常见Web攻击
一、SQL注入
1. sql注入的危害
- 非法读取、篡改、删除数据库中的数据
- 盗取用户的各类敏感信息,获取利益
- 通过修改数据库来修改网页上的内容
- 注入木马等
2. 实例
MYSQLDB
# 通过在用户名里面构建一个sql语句,达到了我们在执行sql语句的时候永远为真的情况
# username = '~ OR 1=1'
username = request.POST.get('username')
password = request.POST.get('password')
import MySQLdb
conn = MySQLdb.connect(host='127.0.0.1', user='root', db='mxonline', password='0000')
cursor = conn.cursor()
sql_select = "select * from users_userprofile where email='{0}' and password='{1}'".format(username, password)
result = cursor.execute(sql_select)
for row in cursor.fetchall():
# 查询到所有用户
3. 防范
mysqldb
c=db.cursor()
max_price=5
c.execute("""SELECT spam, eggs, sausage FROM breakfast
WHERE price < %s""", [max_price])
sqlalchemy
from sqlalchemy.orm import sessionmaker
from sqlalchemy import create_engine
from sqlalchemy.orm import scoped_session
from models import Student,Course,Student2Course
engine = create_engine(
"mysql+pymysql://root:123456@127.0.0.1:3306/s9day120?charset=utf8",
max_overflow=0, # 超过连接池大小外最多创建的连接
pool_size=5, # 连接池大小
pool_timeout=30, # 池中没有线程最多等待的时间,否则报错
pool_recycle=-1 # 多久之后对线程池中的线程进行一次连接的回收(重置)
)
SessionFactory = sessionmaker(bind=engine)
session = scoped_session(SessionFactory)
cursor = session.execute('INSERT INTO users(name) VALUES(:value)', params={"value": 'zhangyafei'})
session.commit()
print(cursor.lastrowid)
from sqlalchemy.sql import text
t = text("select * from test where id= :tid")
conn.execute(t, tid=1).fetchall()
flask-sqlalchemy
db = SQLAlchemy(app)
conn = db.session.connection()
@app.route('/')
def index():
rv = conn.execute('select * from test where id = %s', [1])
return jsonify(rv)
pymysql
def fetchall(sql, arg=list(), type=pymysql.cursors.DictCursor):
conn, cursor = connect(type)
cursor.execute(sql, arg)
data = cursor.fetchall()
connect_close(conn, cursor)
return data
二、xss攻击
1.xss跨站脚本攻击(Cross Site Scripting)的危害
- 盗取各类用户的账号,如用户网银账号、各类管理员账号
- 盗窃企业重要的具有商业价值的资料
- 非法转账
- 控制受害者机器向其他网站发起攻击、注入木马等等
2.xss攻击防范
- 首先在代码里对用户输入的地方和变量都需要仔细检查长度和对"<",">",",","'"等字符进行过滤
- 避免直接在cookie中泄露用户隐私,例如email、密码等等通过使cookie和系统ip绑定来降低cookie泄露后的危险
- 尽量使用POST而非GET提交表单
3. xssf防范代码
#!/usr/bin/env python # -*- coding:utf-8 -*- from bs4 import BeautifulSoup class XSSFilter(object): __instance = None def __init__(self): # XSS白名单 self.valid_tags = { "font": ['color', 'size', 'face', 'style'], 'b': [], 'div': [], "span": [], "table": [ 'border', 'cellspacing', 'cellpadding' ], 'th': [ 'colspan', 'rowspan' ], 'td': [ 'colspan', 'rowspan' ], "a": ['href', 'target', 'name'], "img": ['src', 'alt', 'title'], 'p': [ 'align' ], "pre": ['class'], "hr": ['class'], 'strong': [] } def __new__(cls, *args, **kwargs): """ 单例模式 :param cls: :param args: :param kwargs: :return: """ if not cls.__instance: obj = object.__new__(cls, *args, **kwargs) cls.__instance = obj return cls.__instance def process(self, content): soup = BeautifulSoup(content, 'html.parser') # 遍历所有HTML标签 for tag in soup.find_all(recursive=True): # 判断标签名是否在白名单中 if tag.name not in self.valid_tags: tag.hidden = True if tag.name not in ['html', 'body']: tag.hidden = True tag.clear() continue # 当前标签的所有属性白名单 attr_rules = self.valid_tags[tag.name] keys = list(tag.attrs.keys()) for key in keys: if key not in attr_rules: del tag[key] return soup.decode() if __name__ == '__main__': html = """<p class="title"> <b>The Dormouse's story</b> </p> <p class="story"> <div name='root'> Once upon a time there were three little sisters; and their names were <a href="http://example.com/elsie" class="sister c1" style='color:red;background-color:green;' id="link1"><!-- Elsie --></a> <a href="http://example.com/lacie" class="sister" id="link2">Lacie</a> and <a href="http://example.com/tillie" class="sister" id="link3">Tilffffffffffffflie</a>; and they lived at the bottom of a well. <script>alert(123)</script> </div> </p> <p class="story">...</p>""" obj = XSSFilter() v = obj.process(html) print(v)
三、CSRF攻击
1. csrf跨站请求伪造(Cross-site request forgery)的危害
- 以你名义发送邮件
- 盗取你的账号
- 购买商品
- 虚拟货币转账
2. 防范
- 加上csrf token
