简单地说

exec unchecked_parameter_from_the_web

在Python中解析用户给出的字典字面量。那真的很可怕。

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.

在这里根据记忆来解释，但它很接近……

<form action="secretpage.html" id="authentication"          
      onsubmit="return document.forms.authentication.password.value == 's3cr3t'">
    Enter password: <input type="password" name="password"><br>
    <input type="submit" name="Login" >
</form>

我认识的一个家伙用这个来保护他网站的“私人区域”。起初，他不愿意相信我，甚至他的浏览器都有这个不可靠的“查看源代码”功能。

我之前至少有一个同事可能符合这个条件。

有一个地方，管理员在共享FAT32文件夹中设置了所有用户的主目录。

这意味着您可以读取、写入和删除其他用户的文件。

我见过很多客户项目，这些项目都包含IP地址、用户名和SQL server数据库的密码。