大佬教程收集整理的这篇文章主要介绍了如何在Windows上安全地转义cmd.exe shell的命令行参数?,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
os.system或subprocess.Popen(…,sHell = TruE)
此命令包含字符串替换,如:cmd =“some_secret_command {0}”.format(String_from_user)
我想要转义String_from_user变量来防止任何注入.
简单的错误答案:
>使用shlex.quote – 不正确
print(shlex.quote(‘file.txxt;& ls.#’)) – > “file.txxt; & ls. #'(注射)
> python -c "import sys; print(sys.argv[1])" 'file.txxt; &ls . #' secret.txt secret2.txt
>使用转义^ – 不正确
import os CMD = '''String with spaces'''.replace('','^').replace('^"','') os.system('python -c "import sys; print(sys.argv[1])" {0}'.format(CMD))
现在我可以使用(空格)并注入多个参数.
>使用^和“或” – 不正确
import os CMD = '''some arg with spaces'''.replace('','') os.system('python -c "import sys; print(sys.argv[1])" "{0}"'.format(CMD))
打印^ s ^ o ^ m ^ e ^ ^ a ^ r ^ g ^ ^ w ^ i ^ t ^ h ^ ^ s ^ p ^ a ^ c ^ e ^ s ^
而如果 ‘
import os CMD = '''some spaces'''.replace('','^').replace('^\'','') os.system('python -c "import sys; print(sys.argv[1])" \'{0}\''.format(CMD))
打印’一些
也就是说,对于一般情况,例如,使用cmd.exe和一个用CommandLineToArgvW解析其命令行的程序,你可以使用Daniel Colascione在Everyone quotes command line arguments the wrong way中描述的技术.我原本试图将它改编为Ruby,现在尝试将其转换为python.
import re
def escape_argument(arg):
# Escape the argument for the cmd.exe sHell.
# See http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx
#
# First we escape the quote chars to produce a argument suitable for
# CommandLineToArgvW. We don't need to do this for simple arguments.
if not arg or re.search(r'(["\s])',arg):
arg = '"' + arg.replace('"',r'\"') + '"'
return escape_for_cmd_exe(arg)
def escape_for_cmd_exe(arg):
# Escape an argument String to be suitable to be passed to
# cmd.exe on Windows
#
# This method takes an argument that is expected to already be properly
# escaped for the receiving program to be properly parsed. This argument
# will be further escaped to pass thE interpolation performed by cmd.exe
# unchanged.
#
# Any Meta-characters will be escaped,removing the ability to e.g. use
# redirects or variables.
#
# @param arg [String] a single command line argument to escape for cmd.exe
# @return [String] an escaped String suitable to be passed as a program
# argument to cmd.exe
Meta_chars = '()%!^"<>&|'
Meta_re = re.compile('(' + '|'.join(re.escape(char) for char in list(Meta_chars)) + ')')
Meta_map = { char: "^%s" % char for char in Meta_chars }
def escape_Meta_chars(m):
char = m.group(1)
return Meta_map[char]
return Meta_re.sub(escape_Meta_chars,arg)
应用此代码,您应该能够成功转义cmd.exe sHell的参数.
print escape_argument('''some arg with spaces''')
# ^"some arg with spaces^"
请注意,该方法应引用一个完整的参数.如果你从多个源收集你的参数,通过构建一串python代码传递给python命令,你必须在将它传递给escape_argument之前组装它.
import os CMD = '''String with spaces and &weird^ charcters!''' os.system('python -c "import sys; print(sys.argv[1])" {0}'.format(escape_argument(CMD))) # String with spaces and &weird^ charcters!
以上是大佬教程为你收集整理的如何在Windows上安全地转义cmd.exe shell的命令行参数?全部内容,希望文章能够帮你解决如何在Windows上安全地转义cmd.exe shell的命令行参数?所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。