Python_web Security
1. Preface
I started building web servers in Python and have gradually done more of it. Last week I set up a small CTF to play with, and it had a good python_web challenge.
So I will take a look at python_web security and summarize it here so that I can refer back to it later.
2. Basics
Python syntax basics
Python web frameworks: Django, web.py, etc.
web.py:
http://webpy.org/tutorial3.zh-cn
http://www.leavesongs.com/PYTHON/webpy-readme.html
Django:
http://www.w3cschool.cc/django/django-install.html
Both are basically MVC frameworks. This is the background knowledge needed for studying python_web security.
3. python_web vulnerabilities
3.1. SQL Injection
Does the framework prevent injection? Well, that depends on the programmer....
Here is an injection point that can be injected directly.
3.2 XSS
This is also very likely to happen ~
Here we trigger XSS directly.
3.3 Arbitrary File Read
If the filename parameter is not filtered, any file can be read.
Directly: http://127.0.0.1/index/readfile?filename=../etc/password
Another kind of arbitrary file read:
Changing http://www.baidu.com to file:///etc/passwd causes an arbitrary file read.
3.4 Command Execution
Modules and functions related to OS command injection: eval, os.system(), os.popen*, subprocess.Popen, os.spawn*, commands.*, popen2.*, and pickle.
3.4.1. It is common to put user-supplied data directly into these functions for execution, which results in a command injection vulnerability.
Entering "ip address | whoami" as the IP address causes whoami to be executed as well.
You should also be careful when writing crawlers. Some people like to put the crawled URLs into a list and then feed them to sqlmap.py to test for injection. For example,
if a list someone else gave you contains http://evil.com | rm -rf /, what finally gets executed is os.system("python sqlmap.py -u http://evil.com | rm -rf /&"),
and then you are crying in the bathroom.
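The two cases above (the "ip | whoami" form and the crawled URL list fed to sqlmap.py), handled the way a defender would: validate the input as the type it is supposed to be, and pass an argv list to subprocess so the shell never sees it. This is an added example written for this page, not code from the original post; the function names are mine.

```python
import ipaddress
import re
import subprocess
from urllib.parse import urlparse

# Host part of a URL: letters, digits, dots, dashes, optional port. Nothing else.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:[0-9]{1,5})?")


def ping_argv(target):
    """argv for pinging one address, or None if target is not a bare IP address.

    '127.0.0.1 | whoami' is not a valid address, so it never reaches a command.
    """
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["ping", "-c", "1", str(ip)]


def sqlmap_argv(url):
    """argv for scanning one crawled URL, or None if it is not a clean http(s) URL.

    A URL list you did not write yourself is untrusted input: the host part must
    look like a host, not like 'evil.com | rm -rf /'.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not _HOST_RE.fullmatch(parts.netloc):
        return None
    return ["python", "sqlmap.py", "-u", url]


def run(argv):
    """Run without a shell.

    The list is handed straight to exec, so '|', '&' and ';' inside an argument
    are ordinary characters, never operators. os.system(string) is the bug.
    """
    if argv is None:
        raise ValueError("refusing to run: input failed validation")
    return subprocess.run(argv, capture_output=True, text=True, timeout=60)
```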
3.4.2. Pickle deserialization causes command execution
Vulnerability principle: http://drops.wooyun.org/papers/66
From that article we know that
pickle.loads() may cause command execution
if the content passed to loads is controllable:
import cPickle
cPickle.loads("csubprocess\nPopen\np1\n((S'CMD'\np2\ntp3\ntp4\nRp5\n.")
The command can be executed here.
web.py has this problem.
It is worth noting that the decode method in session.py of the web.py framework has this vulnerability. That is to say, as soon as decode is called, the vulnerability is triggered ~~!
You can modify the script to obtain the str and execute the command you want.
4. Instance
Here, let's take the code provided by @Note as an example.
It is not convenient to give the code to everyone, so I will write out the vulnerable code directly.
4.1 Injection
In the admin check method, username is not filtered and can be injected directly:
If the result is found to be 2, select flag from flag can be displayed directly. Note that the brackets are required!
4.2 File Reading
The uploads method defined in app.py has an arbitrary file read vulnerability.
It filters ../, but we can modify the input like this:
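A defensive version of both file-read cases on this page: the readfile ../ traversal and the file:// URL from 3.3, and the uploads method in 4.2 that only strips ../ from the string. This is an added example written for this page, not the CTF's code; UPLOAD_ROOT and the function names are assumptions.

```python
import os
from urllib.parse import urlparse

UPLOAD_ROOT = "/srv/app/uploads"   # assumed location of the uploads directory


def safe_path(filename, root=UPLOAD_ROOT):
    """Resolve filename under root and return the absolute path, or None if it escapes.

    Deleting "../" from the string is not enough: a one-shot replace can be undone
    by nesting, and os.path.join() silently discards root when filename is absolute.
    Comparing the *resolved* path against the resolved root catches both.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


def read_upload(filename, root=UPLOAD_ROOT):
    """Read a file only if safe_path() accepts it."""
    path = safe_path(filename, root)
    if path is None:
        raise PermissionError("path escapes the upload directory: %r" % filename)
    with open(path, "rb") as fh:
        return fh.read()


def fetch_allowed(url):
    """Gate for a 'fetch this URL' feature: only http(s) with a real host.

    Without a scheme check, file:///etc/passwd makes the fetcher read local files.
    """
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)
```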
4.3 Command Execution
Again because the decode method in session.py is vulnerable:
in the CTF, the authcode method of the base class calls the decode function to execute the code:
The authcode in the cookie goes into the vulnerable decode function.
Run the following script to generate the base64 str, put it into authcode, and the command is triggered.
Run the whoami command
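The session decode pattern discussed in 3.4.2 and 4.3, shown next to a hardened replacement. This is an added example written for this page, not web.py's or the CTF's code; SECRET_KEY and the function names are assumptions. The legacy form is included only for contrast.

```python
import base64
import hashlib
import hmac
import json
import pickle

SECRET_KEY = b"change-me-load-from-server-config"   # assumed; exists only on the server


def decode_legacy(cookie_value):
    """The session.py pattern the post describes: base64-decode, then pickle.loads.

    Unpickling runs opcodes chosen by whoever wrote the cookie, so the client
    controls the whole object graph, not just one value, and loads() can be made
    to call arbitrary callables. Never use this on client-supplied data.
    """
    return pickle.loads(base64.b64decode(cookie_value))


def encode_session(data):
    """Serialize as JSON (data only, no code), then MAC the encoded payload."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def decode_session(cookie_value):
    """Return the session dict, or None if the MAC or the encoding is bad.

    The MAC is checked before any parsing, so a forged or edited cookie is
    rejected without its bytes ever reaching a deserializer.
    """
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:          # bad base64 or bad JSON
        return None
    return data if isinstance(data, dict) else None
```

Signing alone does not help if the secret is also reachable by the attacker, which is why the secret stays in server configuration and never in the cookie or the session store.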
Done ........ Thank you for taking me to fly ~ @Note
P Shen added:
session.py in web.py: this is simply a method the 0cms authors used to construct a structure.
Store is a class for storing sessions on the web side. As we all know, a session is a way of storing user identity and credentials. In PHP, sessions are stored in files by default, which users can never access.
If 0cms parses the session like this, it means the session is taken directly from the cookie and pickle.loads is called to parse it.
Regardless of whether it causes command execution or code execution, parsing it this way means the user has full control over the session (instead of controlling one of its values), so I can forge any identity, and the whole website is mine.
Some may be confused about the session. Sometimes we can control the session; for example, after registering a user with the username xxx, the session value will be xxx. But note that xxx is only a value in the session. You cannot control the data structure of the session, and a value cannot be executed as a command.
The Store class should have been an internal class of session.py. Using it externally like this is totally wrong; normal programmers would not write it this way. This usage is like modifying SessionHandler in PHP to retrieve the session from the cookie.
Therefore, this vulnerability is not a web.py vulnerability.
But I am talking about exploitation.
For example, my http://waf.science stores the session in redis. If you can find redis unauthorized access, you can connect to redis and modify the value,
and then a code execution vulnerability is triggered when the session is read. In addition, web.py sessions are stored in files by default. If you can find a way to control files in the session directory, that can also cause a code execution vulnerability.