Code related to the problem (please do not paste screenshots)
<body>
关于OrientDB
OrientDB是一个分布式图形数据库引擎,具有文档数据库的灵活性,一体化的产品。第一个也是最好的可升级,高性能,可操作的NoSQL数据库。
Vulnerability Details
OrientDB uses RBAC model for authentication schemes. By default an OrientDB has 3 roles –
admin, writer and reader. These have their usernames same as the
role. For each database created on the server, it assigns by default these 3 users.
The privileges of the users are:
admin
– access to all functions on the database without any limitation
reader
– read-only user. The reader can query any records in the database, but can’t modify or delete them. It has no
access to internal information, such as the users and roles themselves
writer
– same as the "reader", but it can also create, update and delete records
ORole structure handles users and
their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user
to display the permissions of users and make other queries associated with oRole permissions.
From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements, this
permission requirement is not required and information is returned to unprivileged users.
Since we enable the functions where
, fetchplan
and order by
, and OrientDB
has a function where you could execute groovy functions and this groovy
wrapper doesn’t have a
sandbox and exposes system functionalities, we can run any command we want.
exploit
</body>
Output and error messages
['关于OrientDB', 'Vulnerability Details', ' admin', 'writer', 'reader', 'admin', 'reader', 'writer', 'where', 'fetchplan', 'order by', 'groovy']
['OrientDB是一个分布式图形数据库引擎,具有文档数据库的灵活性,一体化的产品。第一个也是最好的可升级,高性能,可操作的NoSQL数据库。', 'OrientDB uses RBAC model for authentication schemes. By default an OrientDB has 3 roles –', ', ', ' and ', '. These have their usernames same as the role. For each database created on the server, it assigns by default these 3 users.', 'The privileges of the users are:', ' – access to all functions on the database without any limitation', ' – read-only user. The reader can query any records in the database, but can’t modify or delete them. It has no access to internal information, such as the users and roles themselves', ' – same as the "reader", but it can also create, update and delete records', 'ORole\u200b structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user to display the permissions of users and make other queries associated with oRole permissions.', 'From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements\u200b, this permission requirement is not required and information is returned to unprivileged users.', 'Since we enable the functions ', ', ', ' and ', ', and OrientDB has a function where you could execute groovy functions and this ', ' wrapper doesn’t have a sandbox and exposes system functionalities, we can run any command we want.', 'poc']
My approach and what I have tried
print(html.xpath('//body/p/*/text()' ))
print(html.xpath('//body/*/text()' ))
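print(html.xpath('//body/*/text()' )) The results are all p tags; why is there no content from the h3 tags?
The result I want to achieve
Extract all the content; below is the desired result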
关于OrientDB
OrientDB是一个分布式图形数据库引擎,具有文档数据库的灵活性,一体化的产品。第一个也是最好的可升级,高性能,可操作的NoSQL数据库。
Vulnerability Details
OrientDB uses RBAC model for authentication schemes. By default an OrientDB has 3 roles – admin, writer and reader. These have their usernames same as the role. For each database created on the server, it assigns by default these 3 users.
The privileges of the users are:
admin – access to all functions on the database without any limitation
reader – read-only user. The reader can query any records in the database, but can’t modify or delete them. It has no access to internal information, such as the users and roles themselves
writer – same as the "reader", but it can also create, update and delete records
ORole structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permissions to allow the user to display the permissions of users and make other queries associated with oRole permissions.
From version 2.2.x and above whenever the oRole is queried with a where, fetchplan and order by statements, this permission requirement is not required and information is returned to unprivileged users.
Since we enable the functions where, fetchplan and order by, and OrientDB has a function where you could execute groovy functions and this groovy wrapper doesn’t have a sandbox and exposes system functionalities, we can run any command we want.
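An added example, not part of the original post: it contrasts what `//body/*/text()` selects (only text nodes that are direct children of each block) with joining all descendant text per block via `itertext()`, which lxml elements also provide. The markup in `SAMPLE` is constructed and its tag structure (`<strong>` inside `<h3>`, inline `<code>`) is an assumption, since the post's tags were not preserved; the standard-library `xml.etree.ElementTree` stands in for lxml so the block runs without extra packages.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The tags are an assumption about the original markup:
# headings wrap their text in <strong>, role names sit in inline <code>.
SAMPLE = """<body>
<h3><strong>Vulnerability Details</strong></h3>
<p>By default an OrientDB has 3 roles – <code>admin</code>, <code>writer</code>
and <code>reader</code>. These have their usernames same as the role.</p>
<ul>
<li><code>admin</code> – access to all functions on the database without any limitation</li>
</ul>
<p>exploit</p>
</body>"""

# Elements that should each become one line of output.
BLOCK_TAGS = {"h3", "p", "li"}


def direct_text(markup):
    """Mimic //body/*/text(): text nodes that are direct children of body's
    child elements (whitespace-only nodes dropped). Nested text is missed."""
    out = []
    for block in ET.fromstring(markup):
        # block.text is the text before the first child; each child's tail
        # is the text that follows that child inside the same block.
        pieces = [block.text] + [child.tail for child in block]
        out.extend(t for t in pieces if t and t.strip())
    return out


def block_texts(markup):
    """One string per block element, in document order, inline children included."""
    out = []
    for el in ET.fromstring(markup).iter():
        if el.tag in BLOCK_TAGS:
            # itertext() walks every descendant text node in order.
            text = " ".join("".join(el.itertext()).split())
            if text:
                out.append(text)
    return out


if __name__ == "__main__":
    print(direct_text(SAMPLE))               # fragments, heading missing
    print("\n".join(block_texts(SAMPLE)))    # one complete line per block
```

With lxml the per-element equivalent of the join is `el.xpath('string(.)')`, and `lxml.html.fromstring` accepts real-world HTML that is not well-formed XML.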