Python eval() function risk analysis

  • 2020-04-02 13:48:38
  • OfStack

Python's eval() function is commonly used to turn the string "123" into the integer 123, but PP3E (Programming Python, 3rd Edition) warns that it is dangerous: it evaluates arbitrary Python expressions and can therefore execute other commands as well!

Experimenting with this confirms it. A Python CGI program that uses eval() instead of int() to convert the contents of an input box such as "age" is dangerous: the submitted string can not only list every file on the system, but also delete files, read source code and perform other harmful operations!

I tried to write a program that writes a local script file line by line into a file on the server in this form, but it finally failed because of the newline character "\n": as long as there is a newline character in the submitted statement, an EOL error is raised, and changing the encoding method also failed.
 
There's an input box in the page where you can submit a name, and I'm just going to change it, because otherwise the name wouldn't be converted with an eval() function, but age is the real problem. This is the file (http://localhost/tutor4.html) whose input goes into the OS.


line1 = "Hello, %s." % eval(form['user'].value)

(1) Delete files with del:

os.system('del * /q') # Delete all files (not including folders) in the current directory.

os.system() runs the command in the current operating system's shell (here Windows cmd).

/q
Quiet mode: you are not prompted to confirm the deletion.

(2) To delete a folder, use rmdir:

/s
Deletes the specified directory, all of its subdirectories and all files they contain. Use /s to delete a directory tree.

/q
Runs rmdir in quiet mode: the directory is deleted without confirmation.

os.system('rmdir d:/workspace /s/q')

(3) List all files with os.system('dir'). Because os.system() returns the command's exit code, which is 0 after a successful dir, the browser only shows "Hello, 0". On the server the listing is actually produced, and if output is logged it may be found there. Submitting os.system('dir > dir.txt') and then opening http://localhost/dir.txt exposes all files and folders. Want to see the source code? os.system('type target.py') again only returns "Hello, 0"; redirect the output into another file and access that file, or use open('target.py').read() so the contents come back in the greeting.

From there, you can list and view the contents of other folders.

If nothing else, dir.txt can be deleted afterwards to avoid being discovered: os.system('del dir.txt /q')

Importing os and executing the command in a single expression:


__import__('os').system('dir >dir.txt')
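As an added illustration (not code from the original post), here is the post's vulnerable pattern next to a hardened version: the age field is checked against a strict digit pattern and converted with int() instead of eval(), and the name is HTML-escaped rather than evaluated. The form field names "user" and "age" and the sample submissions are assumptions.

```python
import html
import re

# Constructed sample submissions for the two fields the CGI script reads;
# the field names "user" and "age" are assumed, not taken from the post.
SAMPLE_FORMS = [
    {"user": "Alice", "age": "23"},              # normal input
    {"user": "Bob", "age": " 7 "},               # sloppy but acceptable
    {"user": "<b>x</b>", "age": "2*3"},          # an expression, not a number
    {"user": "Eve", "age": "__import__('os')"},  # the pattern the post warns about
]

AGE_RE = re.compile(r"^[0-9]{1,3}$")


def parse_age_unsafe(value):
    """The pattern the post warns about: eval() evaluates any expression,
    so "2*3" becomes 6 and "__import__('os')" imports a module."""
    return eval(value)


def parse_age(value, lo=0, hi=150):
    """Hardened version: accept only a short run of digits, then range-check.
    Anything else raises ValueError instead of being evaluated."""
    text = value.strip()
    if not AGE_RE.match(text):
        raise ValueError("age must be 1-3 digits")
    age = int(text)  # int() parses a literal; it never executes code
    if not lo <= age <= hi:
        raise ValueError("age out of range")
    return age


def render_greeting(form):
    """Build the reply the script sends back; bad input yields a fixed
    error line rather than a traceback or an executed command."""
    name = html.escape(form.get("user", ""))  # escape the name, never eval it
    try:
        age = parse_age(form.get("age", ""))
    except ValueError:
        return "Hello, %s. Invalid age." % name
    return "Hello, %s. You are %d years old." % (name, age)


if __name__ == "__main__":
    for form in SAMPLE_FORMS:
        print(render_greeting(form))
```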
