2025-02-25 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article shows what SQL injection and ORM injection look like in a Python code audit, in a form that is concise and easy to follow.
There are many approaches to Python code audit. Broadly speaking, they are migrations, combinations and extensions of earlier ideas, and at present the field is scattered and diverse. What follows summarizes ideas and techniques drawn from hands-on Python development and audit work.
SQL injection and ORM injection
The two injection types are very similar, so they are analyzed and summarized together. The description in the OWASP Top Ten fits both: "Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."
1. SQL injection
Risky SQL statements are common in Python code; there is a security problem whenever a value such as id or name is attacker-controlled. A controllable parameter lets the attacker append syntactically valid SQL of their own choosing, so the database executes a statement the developer never intended.
```python
sql = "select id,name from user_table where id = %s and name = %s" % (id, name)
cur.execute(sql)
```
In real code, SQL rarely appears in such a bare form; the following is a more typical case:
```python
import urllib
import MySQLdb
import SocketServer
from SimpleHTTPServer import SimpleHTTPRequestHandler


class MyHandler(SimpleHTTPRequestHandler):
    def _set_headers(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_GET(self):
        print("got get request %s" % (self.path))
        hql = urllib.splitquery(self.path)[1]   # the query string after '?'
        uri_c = str(hql)
        print('cmd===%s' % (uri_c))
        # the untrusted query-string value is formatted straight into the statement
        sql = "select id from user_table where id = %s" % uri_c
        db = MySQLdb.connect("localhost", "testuser", "test123", "TESTDB", charset='utf8')
        cursor = db.cursor()
        cursor.execute(sql)
        data = cursor.fetchone()
        self._set_headers()
        self.wfile.write(str(data))


def start_server():
    httpd = SocketServer.TCPServer(("127.0.0.1", 8090), MyHandler)
    print('Starting httpd...')
    httpd.serve_forever()


if __name__ == "__main__":
    start_server()
```
This is a simple HTTP server that runs on Python 2. The query string of the GET request is obtained through urllib.splitquery, uri_c holds the raw parameter value, and that value is formatted directly into the SQL statement, which is the injection. This is a simple case; in practice the call chain from the request parameter to the execute call may be much longer, depending on the platform's architecture.
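As an added example that is not part of the original article, the same id lookup rebuilt in Python 3 on an in-memory SQLite database (the rows are constructed; the table and column names follow the article's snippet), so the injection can be reproduced offline next to the parameterized form that stops it:

```python
import sqlite3

# Constructed sample rows, not data from the original article.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_table (id integer, name text)")
    conn.executemany("insert into user_table values (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, uri_c):
    # Same construction as the article's do_GET(): the raw query-string
    # value is formatted into the statement, so it is parsed as SQL.
    sql = "select id, name from user_table where id = %s" % uri_c
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, uri_c):
    # The value travels as a bound parameter; the database compares it as a
    # value and never parses it as SQL, whatever it contains.
    sql = "select id, name from user_table where id = ?"
    return conn.execute(sql, (uri_c,)).fetchall()


def demo():
    conn = make_db()
    benign = "2"
    payload = "2 or 1=1"        # tautology: every row comes back
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "payload_vuln": lookup_vulnerable(conn, payload),
        "benign_param": lookup_parameterized(conn, benign),
        "payload_param": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the formatted statement the payload returns all three rows; with the bound parameter the same string matches nothing, because SQLite compares the integer column against the text `'2 or 1=1'` and finds no row.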
2. ORM injection
(1) sqlalchemy ORM injection (CNVD-2019-17301)
Since it is easier to follow, the example uses the module directly rather than a framework. ORM injection is a special case of SQL injection: because the ORM module templates the SQL, searching the code for SQL statement strings works poorly. Instead, locate the module's execution methods; if the module does not filter or escape properly and a variable flowing into such a method is controllable, there is a problem. This is where knowing the Python ORM modules and being able to search for their sinks pays off, rather than repeating platitudes. A case study:
```python
from sqlalchemy import create_engine, text
from sqlalchemy.orm import sessionmaker
import sqlalchemy

print("sqlalchemy_version:", sqlalchemy.__version__)
engine = create_engine('mysql://root:123456@192.168.56.101:3306/mysql?charset=utf8')
DB_Session = sessionmaker(bind=engine)
session = DB_Session()
session.execute(text('use mysql;'))
# a raw SQL string is executed verbatim; anything concatenated into it is injectable
print(session.execute(text("select * from user where User='root' and 1=1")).fetchall())
```
This is ORM injection via sqlalchemy, whose session.execute accepts an arbitrary SQL string. Strictly speaking this is a feature, but most developers assume that an ORM defends against SQL injection, so raw strings built from user input end up here and become a vulnerability. Escaping, or better bound parameters, solves the problem, but the maintainers do not treat raw execution as a bug. sqlalchemy has also had several related issues, such as injection through order_by and passing user-controlled "limit" and "offset" values into select().
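The audit approach described above, finding the execution methods and checking whether a dynamically built string reaches them, can be mechanized. The following is an added example, not code from the article or from sqlalchemy: a small stdlib-only AST scanner that flags execute-style calls whose first argument is a %-format, f-string, .format() call or concatenation, or a variable assigned from one. The sink names and the sample source it scans are assumptions constructed for the demonstration, and the variable tracking is deliberately not scope-aware.

```python
import ast

# Method names treated as raw-SQL sinks (assumed list; extend per ORM/driver).
RAW_SQL_SINKS = {"execute", "executemany", "executescript", "raw"}


def _is_dynamic_string(node):
    """True if the expression builds a string from runtime parts."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                           # "..." % x, a + b
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


class SqlSinkAuditor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []        # (line, sink method, explanation)
        self.dynamic_names = {}   # variable name -> line of its dynamic assignment
                                  # (simplification: ignores scopes and reassignment)

    def visit_Assign(self, node):
        if _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.dynamic_names[target.id] = node.lineno
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in RAW_SQL_SINKS and node.args:
            arg = node.args[0]
            if _is_dynamic_string(arg):
                self.findings.append((node.lineno, func.attr, "inline dynamic SQL"))
            elif isinstance(arg, ast.Name) and arg.id in self.dynamic_names:
                self.findings.append((node.lineno, func.attr,
                                      "dynamic SQL built at line %d"
                                      % self.dynamic_names[arg.id]))
        self.generic_visit(node)


def audit(source):
    """Return the list of suspicious sink calls found in a Python source string."""
    auditor = SqlSinkAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


# Constructed sample: mirrors the article's patterns plus two safe calls.
SAMPLE_SOURCE = '''\
def handler(cursor, session, uri_c):
    sql = "select id from user_table where id = %s" % uri_c
    cursor.execute(sql)
    cursor.execute("select id from user_table where id = ?", (uri_c,))
    session.execute(f"select * from user where User='{uri_c}'")
    session.execute(text("select 1"))
'''

if __name__ == "__main__":
    for line, sink, why in audit(SAMPLE_SOURCE):
        print("line %d: %s() <- %s" % (line, sink, why))
```

Only the two calls that receive a runtime-built string are reported; the parameterized call on line 4 and the constant text() on line 6 are not. A real audit would follow the flagged variables back to the request handler to confirm the value is attacker-controlled.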
(2) Django JSON SQL injection (CVE-2019-14234)
Next is Django JSON SQL injection, which has already been analyzed by others. Parts of the analysis require an understanding of Django and PostgreSQL; if it is hard to follow, study those first. The relevant points: Django queries PostgreSQL JSON data mainly through ArrayField, JSONField and HStoreField, and the lookups are issued through Json.objects.filter() and QuerySet.filter().
The query is used as follows:
```python
# query the key named 'test' under the JSON field data for the value 'user'
Json.objects.filter(data__test='user')
# equivalent form using keyword unpacking
Json.objects.filter(**{"data__test": 'user'})
```
From the patch we can see that the implementation uses self.key_name, and that QuerySet.filter() ends up passing self.key_name along.
Following that, the class KeyTransformFactory builds a KeyTransform with self.key_name, after which the key name is concatenated into the SQL string. The full call chain is left for interested readers to trace.
```python
class KeyTextTransform(KeyTransform):
    operator = '->>'
    ...
# string concatenation: the key name ends up inside the SQL text
"(%s %s %s)" % (lhs, self.operator, lookup)
```
Applying the injection knowledge, the following test was run, with this result:
```python
# the injected key name closes the quoted literal and appends a tautology
Json.objects.filter(**{"data__breed'='a') OR 1=1 OR ('d": 'x'})
```
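To make the mechanism visible without a Django or PostgreSQL installation, here is an added example that is not Django's code: a reconstruction of how the key-transform SQL was assembled before the patch (key name quoted by string formatting) and after it (key name sent as a bound parameter), applied to the key from the test above. The table and column name in LHS are assumed, and render() only imitates driver-side quoting so the final statements can be compared.

```python
def key_transform_sql_before(lhs, key_name, operator="->>"):
    """Reconstruction of the pre-patch logic: the key name is quoted by
    string formatting and becomes part of the SQL text."""
    try:
        int(key_name)
    except ValueError:
        lookup = "'%s'" % key_name      # non-numeric key: quoted literal built by hand
    else:
        lookup = "%s" % key_name        # numeric key: array index, left unquoted
    return "(%s %s %s)" % (lhs, operator, lookup), []


def key_transform_sql_after(lhs, key_name, operator="->>"):
    """Reconstruction of the patched logic: the key name becomes a bound
    parameter (%s placeholder), so the driver quotes it and it can never
    change the statement's structure."""
    return "(%s %s %%s)" % (lhs, operator), [key_name]


def build_filter(transform, lhs, key_name, value):
    """Append the equality comparison that data__<key>=value adds."""
    sql, params = transform(lhs, key_name)
    return sql + " = %s", params + [value]


def render(sql, params):
    """Imitates driver-side parameter quoting (single quotes doubled) purely
    to display the final statement; real drivers do this for you."""
    return sql % tuple("'%s'" % str(p).replace("'", "''") for p in params)


LHS = '"app_json"."data"'                      # assumed table and column
INJECTED_KEY = "breed'='a') OR 1=1 OR ('d"     # key from the article's test


def demo():
    before = build_filter(key_transform_sql_before, LHS, INJECTED_KEY, "x")
    after = build_filter(key_transform_sql_after, LHS, INJECTED_KEY, "x")
    return {
        "before": before,
        "after": after,
        "before_rendered": render(*before),
        "after_rendered": render(*after),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Before the patch the rendered statement reads `("app_json"."data" ->> 'breed'='a') OR 1=1 OR ('d') = 'x'`, a tautology that matches every row. After it, the whole key is one quoted string literal and the comparison simply fails to match.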
In summary, ORM injection comes in two forms: issues in the ORM module itself and issues in the framework that uses it.
That is what SQL and ORM injection look like in a Python code audit.