Python安全编码与代码审计

php中文网

发布时间：2016-06-06 11:14:47

1813人浏览过

来源于php中文网

原创

1 前言

现在一般的web开发框架安全已经做的挺好的了，比如大家常用的django，但是一些不规范的开发方式还是会导致一些常用的安全问题，下面就针对这些常用问题做一些总结。代码审计准备部分见《php代码审计》，这篇文档主要讲述各种常用错误场景，基本上都是咱们自己的开发人员犯的错误，敏感信息已经去除。

Python安全编码与代码审计

2 XSS

未对输入和输出做过滤，场景：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> xss_test</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">    name </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'name'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">    </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">HttpResponse</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'hello %s'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font>

在代码中一搜，发现有大量地方使用，比较正确的使用方式如下：

立即学习“Python免费学习笔记（深入）”；

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> xss_test</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> name </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'name'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">#return HttpResponse('hello %s' %(name))</font></span>

return render_to_response('hello.html', {'name':name})

更好的就是对输入做限制，比如说一个正则范围，输出使用正确的api或者做好过滤。

3 CSRF

对系统中一些重要的操作要做CSRF防护，比如登录，关机，扫描等。django 提供CSRF中间件django.middleware.csrf.CsrfViewMiddleware,写入到settings.py的中间件即可。另外再在函数前加上@csrf_exempt修饰器。

4 命令注入

审计代码过程中发现了一些编写代码的不好的习惯，体现最严重的就是在命令注入方面，本来python自身的一些函数库就能完成的功能，偏偏要调用os.system来通过shell 命令执行来完成，老实说最烦这种写代码的啦。下面举个简单的例子：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> myserve</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  re </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> serve</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">path</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">document_root</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">show_indexes</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">True</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  filestr</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'authExport.dat'</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  re</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'Content-Disposition'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'attachment; filename="'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">+</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> urlquote</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filestr</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">+</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'"'</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">os</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">path</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">join</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">dirname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  os</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">system</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'sudo rm -f %s'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> re</span></font>

很显然这段代码是存在问题的，因为fullname是用户可控的。正确的做法是不使用os.system接口，改成python自有的库函数，这样就能避免命令注入。python的三种删除文件方式：

(1)shutil.rmtree 删除一个文件夹及所有文件

(2)os.rmdir 删除一个空目录

(3)os.remove，unlink 删除一个文件

使用了上述接口之后还得注意不能穿越目录，不然整个系统都有可能被删除了。常见的存在命令执行风险的函数如下：

os.system,os.popen,os.spaw*,os.exec*,os.open,os.popen*,commands.call,commands.getoutput,Popen*

推荐使用subprocess模块，同时确保shell=True未设置，否则也是存在注入风险的。

5 sql注入

如果是使用django的api去操作数据库就应该不会有sql注入了，但是因为一些其他原因使用了拼接sql，就会有sql注入风险。下面贴一个有注入风险的例子：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> getUsers</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user_id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">None</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> conn </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> psycopg2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">connect</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"dbname='××' user='××' host='' password=''"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cur </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> conn</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor_factory</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">psycopg2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">extras</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">DictCursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">if</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> user_id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">==</span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">None</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  str </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'select distinct * from auth_user'</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">else</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  str</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'select distinct * from auth_user where id=%d'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">%</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user_id
  res </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cur</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">execute</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">str</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  res </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cur</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fetchall</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  conn</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">close</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> res</span></font>

像这种sql拼接就有sql注入问题，正常情况下应该使用django的数据库api，如果实在有这方面的需求，可以按照如下方式写：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> user_contacts</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> user </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">GET</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'username'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">]</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> sql </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"SELECT * FROM user_contacts WHERE username = %s"</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> connection</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">execute</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">sql</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">user</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">])</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)"># do something with the results</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> results </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cursor</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fetchone</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">#or results = cursor.fetchall()</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> cursor</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">close</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">()</span></font>

直接拼接的是万万不可的，如果采用ModelInstance.objects.raw(sql,[]),或者connection.objects.execute(sql,[]) ,通过列表传进去的参数是没有注入风险的，因为django会有处理。

6 代码执行

一般是由于eval和pickle.loads的滥用造成的，特别是eval，大家都没有意识到这方面的问题。下面举个代码中的例子：

<span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">@login_required</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">@permission_required</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"accounts.newTask_assess"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> targetLogin</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> req </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> simplejson</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">loads</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">POST</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">[</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'loginarray'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">])</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> req</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">unicode</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">req</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">).</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">encode</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"utf-8"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> loginarray</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">eval</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">req</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> ip</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">_e</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">'ipList'</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">#targets=base64.b64decode(targets)</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist1</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">getIPTwoList</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">ip</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> iplist1</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">list</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">set</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist1</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> iplist2</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">list</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">set</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">iplist2</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">))</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> loginlist</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> delobjs</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> holdobjs</font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=[]</font></span>

这一段代码就是就是因为eval的参数不可控，导致任意代码执行，正确的做法就是literal.eval接口。再取个pickle.loads的例子：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">>>></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">import</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cPickle
</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">>>></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> cPickle</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">loads</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"cos\nsystem\n(S'uname -a'\ntR."</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">Linux</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> RCM</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">RSAS</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">V6</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">Dev</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">3.9</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">0</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">-</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">aurora </span><span class="com" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">#4 SMP PREEMPT Fri Jun 7 14:50:52 CST 2013 i686 Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz GenuineIntel GNU/Linux</span></font><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">0</font></span>

7 文件操作

动感购物HTML

修正了V1.10的一些BUG感购物HTML系统是集合目前网络所有购物系统为参考而开发，代码采用DIV编号，不管从速度还是安全我们都努力做到最好，此版虽为免费版但是功能齐全，无任何错误，特点有：专业的、全面的电子商务解决方案，使您可以轻松实现网上销售；自助式开放性的数据平台，为您提供充满个性化的设计空间；功能全面、操作简单的远程管理系统，让您在家中也可实现正常销售管理；严谨实用的全新商品数据库，便于

下载

文件操作主要包含任意文件下载，删除，写入，覆盖等，如果能达到写入的目的时基本上就能写一个webshell了。下面举个任意文件下载的例子：

<span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">@login_required</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="lit" style="BOX-SIZING: border-box; COLOR: rgb(25,95,145)">@permission_required</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"accounts.newTask_assess"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">def</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> exportLoginCheck</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">request</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">,</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)"> </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">if</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> re</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">match</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">r</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">“*.</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">lic</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">”，</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">filename</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">):</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  fullname </font></span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">=</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> filename
 </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">else</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">:</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  fullname </font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"/tmp/test.lic"</span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">  </font></span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">print</font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> fullname
 </span><span class="kwd" style="BOX-SIZING: border-box; COLOR: rgb(30,52,123)">return</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="typ" style="BOX-SIZING: border-box; COLOR: teal">HttpResponse</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">(</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">fullname</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">)</span></font>

这段代码就存在着任意.lic文件下载的问题，没有做好限制目录穿越，同理

8 文件上传

8.1 任意文件上传

这里主要是未限制文件大小，可能导致ddos，未限制文件后缀，导致任意文件上传，未给文件重命名，可能导致目录穿越，文件覆盖等问题。

8.2 xml，excel等上传

在我们的产品中经常用到xml来保存一些配置文件，同时也支持xml文件的导出导入，这样在libxml2.9以下就可能导致xxe漏洞。就拿lxml来说吧：

<font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">root@kali:~/python# cat test.xml
</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)"><?</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">xml version</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"1.0"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> encoding</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="str" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"utf-8"</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">?></span></font><span class="dec" style="BOX-SIZING: border-box; COLOR: teal"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><!DOCTYPE xdsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd" ></font></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">]>
</font></span><span class="tag" style="BOX-SIZING: border-box"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><root></font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="tag" style="BOX-SIZING: border-box"><node</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"11"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"bb"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">net</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"192.168.0.2-192.168.0.37"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">ltd</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">gid</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="tag" style="BOX-SIZING: border-box">/></span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">test&xxe;</span><span class="tag" style="BOX-SIZING: border-box"></root></span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)">
<font style="BACKGROUND-COLOR: rgb(247,247,249)">>>> from lxml import etree
>>> tree1 = etree.parse('test.xml')
>>> print etree.tostring(tree1.getroot())
</font></span><span class="tag" style="BOX-SIZING: border-box"><font style="BACKGROUND-COLOR: rgb(247,247,249)"><root></font></span><font style="BACKGROUND-COLOR: rgb(247,247,249)"><span class="tag" style="BOX-SIZING: border-box"><node</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">id</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"11"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">name</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"bb"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">net</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">"192.168.0.2-192.168.0.37"</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">ltd</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"> </span><span class="atn" style="BOX-SIZING: border-box; COLOR: teal">gid</span><span class="pun" style="BOX-SIZING: border-box; COLOR: rgb(147,161,161)">=</span><span class="atv" style="BOX-SIZING: border-box; COLOR: rgb(221,17,68)">""</span><span class="tag" style="BOX-SIZING: border-box">/></span></font><span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">testroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh</font></span>

这是因为在lxml中默认采用的XMLParser导致的：

<span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">class XMLParser(_FeedParser)
| XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, XMLSchema schema=None, remove_blank_text=False, resolve_entities=True, remove_comments=False, remove_pis=False, strip_cdata=True, target=None, compact=True)</font></span>

关注其中两个关键参数，其中resolve_entities=True,no_network=True,其中resolve_entities=True会导致解析实体，no_network会为True就导致了该利用条件比较有效，会导致一些ssrf问题，不能将数据带出。在python中xml.dom.minidom,xml.etree.ElementTree不受影响

9 不安全的封装

9.1 eval 封装不彻底

仅仅是将__builtings__置为空，如下方式即可绕过,可参见bug84179

<span class="pln" style="BOX-SIZING: border-box; COLOR: rgb(72,72,76)"><font style="BACKGROUND-COLOR: rgb(247,247,249)">>>> s2="""
... [x for x in ().__class__.__bases__[0].__subclasses__()
... if x.__name__ == "zipimporter"][0](
... "/home/liaoxinxi/eval_test/configobj-4.4.0-py2.5.egg").load_module(
... "configobj").os.system("uname")
... """
>>> eval(s2,{'__builtins__':{}})
Linux
0</font></span>

9.2 执行命令接口封装不彻底

在底层封装函数没有过滤shell元字符，仅仅是限定一些命令，但是其参数未做控制，可参见bug86011

10 总结

1、一切输入都是不可靠的，做好严格过滤。

2、验证输入，避免注入，危险函数列表：evec(),eval(),os.system(),os.popen(),execfile(),input(),compile()

3、访问控制

4、认证管理和session管理，url中不要带认证信息或者用户信息，给敏感信息加密，python的random和whrandom不是足够强大，要获取强大的密码，得使用n=open('/dev/urandom') data = n.read(128)

5、xss

6、错误处理

7、不安全的存储，如base64编码密码

8、ddos

9、配置管理，session过期时间