1 | 1 | ### 代码注入、命令执行
|
2 | 2 |
|
3 |
| -1.内置危险函数 |
4 |
| - |
| 3 | + 1.内置危险函数 |
5 | 4 | exec
|
6 | 5 | execfile
|
7 | 6 | eval
|
8 |
| -2.标准库危险模块 |
9 |
| - |
| 7 | + |
| 8 | + 2.标准库危险模块 |
10 | 9 | os
|
| 10 | + os.popen() or subprocess.Popen(), and subprocess.check_output() |
11 | 11 | sys
|
12 | 12 | subprocess
|
| 13 | + subprocess.call(user_input, shell=True) : popen, subprocess.call等 |
13 | 14 | commands
|
14 |
| -3.危险第三方库 |
| 15 | + |
| 16 | + 3.危险第三方库 |
15 | 17 | Template(user_input) : 模板注入(SSTI)所产生的代码执行
|
16 | 18 | subprocess32
|
17 |
| -4.反序列化相关库 |
| 19 | + |
| 20 | + 4.反序列化 |
18 | 21 | marshal
|
19 | 22 | PyYAML
|
20 | 23 | pickle和cpickle
|
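Review bot: the new line 10 under `os` lists `subprocess.Popen()` and `subprocess.check_output()`, which belong with the `subprocess` entry at line 12 rather than with `os`; only `os.popen()` is an `os` call. Suggest moving the two `subprocess` names to line 13, which already reads `subprocess.call(user_input, shell=True) : popen, subprocess.call等`, and stating there that the hazard is `shell=True` (or a command string assembled from user input), not the functions as such. Also, the re-indented markers ` 1.内置危险函数` / ` 2.标准库危险模块` / ` 3.危险第三方库` / ` 4.反序列化` have a space before the digit but none after the period, so Markdown renders them as plain text rather than a numbered list; `1. 内置危险函数` would render. Finally, `execfile` and `commands` exist only in Python 2, which is worth marking next to the entries.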
|
23 | 26 | unzip
|
24 | 27 |
|
25 | 28 |
|
26 |
| -参考: |
27 |
| - |
28 | 29 | [Python沙箱逃逸的n种姿势](https://xianzhi.aliyun.com/forum/read/2138.html)
|
29 | 30 |
|
30 | 31 | [Python之数据序列化(json、pickle、shelve)](http://www.cnblogs.com/yyds/p/6563608.html)
|
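Review bot: removing the `参考:` label (old line 26) takes away the only separator between the dangerous-module list and the reference links, so `[Python沙箱逃逸的n种姿势]` at line 29 now reads as another entry of item `4.反序列化`; keep the label or promote it to a heading in the `###` style the file already uses. Separately, `unzip` (line 26) is an insecure-file-extraction issue rather than deserialization, as the list's own reference `Exploiting insecure file extraction in Python for code execution` (line 45) indicates, so it would sit better under its own item.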
|
35 | 36 |
|
36 | 37 | [EXPLOITING PYTHON CODE INJECTION IN WEB APPLICATIONS](http://www.securitynewspaper.com/2016/11/12/exploiting-python-code-injection-web-applications/)
|
37 | 38 |
|
38 |
| -[Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html) |
| 39 | +[Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html) |
| 40 | + |
| 41 | +[Python eval的常见错误封装及利用原理](http://xxlegend.com/2015/07/31/Python%20eval%E7%9A%84%E5%B8%B8%E8%A7%81%E9%94%99%E8%AF%AF%E5%B0%81%E8%A3%85%E5%8F%8A%E5%88%A9%E7%94%A8%E5%8E%9F%E7%90%86/) |
| 42 | + |
| 43 | +[Exploiting Python’s Eval](http://www.floyd.ch/?p=584) |
| 44 | + |
| 45 | +[Exploiting insecure file extraction in Python for code execution](https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution) |
| 46 | + |
| 47 | +[掌阅iReader某站Python漏洞挖掘](https://www.leavesongs.com/PENETRATION/zhangyue-python-web-code-execute.html) |
| 48 | + |
| 49 | +[Python Pickle的任意代码执行漏洞实践和Payload构造](http://www.code2sec.com/2017/03/22/python-pickle%E7%9A%84%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%AE%9E%E8%B7%B5%E5%92%8Cpayload%E6%9E%84%E9%80%A0/) |
| 50 | + |
| 51 | +[Python PyYAML反序列化漏洞实验和payload构造](http://www.code2sec.com/2017/09/22/python-pyyaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%AE%9E%E9%AA%8C%E5%92%8Cpayload%E6%9E%84%E9%80%A0/) |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +### 代码审计 |
| 56 | + |
| 57 | +[Python安全编码和代码审计](http://xxlegend.com/2015/07/30/Python%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E5%92%8C%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/) |
| 58 | + |
| 59 | +https://xianzhi.aliyun.com/forum/read/303.html |
| 60 | +https://xianzhi.aliyun.com/forum/read/302.html |
| 61 | +https://xianzhi.aliyun.com/forum/read/301.html |
| 62 | +https://xianzhi.aliyun.com/forum/read/300.html |
| 63 | +https://xianzhi.aliyun.com/forum/read/274.html |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +### python web 框架 |
| 68 | + |
| 69 | +[Django debug page XSS漏洞(CVE-2017-12794)分析](https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html) |
| 70 | + |
| 71 | +[Django DeleteView without confirmation template, but with CSRF attack](https://www.leavesongs.com/PYTHON/django-deleteView-without-confirmation-template.html) |
| 72 | + |
| 73 | +[谈一谈如何在Python开发中拒绝SSRF漏洞](https://www.leavesongs.com/PYTHON/defend-ssrf-vulnerable-in-python.html) |
| 74 | + |
| 75 | +[Django安全机制](http://xxlegend.com/2015/04/01/Django%E5%AE%89%E5%85%A8%E6%9C%BA%E5%88%B6/) |
| 76 | + |
| 77 | +[从Django的SECTET_KEY到代码执行](http://xxlegend.com/2015/04/01/%E4%BB%8EDjango%E7%9A%84SECTET_KEY%E5%88%B0%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/) |
| 78 | + |
| 79 | +[Django CSRF Bypass (CVE-2016-7401) 漏洞分析](https://paper.seebug.org/58/) |
| 80 | + |
| 81 | +[Django的两个url跳转漏洞分析:CVE-2017-7233&7234](https://paper.seebug.org/274/) |
| 82 | + |
| 83 | +[Python 格式化字符串漏洞(Django为例)](https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html) |
| 84 | + |
| 85 | + |
| 86 | + |
| 87 | +### package钓鱼 |
| 88 | + |
| 89 | +[Package 钓鱼](https://paper.seebug.org/311/) |
| 90 | + |
| 91 | +[被忽视的攻击面:Python package 钓鱼](https://paper.seebug.org/326/) |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +### LDAP注入 |
| 96 | + |
| 97 | +[Python安全编码之预防LDAP注入](http://xxlegend.com/2016/12/01/Python%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B9%8B%E9%A2%84%E9%98%B2LDAP%E6%B3%A8%E5%85%A5/) |
| 98 | + |
| 99 | + |
| 100 | + |
| 101 | +### 其他 |
| 102 | + |
| 103 | +[如何判断目标站点是否为Django开发](https://www.leavesongs.com/PENETRATION/detect-django.html) |
| 104 | + |
| 105 | +[Supervisord远程命令执行漏洞(CVE-2017-11610)](https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html) |
| 106 | + |
| 107 | +[Python安全 - 从SSRF到命令执行惨案](https://www.leavesongs.com/PENETRATION/getshell-via-ssrf-and-redis.html) |
| 108 | + |
| 109 | +[从Pwnhub诞生聊Django安全编码](https://www.leavesongs.com/PYTHON/django-coding-experience-from-pwnhub.html) |
| 110 | + |
| 111 | +[python富文本XSS过滤器](https://www.leavesongs.com/PYTHON/python-xss-filter.html) |
| 112 | + |
| 113 | +[基于mezzanine的攻防比赛环境搭建及XXE漏洞构造/](http://xxlegend.com/2016/04/01/%E5%9F%BA%E4%BA%8Emezzanine%E7%9A%84%E6%94%BB%E9%98%B2%E6%AF%94%E8%B5%9B%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%8F%8AXXE%E6%BC%8F%E6%B4%9E%E6%9E%84%E9%80%A0/) |
| 114 | + |
| 115 | + |
| 116 | + |
| 117 | +### 安全工具 |
| 118 | + |
| 119 | +[python正向连接后门](https://www.leavesongs.com/PYTHON/python-shell-backdoor.html) |
| 120 | + |
| 121 | +[struts2 S2-016/S2-017 Python GetShell](https://www.leavesongs.com/PENETRATION/UseOfStruts.html) |
| 122 | + |
| 123 | +[Python多线程端口扫描工具](https://www.leavesongs.com/PYTHON/PortScanner.html) |
| 124 | + |
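Review bot: the five bare `https://xianzhi.aliyun.com/forum/read/...` URLs at lines 59-63 are the only untitled entries in a list that otherwise uses `[title](url)` links; give them titles so the list stays consistent and the targets remain identifiable if the host disappears. Line 39 is removed and re-added with no visible difference (a whitespace-only change), and it duplicates line 37, which points to a mirror of the same sethsec article, so one of the two can go. The `SECTET_KEY` spelling at line 77 matches the linked post's own URL, so leave it rather than "correcting" it to `SECRET_KEY`; the trailing `/` inside the link text at line 113, by contrast, is a stray copy of the URL's path separator and should be dropped.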