From 8ac18996c7f616ce7ac5d2f221998a229d4455ec Mon Sep 17 00:00:00 2001 From: bit4woo Date: Fri, 17 May 2019 11:34:07 +0800 Subject: [PATCH 1/3] add 2 links about new vuln --- Readme.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index d91deea..0d9e4ce 100644 --- a/Readme.md +++ b/Readme.md @@ -63,7 +63,7 @@ [Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html) ([翻译版](https://www.anquanke.com/post/id/84891)) - +[Numpy反序列化命令执行(CVE-2019-6446)浅析](https://www.freebuf.com/vuls/194540.html) @@ -203,7 +203,9 @@ Python_Hack_知道创宇_北北(孙博).pdf [Programming Secure Web Applications in Python](https://www.thoughtco.com/programming-secure-web-applications-2813531) -[Advisory: HTTP Header Injection in Python urllib](http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html) +[[CVE-2016-5699] HTTP Header Injection in Python urllib](http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html) 同 http://www.anquan.us/static/drops/papers-16905.html + +[[CVE-2019-9740] Python urllib CRLF injection vulnerability](https://bugs.python.org/issue36276) 同 https://xz.aliyun.com/t/5123 [Hack Redis via Python urllib HTTP Header Injection](https://security.tencent.com/index.php/blog/msg/106) From 5b6d0456104fe18bfa18dc041141f930b80627e6 Mon Sep 17 00:00:00 2001 From: bit4woo Date: Tue, 6 Aug 2019 17:21:53 +0800 Subject: [PATCH 2/3] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Django JSONField SQL注入漏洞(CVE-2019-14234) --- Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Readme.md b/Readme.md index 0d9e4ce..8fdac85 100644 --- a/Readme.md +++ b/Readme.md @@ -127,6 +127,8 @@ [django的一些安全问题答案](https://www.kevinlondon.com/2015/10/16/answers-to-django-security-questions.html) +[Django JSONField SQL注入漏洞(CVE-2019-14234)分析与影响](https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html) + ### package钓鱼 From 2900d021290e1714a6391a808c5a5278ad6a58ea Mon Sep 17 00:00:00 2001 From: bit4woo Date: Thu, 6 Aug 2020 10:31:20 +0800 Subject: [PATCH 3/3] Update Readme.md --- Readme.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Readme.md b/Readme.md index 8fdac85..6bdc2d2 100644 --- a/Readme.md +++ b/Readme.md @@ -139,6 +139,8 @@ https://www.pytosquatting.org/ +[PyPI 官方仓库遭遇request恶意包投毒](https://mp.weixin.qq.com/s/dkPdXfGfSK097GI6Ln92lA) + ### LDAP注入 @@ -167,6 +169,8 @@ https://www.pytosquatting.org/ [讨论PythonWeb开发中可能会遇到的安全问题之SQL注入](http://blog.neargle.com/2016/07/22/pythonweb-framework-dev-vulnerable/) +[Django JSONField SQL注入漏洞(CVE-2019-14234)分析与影响](https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html) + ### SSTI模版注入 @@ -185,10 +189,14 @@ https://github.com/evilcos/python-webshell https://github.com/ahhh/Reverse_DNS_Shell + + ### paper Python_Hack_知道创宇_北北(孙博).pdf + + ### 其他 [如何判断目标站点是否为Django开发](https://www.leavesongs.com/PENETRATION/detect-django.html)