Brush title record: [De1CTF 2019] SSRF Me

Others 2019-08-31 21:59:24 views: null

table of Contents

Brush title record: [De1CTF 2019] SSRF Me

Recurring topic links: https://buuoj.cn/challenges
Reference Links: three solutions De1CTF ssrf_me the
analysis two web SSRF ME && ShellShellShell De1CTF 2019's

One, involving knowledge points

1, MD5 length extension attack

Reference MD5 attack length expansion brief notes
On MD5 extend the length of the attack

Attack scenario: file=filename&hash=md5($secret_key.filename)Verify successful download files
Objective: To pass any arbitrary file filename read
conditions:

  • It is known to any one md5($secret_key.filename), and knows the plaintext filename.
  • Known secret_keylength.
  • Users can submit md5 value.
  • Tools: HashPump / Python module: hashpumpy

2, Python 2.x - 2.7.16 urllib.fopen support local_file lead LFI (CVE-2019-9948)

https://bugs.python.org/issue35907

  • When there is no agreement, the default fileprotocol to read
  • Can be used local_file:to bypass, for example, local_file:flag.txtpath is the relative path to the script
    local_file://you must use an absolute path (usually this agreement)
    PS: local-file:///proc/self/cwd/flag.txtcan also be read as /proc/self/cwd/representative of the current path
  • If you use urllib2.urlopen (param) to include the file must add file, otherwise it will report ValueError: unknown url type: /path/to/filean error

Second, problem-solving approach

See reference links, not repeat them

Third, the summary

The code must be sensitive, good at searching existing vulnerability
cve library: cve Database

Guess you like

Origin www.cnblogs.com/20175211lyz/p/11440316.html
Recommended
The sixth meeting of openKylin Community Ecology Committee was successfully held
Alibaba Cloud officially releases Tongyi Qianwen 2.5
Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter
Stack Overflow used my code to train large AI models and banned my account.
Pop!_OS’s COSMIC desktop completes App Store listing
Report: Django is still the first choice for 74% of developers
"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report
15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?
Ranking
Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures
Der M-Chip-Mac implementiert mehrere Android-Emulatoren
CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.
Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery
python3 pip ipython installation
A lot of python crawler source code sharing -- talk about the little thing about python crawler
Agile Sprint in Alpha Stage (7)
Access URL in Unity
FunctoinDemo form
MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq
Daily
More
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)

Code World

© 2018 codetd.com