Django开发与攻防测试(入门篇)教学文档<\/h1>

一、Django基础开发<\/h2>

1. 环境搭建与项目创建<\/h3>

# 下载指定版本Django<\/span>
<\/span><\/span>pip install django==<\/span>1.8.2 -i https:\/\/pypi.mirrors.ustc.edu.cn\/simple\/
<\/span><\/span>
<\/span><\/span># 创建虚拟环境<\/span>
<\/span><\/span>virtualenv django_demo
<\/span><\/span>cd django_demo
<\/span><\/span>source bin\/activate
<\/span><\/span>
<\/span><\/span># 创建项目目录结构<\/span>
<\/span><\/span>mkdir learn_django
<\/span><\/span>cd learn_django
<\/span><\/span>
<\/span><\/span># 创建Django项目<\/span>
<\/span><\/span>python django-admin.py startproject django_web
<\/span><\/span>
<\/span><\/span># 创建应用<\/span>
<\/span><\/span>python manage.py startapp django_app
<\/span><\/span><\/code><\/pre>2. Django架构模式<\/h3>
Django采用MTV模式(Model-Template-View)，与传统的MVC模式对应关系如下：<\/p>

Model(模型) - 数据存取层<\/li>
Template(模板) - 表现层<\/li>
View(视图) - 业务逻辑层<\/li>
<\/ul>
3. 静态Web开发<\/h3>
模板层<\/h4>
在项目根目录创建templates<\/code>文件夹，添加index.html<\/code>：<\/p>
<!DOCTYPE html><\/span>
<\/span><\/span><html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span>    <title<\/span>>Django Learning<\/title<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span>    <h1<\/span>>Hellow,Django!<\/h1<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>视图层<\/h4>
在django_app\/views.py<\/code>中添加视图函数：<\/p>
from<\/span> django.shortcuts import<\/span> render
<\/span><\/span>
<\/span><\/span>def<\/span> index<\/span>(request):
<\/span><\/span>    return<\/span> render(request,'index.html'<\/span>)
<\/span><\/span><\/code><\/pre>URL路由<\/h4>
在django_web\/urls.py<\/code>中配置路由：<\/p>
from<\/span> django.conf.urls import<\/span> include, url
<\/span><\/span>from<\/span> django.contrib import<\/span> admin
<\/span><\/span>from<\/span> django_app.views import<\/span> index
<\/span><\/span>
<\/span><\/span>urlpatterns =<\/span> [
<\/span><\/span>    url(r<\/span>'^admin\/'<\/span>, include(admin.<\/span>site.<\/span>urls)),
<\/span><\/span>    url(r<\/span>'^index\/'<\/span>, index),
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>4. 动态Web开发<\/h3>
数据库配置<\/h4>
修改settings.py<\/code>中的数据库配置：<\/p>
DATABASES =<\/span> {
<\/span><\/span>    'default'<\/span>: {
<\/span><\/span>        'ENGINE'<\/span>: 'django.db.backends.mysql'<\/span>,
<\/span><\/span>        'NAME'<\/span>: 'your_db_name'<\/span>,
<\/span><\/span>        'USER'<\/span>: 'your_db_user'<\/span>,
<\/span><\/span>        'PASSWORD'<\/span>: 'your_db_password'<\/span>,
<\/span><\/span>        'HOST'<\/span>: 'localhost'<\/span>,
<\/span><\/span>        'PORT'<\/span>: '3306'<\/span>,
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>模型层<\/h4>
在django_app\/models.py<\/code>中定义模型：<\/p>
from<\/span> django.db import<\/span> models
<\/span><\/span>
<\/span><\/span>class<\/span> DjangoTest<\/span>(models.<\/span>Model):
<\/span><\/span>    text =<\/span> models.<\/span>CharField(max_length=<\/span>20<\/span>)
<\/span><\/span><\/code><\/pre>数据库迁移<\/h4>
python manage.py makemigrations
<\/span><\/span>python manage.py migrate
<\/span><\/span><\/code><\/pre>管理员界面<\/h4>
创建超级用户：<\/p>
python manage.py createsuperuser
<\/span><\/span><\/code><\/pre>注册模型到admin：<\/p>
from<\/span> django.contrib import<\/span> admin
<\/span><\/span>from<\/span> .models import<\/span> DjangoTest
<\/span><\/span>
<\/span><\/span>admin.<\/span>site.<\/span>register(DjangoTest)
<\/span><\/span><\/code><\/pre>动态视图<\/h4>
带参数的视图函数：<\/p>
def<\/span> index<\/span>(request, id):
<\/span><\/span>    text =<\/span> DjangoTest.<\/span>objects.<\/span>all()
<\/span><\/span>    iden =<\/span> int(id)
<\/span><\/span>    context =<\/span> {'text'<\/span>: text[iden]}
<\/span><\/span>    return<\/span> render(request, 'index.html'<\/span>, context)
<\/span><\/span><\/code><\/pre>动态模板<\/h4>
<!DOCTYPE html><\/span>
<\/span><\/span><html<\/span> lang<\/span>=<\/span>"en"<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span>    <meta<\/span> charset<\/span>=<\/span>"UTF-8"<\/span>>
<\/span><\/span>    <title<\/span>>Django test<\/title<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span>    <h1<\/span>>ID: {{ text.id }}<\/h1<\/span>>
<\/span><\/span>    <h1<\/span>>Hello:{{ text.text }}<\/h1<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>二、Django安全攻防<\/h2>
1. 格式化字符串漏洞<\/h3>
漏洞代码<\/h4>
template =<\/span> 'Hello <\/span>{user}<\/span>! , You can set your email is:'<\/span> +<\/span> request.<\/span>POST.<\/span>get('email'<\/span>)
<\/span><\/span>return<\/span> render(request, 'index.html'<\/span>, {"value"<\/span>: template.<\/span>format(user=<\/span>request.<\/span>user)})
<\/span><\/span><\/code><\/pre>攻击方式<\/h4>
通过构造email<\/code>参数为{user.password}<\/code>可以获取用户密码哈希值<\/p>
修复方案<\/h4>

避免直接拼接用户输入到格式化字符串<\/li>
使用模板系统分离数据和展示<\/li>
<\/ul>
2. XSS漏洞<\/h3>
漏洞代码<\/h4>
info =<\/span> request.<\/span>POST.<\/span>get('info'<\/span>)
<\/span><\/span>return<\/span> render(request,'index.html'<\/span>,{"value"<\/span>:info})
<\/span><\/span><\/code><\/pre>Django的XSS防护机制<\/h4>

默认开启自动转义(escape)<\/li>
可通过safe<\/code>过滤器关闭转义<\/li>
可通过autoescape<\/code>标签控制转义<\/li>
<\/ul>
危险用法<\/h4>
{{ value | safe }}
<\/span><\/span><\/code><\/pre>修复方案<\/h4>
import<\/span> cgi
<\/span><\/span>
<\/span><\/span>info =<\/span> request.<\/span>POST.<\/span>get('info'<\/span>)
<\/span><\/span>info =<\/span> cgi.<\/span>escape(info)
<\/span><\/span>return<\/span> render(request,'index.html'<\/span>,{"value"<\/span>:info})
<\/span><\/span><\/code><\/pre>3. SQL注入漏洞<\/h3>
危险查询方式<\/h4>
id =<\/span> request.<\/span>POST.<\/span>get('id'<\/span>)
<\/span><\/span>tag =<\/span> dj.<\/span>objects.<\/span>extra(where=<\/span>{'id=<\/span>{}<\/span>'<\/span>.<\/span>format(id)})[0<\/span>].<\/span>text
<\/span><\/span><\/code><\/pre>攻击方式<\/h4>
构造id<\/code>参数为1 or 1=1<\/code>等恶意SQL片段<\/p>
修复方案<\/h4>
使用参数化查询：<\/p>
tag =<\/span> dj.<\/span>objects.<\/span>extra(where=<\/span>['id=<\/span>%s<\/span>'<\/span>], params=<\/span>[id])
<\/span><\/span><\/code><\/pre>4. 其他安全建议<\/h3>

始终使用Django内置的ORM进行数据库操作<\/li>
避免直接使用eval()<\/code>或exec()<\/code>执行用户输入<\/li>
使用Django的CSRF保护机制<\/li>
定期更新Django版本以获取安全补丁<\/li>
使用@login_required<\/code>装饰器保护敏感视图<\/li>
配置适当的权限系统<\/li>
<\/ol>
三、开发实践建议<\/h2>


项目结构规划<\/p>

合理划分应用模块<\/li>
使用虚拟环境隔离依赖<\/li>
遵循PEP8编码规范<\/li>
<\/ul>
<\/li>

调试技巧<\/p>

使用print(queryset.query)<\/code>查看生成的SQL<\/li>
利用Django shell进行快速测试<\/li>
配置日志记录系统<\/li>
<\/ul>
<\/li>

性能优化<\/p>

使用select_related<\/code>和prefetch_related<\/code>减少查询次数<\/li>
合理使用缓存<\/li>
优化模板渲染<\/li>
<\/ul>
<\/li>

测试策略<\/p>

编写单元测试<\/li>
进行安全扫描<\/li>
压力测试关键接口<\/li>
<\/ul>
<\/li>
<\/ol>

Django开发与攻防测试(入门篇)教学文档<\/h1>

一、Django基础开发<\/h2>

3. 静态Web开发<\/h3>

4. 动态Web开发<\/h3>

二、Django安全攻防<\/h2>

1. 格式化字符串漏洞<\/h3>

攻击方式<\/h4>
通过构造`email<\/code>参数为{user.password}<\/code>可以获取用户密码哈希值<\/p>`

2. XSS漏洞<\/h3>

3. SQL注入漏洞<\/h3>

攻击方式<\/h4>
构造`id<\/code>参数为1 or 1=1<\/code>等恶意SQL片段<\/p>`

Django开发与攻防测试(入门篇)教学文档<\/h1>

一、Django基础开发<\/h2>

3. 静态Web开发<\/h3>

4. 动态Web开发<\/h3>

二、Django安全攻防<\/h2>

1. 格式化字符串漏洞<\/h3>

攻击方式<\/h4> 通过构造email<\/code>参数为{user.password}<\/code>可以获取用户密码哈希值<\/p>

2. XSS漏洞<\/h3>

3. SQL注入漏洞<\/h3>

攻击方式<\/h4> 构造id<\/code>参数为1 or 1=1<\/code>等恶意SQL片段<\/p>

攻击方式<\/h4>
通过构造`email<\/code>参数为{user.password}<\/code>可以获取用户密码哈希值<\/p>`

攻击方式<\/h4>
构造`id<\/code>参数为1 or 1=1<\/code>等恶意SQL片段<\/p>`