xml')
>>> print etree.tostring(tree1.getroot())
</font></span><span class="tag" style="BOX-SIZING: border-box"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><root></font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="tag" style="BOX-SIZING: border-box"><node</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"11"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"bb"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">net</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"192.168.0.2-192.168.0.37"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">ltd</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">gid</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="tag" style="BOX-SIZING: border-box">/></span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">testroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh</font></span>

这是因为在lxml中默认采用的XMLParser导致的:

<span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">class XMLParser(_FeedParser)
| XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, XMLSchema schema=None, remove_blank_text=False, resolve_entities=True, remove_comments=False, remove_pis=False, strip_cdata=True, target=None, compact=True)</font></span>

关注其中两个关键参数,其中resolve_entities=True,no_network=True,其中resolve_entities=True会导致解析实体,no_network会为True就导致了该利用条件比较有效,会导致一些ssrf问题,不能将数据带出。在python中xml.dom.minidom,xml.etree.ElementTree不受影响

9 不安全的封装

9.1 eval 封装不彻底

仅仅是将__builtings__置为空,如下方式即可绕过,可参见bug84179

<span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">>>> s2="""
... [x for x in ().__class__.__bases__[0].__subclasses__()
... if x.__name__ == "zipimporter"][0](
... "/home/liaoxinxi/eval_test/configobj-4.4.0-py2.5.egg").load_module(
... "configobj").os.system("uname")
... """
>>> eval(s2,{'__builtins__':{}})
Linux
0</font></span>

9.2 执行命令接口封装不彻底

在底层封装函数没有过滤shell元字符,仅仅是限定一些命令,但是其参数未做控制,可参见bug86011

10 总结

1、一切输入都是不可靠的,做好严格过滤。

2、验证输入,避免注入,危险函数列表:evec(),eval(),os.system(),os.popen(),execfile(),input(),compile()

3、访问控制

4、认证管理和session管理,url中不要带认证信息或者用户信息,给敏感信息加密,python的random和whrandom不是足够强大,要获取强大的密码,得使用n=open('/dev/urandom') data = n.read(128)

5、xss

6、错误处理

7、不安全的存储,如base64编码密码

8、ddos

9、配置管理,session过期时间

10、缓冲区溢出

Stellungnahme:
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn