|
1 | 1 | 代码注入、命令执行
|
2 | 2 |
|
3 |
| - 1.内置危险函数 |
4 |
| - exec |
5 |
| - execfile |
6 |
| - eval |
7 |
| - Python eval的常见错误封装及利用原理 |
8 |
| - http://xxlegend.com/2015/07/31/Python%20eval%E7%9A%84%E5%B8%B8%E8%A7%81%E9%94%99%E8%AF%AF%E5%B0%81%E8%A3%85%E5%8F%8A%E5%88%A9%E7%94%A8%E5%8E%9F%E7%90%86/ |
9 |
| - Exploiting Python’s Eval |
10 |
| - http://www.floyd.ch/?p=584 |
11 |
| - 2.标准库危险模块 |
12 |
| - os |
13 |
| - os.popen() or subprocess.Popen(), and subprocess.check_output() |
14 |
| - 核心语句 |
15 |
| - sys |
16 |
| - subprocess |
17 |
| - subprocess.call(user_input, shell=True) : popen, subprocess.call等函数所导致的命令执行 |
18 |
| - commands |
19 |
| - 3.危险第三方库 |
20 |
| - Template(user_input) : 模板注入(SSTI)所产生的代码执行 |
21 |
| - subprocess32 |
22 |
| - 4.反序列化 |
23 |
| - marshal |
24 |
| - PyYAML |
25 |
| - pickle和cpickle |
26 |
| - http://www.cnblogs.com/yyds/p/6563608.html |
27 |
| - shelve |
28 |
| - PIL |
29 |
| - https://xianzhi.aliyun.com/forum/read/2163.html |
30 |
| - 图片库REC |
| 3 | +1.内置危险函数 |
| 4 | + |
| 5 | + exec |
| 6 | + execfile |
| 7 | + eval |
| 8 | +[Python eval的常见错误封装及利用原理](http://xxlegend.com/2015/07/31/Python%20eval%E7%9A%84%E5%B8%B8%E8%A7%81%E9%94%99%E8%AF%AF%E5%B0%81%E8%A3%85%E5%8F%8A%E5%88%A9%E7%94%A8%E5%8E%9F%E7%90%86/) |
| 9 | +[Exploiting Python’s Eval](http://www.floyd.ch/?p=584) |
| 10 | + |
| 11 | +2.标准库危险模块 |
| 12 | + |
| 13 | + os |
| 14 | + sys |
| 15 | + subprocess |
| 16 | + commands |
| 17 | +3.危险第三方库 |
| 18 | + Template(user_input) : 模板注入(SSTI)所产生的代码执行 |
| 19 | + subprocess32 |
| 20 | +4.反序列化 |
| 21 | + marshal |
| 22 | + PyYAML |
| 23 | + pickle和cpickle |
| 24 | + shelve |
| 25 | + PIL |
| 26 | + unzip |
| 27 | +参考: |
| 28 | + |
| 29 | +[Python之数据序列化(json、pickle、shelve)](http://www.cnblogs.com/yyds/p/6563608.html) |
| 30 | + |
| 31 | +[Exploiting Python PIL Module Command Execution Vulnerability](https://xianzhi.aliyun.com/forum/read/2163.html) |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +payload构造 |
| 36 | + |
| 37 | + 前提 |
| 38 | + eval+compile |
| 39 | + 多语句 |
| 40 | + __import__ |
| 41 | + __import__是一个函数,并且只接受字符串参数,import 都是在它的基础上实现的。 |
| 42 | + importlib |
| 43 | +参考 |
| 44 | + import相关,沙箱绕过 |
| 45 | + https://xianzhi.aliyun.com/forum/read/2138.html |
| 46 | + 代码注入 |
| 47 | + https://www.doyler.net/security-not-included/exploiting-python-code-injection |
| 48 | + http://www.securitynewspaper.com/2016/11/12/exploiting-python-code-injection-web-applications/ |
31 | 49 | https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html
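Review bot: The rewritten section 2 (new lines 11-16) drops the only concrete sinks the old list named: the `os.popen() or subprocess.Popen(), and subprocess.check_output()` sub-item under os and the `subprocess.call(user_input, shell=True)` sub-item under subprocess are removed and never re-added. That leaves os, sys, subprocess and commands as bare module names, with nothing telling an auditor which calls to look for. Keep both lines as sub-items under their modules, since the `shell=True` with user input detail is what makes the entry usable in a review. The old `图片库REC` item (possibly a typo for RCE) is also gone, so PIL now sits under 4.反序列化 with no hint of why it is listed apart from the link in 参考.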
|
32 |
| - 命令注入 |
33 |
| - unzip |
34 |
| - https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution |
35 |
| - payload构造 |
36 |
| - 前提 |
37 |
| - eval+compile |
38 |
| - 多语句 |
39 |
| - __import__ |
40 |
| - __import__是一个函数,并且只接受字符串参数,import 都是在它的基础上实现的。 |
41 |
| - importlib |
42 |
| - 参考 |
43 |
| - import相关,沙箱绕过 |
44 |
| - https://xianzhi.aliyun.com/forum/read/2138.html |
45 |
| - 代码注入 |
46 |
| - https://www.doyler.net/security-not-included/exploiting-python-code-injection |
47 |
| - http://www.securitynewspaper.com/2016/11/12/exploiting-python-code-injection-web-applications/ |
48 |
| - codereview |
49 |
| - Python Security Auditing (IV): Command Execution |
50 |
| - https://www.cdxy.me/?p=747 |
| 50 | +codereview |
| 51 | + Python Security Auditing (IV): Command Execution |
| 52 | + https://www.cdxy.me/?p=747 |
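Review bot: The removal of old lines 32-34 takes the `命令注入` heading and the ajinabraham.com insecure-file-extraction link with it, while `unzip` reappears at new line 26 as the last item under `4.反序列化` with no reference. Going by the title of the dropped link, the unzip entry is about insecure archive extraction leading to code execution, not about deserialization, so it is now under the wrong heading. Give unzip its own heading (or keep `命令注入`) and add the dropped link to the `参考:` list at new lines 27-31, next to the pickle and PIL references.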