python3之Crypto

··

阅读

关键洞察

今天在写一个压测工具的时候。试运行的时候发现了一个报错

Traceback (most recent call last):
  File "/.../path/test.py", line 5, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'

因为我这边压测的接口都是加密请求，需要使用到AES-ECB加密理所当然的在这个时候我理所当然的执行了

python3 -m pip install Crypto

执行如下

Collecting Crypto
  Downloading crypto-1.4.1-py2.py3-none-any.whl (18 kB)
Collecting shellescape
  Downloading shellescape-3.8.1-py2.py3-none-any.whl (3.1 kB)
Collecting Naked
  Downloading Naked-0.1.31-py2.py3-none-any.whl (590 kB)
     |████████████████████████████████| 590 kB 444 kB/s
Requirement already satisfied: requests in /usr/local/lib/python3.10/site-packages (from Naked->Crypto) (2.26.0)
Collecting pyyaml
  Downloading PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl (197 kB)
     |████████████████████████████████| 197 kB 5.5 MB/s
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (2021.10.8)
Requirement already satisfied: idna<4,>=2.5 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (2.0.8)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (1.26.7)
Installing collected packages: pyyaml, shellescape, Naked, Crypto
Successfully installed Crypto-1.4.1 Naked-0.1.31 pyyaml-6.0 shellescape-3.8.1

然后执行依然是相同的报错。我很奇怪就百度查了资料，然后又执行了

python3 -m pip install pycrypto
python3 -m pip install pycryptodomex

结果报错依旧。我吐了接着查询。又听了某些人说修改site-packages文件夹下面的crypto文件夹名字为Crypto。

然后还是报错。我没办法了。继续google里面查找资料

终于找到一篇文章Stop using pycrypto. Use pycryptodome instead

就如文章中所说

Pycrypto is vulnerable to a heap-based buffer overflow in the ALGnew function in blocktemplace.c. It allows remote attackers to execute arbitrary code in the python application. It was assigned the <a href="https://security-tracker.debian.org/tracker/CVE-2013-7459" target="blank">CVE-2013-7459</a> number.
Pycrypto didn’t release any fix to that vulnerability and no commit was made to the project since Jun 20, 2014.

意思就是:

Pycrypto 容易受到 blocktemplace.c 中 ALGnew 函数中基于堆的缓冲区溢出的影响。它允许远程攻击者在 python 应用程序中执行任意代码。它被分配了<a href="https://security-tracker.debian.org/tracker/CVE-2013-7459" target="blank">CVE-2013-7459</a>编号。
自 2014 年 6 月 20 日以来，Pycrypto 没有发布对该漏洞的任何修复程序，也没有对该项目进行任何提交。

所以最终得到的解决方案就是请卸载的所有版本crypto和pycrypto，并且安装pycryptodome：

CodeBlock Loading...

Collecting Crypto Downloading crypto-1.4.1-py2.py3-none-any.whl (18 kB) Collecting shellescape Downloading shellescape-3.8.1-py2.py3-none-any.whl (3.1 kB) Collecting Naked Downloading Naked-0.1.31-py2.py3-none-any.whl (590 kB) |████████████████████████████████| 590 kB 444 kB/s Requirement already satisfied: requests in /usr/local/lib/python3.10/site-packages (from Naked->Crypto) (2.26.0) Collecting pyyaml Downloading PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl (197 kB) |████████████████████████████████| 197 kB 5.5 MB/s Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (2021.10.8) Requirement already satisfied: idna<4,>=2.5 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (3.3) Requirement already satisfied: charset-normalizer~=2.0.0 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (2.0.8) Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/local/lib/python3.10/site-packages (from requests->Naked->Crypto) (1.26.7) Installing collected packages: pyyaml, shellescape, Naked, Crypto Successfully installed Crypto-1.4.1 Naked-0.1.31 pyyaml-6.0 shellescape-3.8.1