{"id":424,"date":"2023-08-27T16:53:40","date_gmt":"2023-08-27T08:53:40","guid":{"rendered":"https:\/\/blog.byzhb.top\/?p=424"},"modified":"2023-09-02T17:08:38","modified_gmt":"2023-09-02T09:08:38","slug":"wr","status":"publish","type":"post","link":"https:\/\/blog.byzhb.top\/index.php\/2023\/08\/27\/wr\/","title":{"rendered":"Python\u539f\u578b\u94fe\u6c61\u67d3"},"content":{"rendered":"

\u4e00\u3001\u4ec0\u4e48\u662f\u539f\u578b\u94fe\u6c61\u67d3<\/h1>\n
\n

Python \u4e2d\u7684\u539f\u578b\u94fe\u6c61\u67d3\uff08Prototype Pollution\uff09\u662f\u6307\u901a\u8fc7\u4fee\u6539\u5bf9\u8c61\u539f\u578b\u94fe\u4e2d\u7684\u5c5e\u6027\uff0c\u5bf9\u7a0b\u5e8f\u7684\u884c\u4e3a\u4ea7\u751f\u610f\u5916\u5f71\u54cd\u6216\u5229\u7528\u6f0f\u6d1e\u8fdb\u884c\u653b\u51fb\u7684\u4e00\u79cd\u6280\u672f\u3002
\n\u5728 Python\u4e2d\uff0c\u5bf9\u8c61\u7684\u5c5e\u6027\u548c\u65b9\u6cd5\u53ef\u4ee5\u901a\u8fc7\u539f\u578b\u94fe\u7ee7\u627f\u6765\u83b7\u53d6\u3002\u6bcf\u4e2a\u5bf9\u8c61\u90fd\u6709\u4e00\u4e2a\u539f\u578b\uff0c\u539f\u578b\u4e0a\u5b9a\u4e49\u4e86\u5bf9\u8c61\u53ef\u4ee5\u8bbf\u95ee\u7684\u5c5e\u6027\u548c\u65b9\u6cd5\u3002\u5f53\u5bf9\u8c61\u8bbf\u95ee\u5c5e\u6027\u6216\u65b9\u6cd5\u65f6\uff0c\u4f1a\u5148\u5728\u81ea\u8eab\u67e5\u627e\uff0c\u5982\u679c\u627e\u4e0d\u5230\u5c31\u4f1a\u53bb\u539f\u578b\u94fe\u4e0a\u7684\u4e0a\u7ea7\u5bf9\u8c61\u4e2d\u67e5\u627e\uff0c\u539f\u578b\u94fe\u6c61\u67d3\u653b\u51fb\u7684\u601d\u8def\u662f\u901a\u8fc7\u4fee\u6539\u5bf9\u8c61\u539f\u578b\u94fe\u4e2d\u7684\u5c5e\u6027\uff0c\u4f7f\u5f97\u7a0b\u5e8f\u5728\u8bbf\u95ee\u5c5e\u6027\u6216\u65b9\u6cd5\u65f6\u5f97\u5230\u4e0d\u7b26\u5408\u9884\u671f\u7684\u7ed3\u679c\u3002\u5e38\u89c1\u7684\u539f\u578b\u94fe\u6c61\u67d3\u653b\u51fb\u5305\u62ec\u4fee\u6539\u5185\u7f6e\u5bf9\u8c61\u7684\u539f\u578b\u3001\u4fee\u6539\u5168\u5c40\u5bf9\u8c61\u7684\u539f\u578b\u7b49<\/p>\n

\u4e8c\u3001\u6c61\u67d3\u6761\u4ef6<\/h1>\n

\u548cJavascript\u539f\u578b\u94fe\u6c61\u67d3\u5dee\u4e0d\u591a\uff0c\u539f\u578b\u94fe\u6c61\u67d3\u9700\u8981merge\u5408\u5e76\u51fd\u6570\uff0c\u901a\u8fc7\u9012\u5f52\u5408\u5e76\u6765\u4fee\u6539\u7236\u7ea7\u5c5e\u6027\uff0cCTF\u4e2d\u5e38\u89c1\u7684merge\u51fd\u6570\u5982\u4e0b<\/p>\n<\/blockquote>\n

def merge(src, dst):  #src\u4e3a\u539f\u5b57\u5178\uff0cdst\u4e3a\u76ee\u6807\u5b57\u5178\n    # Recursive merge function\n    for k, v in src.items():\n        if hasattr(dst, '__getitem__'):  #\u952e\u503c\u5bf9\u5b57\u5178\u5f62\u5f0f\n            if dst.get(k) and type(v) == dict:\n                merge(v, dst.get(k))  #\u9012\u5f52\u5230\u5b57\u5178\u6700\u540e\u4e00\u5c42\n            else:\n                dst[k] = v\n        elif hasattr(dst, k) and type(v) == dict:  #class\u5f62\u5f0f\n            merge(v, getattr(dst, k))  #\u9012\u5f52\u5230\u6700\u7ec8\u7684\u7236\u7c7b\n        else:\n            setattr(dst, k, v)<\/code><\/pre>\n
\u4e09\u3001\u6c61\u67d3\u8fc7\u7a0b<\/h1>\n
\u611f\u89c9\u548c\u4e4b\u524d\u5b66\u7684flask\u7684\u6a21\u677f\u6ce8\u5165\u8fc7\u7a0b\u5dee\u4e0d\u591a\uff0c\u90fd\u662f\u901a\u8fc7\u5c5e\u6027\u548c\u65b9\u6cd5\u7684\u4e00\u5c42\u5c42\u8c03\u7528\uff0c\u4ece\u800c\u5b9e\u73b0\u5c5e\u6027\u7684\u4fee\u6539
\n\u793a\u4f8b\u5982\u4e0b\uff1a<\/p>\n
class father:\n    secret = "hello"\nclass son_a(father):\n    pass\nclass son_b(father):\n    pass\ndef merge(src, dst):\n    for k, v in src.items():\n        if hasattr(dst, '__getitem__'):\n            if dst.get(k) and type(v) == dict:\n                merge(v, dst.get(k))\n            else:\n                dst[k] = v\n        elif hasattr(dst, k) and type(v) == dict:\n            merge(v, getattr(dst, k))\n        else:\n            setattr(dst, k, v)\ninstance = son_b()\npayload = {\n    "__class__" : {\n        "__base__" : {\n            "secret" : "world"\n        }\n    }\n}\nprint(son_a.secret)\n#hello\nprint(instance.secret)\n#hello\nmerge(payload, instance)\nprint(son_a.secret)\n#world\nprint(instance.secret)\n#world<\/code><\/pre>\n
3.1 \u8fc7\u7a0b\u5206\u6790<\/h2>\n
\u6267\u884cmerge\u51fd\u6570\u540e\uff0c\u56e0\u4e3ainstance\u662f\u5bf9\u8c61\u7c7b\u578b\uff0c\u5e76\u4e14\u542b\u6709__class__\u9ed8\u8ba4\u5c5e\u6027\uff0c\u5e76\u4e14v\u4e5f\u4e3a\u5b57\u5178\u683c\u5f0f\uff0c\u6545\u6267\u884c\u8fd9\u6761\u5224\u65ad\u8bed\u53e5<\/p>\n
elif hasattr(dst, k) and type(v) == dict\nmerge(v, getattr(dst, k))\n\n'''\nsrc={\n    "__class__" : {\n        "__base__" : {\n            "secret" : "world"\n        }\n    }\n}\ndst=instance()\n'''<\/code><\/pre>\n
\u63a5\u7740\u8fdb\u884c\u7b2c\u4e00\u6b21\u9012\u5f52\uff0c\u6267\u884c\u8bed\u53e5merge(v, getattr(dst, k))\uff0c\u6b64\u65f6\u5408\u5e76\u76ee\u6807\u901a\u8fc7__class__\u5c5e\u6027\u6362\u6210\u4e86instance\u5bf9\u8c61\u7684\u6240\u5c5e\u7684\u7c7b(son_b<\/strong>),\u7136\u540e\u518d\u6b21\u901a\u8fc7\u4e00\u4e0b\u5224\u65ad\u8bed\u53e5\u8fdb\u884c\u7b2c\u4e8c\u6b21\u9012\u5f52<\/p>\n
elif hasattr(dst, k) and type(v) == dict:\nmerge(v, getattr(dst, k))\n\n'''\nsrc={\n        "__base__" : {\n            "secret" : "world"\n        }\n    }\ndst=son_b()\n'''<\/code><\/pre>\n
\u7b2c\u4e8c\u6b21\u9012\u5f52\u4e4b\u540e\uff0c\u6267\u884c\u8bed\u53e5merge(v, getattr(dst, k))\uff0c\u6b64\u65f6\u5408\u5e76\u76ee\u6807\u901a\u8fc7__base__\u5c5e\u6027\u6362\u6210\u4e86son_b\u7c7b\u7684\u6240\u5c5e\u7684\u76f4\u63a5\u7236\u7c7b(father<\/strong>)\uff0c\u7136\u540e\u8fdb\u884c\u7b2c\u4e09\u6b21\u9012\u5f52<\/p>\n
elif hasattr(dst, k) and type(v) == dict:\nmerge(v, getattr(dst, k))\n\n'''\nsrc={"secret" : "world"}\ndst=father()\n'''<\/code><\/pre>\n
\u7b2c\u4e09\u6b21\u9012\u5f52\u65f6\uff0ctype(v) == dict<\/strong>\u4e3aFALSE\uff0c\u9012\u5f52\u7ed3\u675f\uff0c\u6b64\u65f6v="world"<\/strong>,\u4e0d\u518d\u662f\u5b57\u5178\u7c7b\u578b\uff0c\u7136\u540e\u6267\u884c\u8bed\u53e5<\/p>\n
setattr(dst, k, v)<\/code><\/pre>\n
\u91cd\u7f6efather\u7c7b<\/strong>\u4e2d\u7684secret<\/strong>\u5c5e\u6027\u7684\u503c\u4e3aworld<\/strong>\uff0c\u5230\u6b64\u7b80\u5355\u7684\u94fe\u6c61\u67d3\u5df2\u7ecf\u5b8c\u6210<\/p>\n
\u56db\u3001\u603b\u7ed3<\/h1>\n
\u5927\u4f53\u611f\u89c9\u548cSSTI\u8fc7\u7a0b\u57fa\u672c\u4e00\u81f4\uff0c\u53ea\u662f\u6362\u4e86\u4e2a\u4f20\u9012\u5f62\u5f0f\uff0c\u672c\u8d28\u8fd8\u662f\u5c5e\u6027\u548c\u65b9\u6cd5\u5c42\u7ea7\u5229\u7528\uff0c\u6700\u540e\u4fee\u6539\u6211\u4eec\u60f3\u8981\u7684\u5c5e\u6027<\/p>\n","protected":false},"excerpt":{"rendered":"
Python \u4e2d\u7684\u539f\u578b\u94fe\u6c61\u67d3\uff08Prototype Pollution\uff09\u662f\u6307\u901a\u8fc7\u4fee\u6539\u5bf9\u8c61\u539f\u578b\u94fe\u4e2d\u7684\u5c5e\u6027\uff0c\u5bf9\u7a0b\u5e8f\u7684\u884c\u4e3a\u4ea7\u751f\u610f\u5916\u5f71\u54cd\u6216\u5229\u7528\u6f0f\u6d1e\u8fdb\u884c\u653b\u51fb\u7684\u4e00\u79cd\u6280\u672f\u3002<\/p>\n","protected":false},"author":1,"featured_media":425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,9,22],"tags":[15,18,19,26],"class_list":["post-424","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-python","category-webs","tag-ctf","tag-flask","tag-python","tag-web"],"_links":{"self":[{"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/posts\/424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/comments?post=424"}],"version-history":[{"count":1,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/posts\/424\/revisions"}],"predecessor-version":[{"id":426,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/posts\/424\/revisions\/426"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/media\/425"}],"wp:attachment":[{"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/media?parent=424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/categories?post=424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.byzhb.top\/index.php\/wp-json\/wp\/v2\/tags?post=424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}